231301ed9cd5650bd3766453eac3ff9286278f13367c1e5062f7bf5b2d97e26a

Analysis

max time kernel
63s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VRCHub Setup (1).exe
Size

64.0MB
MD5

1cf986e4d33e1a8a747669a254b86d71
SHA1

6eb78630be370c5efb9142e4ec95cef6f659875e
SHA256

231301ed9cd5650bd3766453eac3ff9286278f13367c1e5062f7bf5b2d97e26a
SHA512

ffb42662eb2e3044681232fb404d1a995a6393f16e700c417c945dbae2cd5d19bbb2b4f62c12f059951d5abb7955abc40e01d5b47e8e4c024fb92a809fd5ef05
SSDEEP

1572864:Q038VopLXRSUhmTSPND6MHrpG+KEFDs+w/4fyL/puYZYoS29E/JmE:QHSpLX0CN1RnwQfyL/ZYj2aIE

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
656	powershell.exe
440	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
5016	VRCHub Setup (1).tmp
1224	VRCHub.exe
764	ZER0.Certificates.exe

Loads dropped DLL 64 IoCs

pid	Process
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe
1224	VRCHub.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VRCHub\Microsoft.CSharp.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\PresentationNative_cor3.dll	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\it\is-O18T7.tmp	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.Security.Cryptography.OpenSsl.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\tr\UIAutomationClient.resources.dll	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-VOAL6.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-D0526.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-BTRO3.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\tr\is-P381K.tmp	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.Runtime.InteropServices.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.Runtime.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.Runtime.Serialization.Xml.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\it\PresentationFramework.resources.dll	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\es\is-EFGLE.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\ko\is-64IDH.tmp	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\it\System.Windows.Controls.Ribbon.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\pl\UIAutomationClient.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\fr\UIAutomationProvider.resources.dll	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-JKHKN.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-9V5RH.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\cs\is-GIBVT.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\es\is-0F956.tmp	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.AppContext.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.Data.Common.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\es\System.Windows.Input.Manipulations.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\pl\UIAutomationProvider.resources.dll	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\it\is-DQPSA.tmp	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\cs\PresentationFramework.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\ja\System.Windows.Forms.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.ComponentModel.dll	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-U9J08.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-0VNQU.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\zh-Hant\is-ITL2V.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\de\is-M88SV.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\it\is-ASJ23.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\pt-BR\is-81PUI.tmp	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.Net.HttpListener.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.Printing.dll	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-2KVBM.tmp	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\es\System.Windows.Forms.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\ja\System.Windows.Input.Manipulations.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\zh-Hans\UIAutomationClientSideProviders.resources.dll	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-Q7GVR.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-NRBOM.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-03885.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\es\is-QFIGE.tmp	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\zh-Hant\UIAutomationClient.resources.dll	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\it\is-VF7AH.tmp	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\de\System.Windows.Input.Manipulations.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.Security.Principal.Windows.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\ko\PresentationFramework.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\tr\System.Windows.Controls.Ribbon.resources.dll	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-PKSCL.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\is-O79GO.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\pt-BR\is-7MDBG.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\ru\is-ESLN7.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\tr\is-HTSJ0.tmp	VRCHub Setup (1).tmp
File created	C:\Program Files\VRCHub\zh-Hans\is-FNS47.tmp	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\clretwrc.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.Diagnostics.Contracts.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\System.Reflection.TypeExtensions.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\pt-BR\System.Windows.Forms.Primitives.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\tr\System.Windows.Forms.Primitives.resources.dll	VRCHub Setup (1).tmp
File opened for modification	C:\Program Files\VRCHub\ru\UIAutomationProvider.resources.dll	VRCHub Setup (1).tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VRCHub Setup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VRCHub Setup (1).tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZER0.Certificates.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dp	VRCHub Setup (1).tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VRCHub.dp	VRCHub Setup (1).tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VRCHub.dp\ = "VRChat Asset Package"	VRCHub Setup (1).tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VRCHub.dp\DefaultIcon	VRCHub Setup (1).tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dp\ = "VRCHub.dp"	VRCHub Setup (1).tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VRCHub.dp\DefaultIcon\ = "\"C:\\Program Files\\VRCHub\\Package.ico\""	VRCHub Setup (1).tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VRCHub.dp\Shell\Open\Command	VRCHub Setup (1).tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VRCHub.dp\Shell	VRCHub Setup (1).tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VRCHub.dp\Shell\Open	VRCHub Setup (1).tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VRCHub.dp\Shell\Open\Command\ = "\"C:\\Program Files\\VRCHub\\VRCDataMod.exe\" \"%1\""	VRCHub Setup (1).tmp

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\388678CFB6A9627CB62083131A1D88B2E2306381\Blob = 030000000100000014000000388678cfb6a9627cb62083131a1d88b2e23063812000000001000000930500003082058f30820377a00302010202144a2c64052856febaea3118c40bf04be2fe536c5e300d06092a864886f70d01010b05003049310b3009060355040613025553311c301a060355040a0c135a45523020436f6d6d756e697479205369676e311c301a06035504030c135a45523020436f6d6d756e697479205369676e301e170d3234303831363133333230315a170d3439303831303133333230315a3049310b3009060355040613025553311c301a060355040a0c135a45523020436f6d6d756e697479205369676e311c301a06035504030c135a45523020436f6d6d756e697479205369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100c610f7f764bf52f8b59bd35a766109f610e83fba15381006d8ee4827f813a2de5a7b55458a0c8fa97373fbbe48f9884e78aa4d20a4cf343db893884af2137959e5cbb76a1ea5f068fe196e05bc5d1e803c220c0b586f134f8ab47e0a9a698b28fbb421c87d5aa412e1cb477b078b8dd1adf814d3e643707b4c6f00746266000b6a647d3ae833ff1f5559de05c45fafe398b4b5540ccfd16675c8920583d04377f7f9da3aaa9f7d5766adf1c69e9a8246e5ae650bec36781d8a32bfe4537e7f4b2dcb9fb1d72f9145b9376fb4d78eae94bc47a8ad58a6d66e07382c2d5078315dcf99a3032323e3e7f804a59d1eed5e4eb54c6bd8d2a3761585960c53e6c8f7652b5e224f54a9691d347ae16107c79a0ce482e14a17cfb6338804e8e07851c3756d69ac86731835f8b996ff1fab0c36fd9865c557be8a517db7c1ddc877342302ccdf46ea5d0072e107b14e6c39ecde53e1d0bd804ad6e94df79f6e2635152ce6b197fd3a78e6e5083f93b8f3a9de811f0d5005bbe12494bad3a3ebe940cbd8128163ab856d767eab1eb22d4e890b5083c431cbf3b1358fb8c9b5808e32aa94a5e21d028011023d202eebcac4d6001ed2650027cbffd1fc581708ad3d2337f8cd3a7e6d67af2e814f9cbebd7f5f24aee21d5ad9a73f7f0b0f3f4b6057b24a7318e7d27d5528a39bd6715a209c464123c8db5bd683183f82ef9ab923242bf094150203010001a36f306d301d0603551d0e04160414c91d69e12acf625f9580b637cbeb812ecddee01d301f0603551d23041830168014c91d69e12acf625f9580b637cbeb812ecddee01d30090603551d1304023000300b0603551d0f04040302078030130603551d25040c300a06082b06010505070303300d06092a864886f70d01010b05000382020100088cc3dd2e60ce7066cbd369c07a90d14082130f13f70ae7c5ba0fde9548a87910e2868169251b1fd6a393c4aaa59e54db55428bebf6ae35e885fbf6bc9b79a485c40b0fe2352147d5a36608dd191cbd8c42f15c6f15cb074a5d8610a0708828c4624b1423ad3262841d80b644a529fb06f0dc93963e083fbbf2b417854671708e549606335caba89ca48bab35827aa1addf75157b080bfbc6d4ac81812b6e7231b0a878498ec426b66bd64e7637acb473dd8512cb33caa7547507e5cedbc476ca3c4b24ffb4a2fed8da8fd945806d5059aa37925952937262b4321aefd626d2e797a31db05169b7bccea5028ebba1c49468bb254d333d826a4604a87fe022edd02742af8d9a0b5ecf88ccd6cd04c4b45a8aa43869bcd60ddaa499e7cb2e8d5332aadbf9477e7d238518779340e566253b19620543f79aebde89258935002810becf4818ebf1e4894d41c270e1d82037cc4de7fd58646e9733933a52ea636cffb68348a15c7d893dde42221fb65b693b77c6eb05545901f839e36d7a1a713de4f119880df7143a7d11e251f55aee24cd6023e23c4a5d295d78092904afc98ab8311d22a7ed2f37301365186f4fb1d6070fdc3facf8f86c4685a490c695c95ddb6f77ee167e17a51bb56dadd0bcda9bd483a6891f39af58b9cf2e3e32cdb0789889472d19c765aa7063790b8f869682648632a15b1fa1a1b639400ac011a0db7f	ZER0.Certificates.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7B9D7E1F96BA7FF50AC0D201383FD1F07412E59E	ZER0.Certificates.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7B9D7E1F96BA7FF50AC0D201383FD1F07412E59E\Blob = 0300000001000000140000007b9d7e1f96ba7ff50ac0d201383fd1f07412e59e2000000001000000d3050000308205cf308203b7a00302010202147d7bd06f0a46a1d10d3dad668239b834249f5fc4300d06092a864886f70d01010b05003069310b30090603550406130247423116301406035504080c0d57657374204d69646c616e64733113301106035504070c0a4269726d696e6768616d3110300e060355040a0c074d61676d614d43311b301906035504030c124d61676d614d4320476c6f62616c5369676e301e170d3234303831363133333331335a170d3339303831333133333331335a3069310b30090603550406130247423116301406035504080c0d57657374204d69646c616e64733113301106035504070c0a4269726d696e6768616d3110300e060355040a0c074d61676d614d43311b301906035504030c124d61676d614d4320476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a028202010093210f529d7445a998218a94ebaa50e6dc11038451ad30469459b44d716ece5f54eb3fd38b305e29ba3b60bcf3f5f980d261cc391ae519f1e05c221c80e5da1f46eef851bd4b768f8ef4471b80f52043e01f59966df78d4e717b8be427162989da8d828db463fce97cbbe0b75452a63b24222605308b3add6123be8a4e92e53ceffbf41484d874624c113d43e2a51e086a39bf30830310f0423ad1d934ca41b7b85cd885fdd5865378932111b73227d6574c26b9102d4a29de2a7003f8fdb2f295fa39ab8b1b6f8c62d2e5ae90f6d614ee6464fd807a4c4872e4a56cf6edb0cc73ea2ecc644d2b1bbc682bb75f1b53204cf8b16861d278c9ffc32ad9a700e9d5de035bc2b7ec0b2258899b31b285192040d97aeebea70968e6029bf0fe5bf3ecf3c2144dc9e6fcce39720a3e5f03288f8cc0af6a1d929c15ccfc187a20dd6897659fb45da7bdd45559afb1a4b577d4980ac359aa00089fb66adcfc79c263c515d9e3db19d201e76a0db2ab26d2ece0b282d57811299f8a7f2ab72d58c27f29c82b881c96fa2f30d8229d6d06ff55bf41276552723f9260285b0a685ac4c0ab23c04ff7cdbf9bc94574d82f43fb622d34f1d9d1ea6f4fe0cf4dd59f8b631f2a59dda59542383a8c4411932c51413b3a77915281e2518b51c08486e846b588cf2ce7b0b0a9331e706e9f7ae6ec9f0bd513524d0ec57720f0cc6dbef1ebd6209c490203010001a36f306d301d0603551d0e0416041400e97016ef3bdf351cd1ce322c1188324a352151301f0603551d2304183016801400e97016ef3bdf351cd1ce322c1188324a35215130090603551d1304023000300b0603551d0f04040302078030130603551d25040c300a06082b06010505070303300d06092a864886f70d01010b05000382020100587a2cd58f10ac6407ec028b511d1363a9ef269ee78c7a2d6fbcfb10f87fcd4c2b9e9c1086a0dc03af5f4ef5bf91e500c96d071896ab3770d2110b26fc047fed1c8124b8066c3d19de9b3e47bb9a7bf0959877acf807e5c318fc38a46ecb81657119d554383472c517a9709e57936b4fda72603d909d4d6312d1671356bc6b77efb73ce60f66ca0d5f3cc54db8e4977ba92f859e0a7eb528a5ba770ede910a77d655ae42180f863614480374fbe3efeff32baf7b6f7db12e7b0d776f3b5fb1edbb5dd5dd20ef9d08a94104dbdd8ef082080148af43510b3d8e869dfec42ddda578319ca601f99aedd598f52d56b9a4c77fc8a35370d35a9b0e258319bc0e2ad67aa37a41f99b0e9d45de208141f8f3e97718974a5a02a5c0a9e45d3f6b7cd4f97a7ccf4042eaa381ffb1307abde103c0bd64a470e3c07170633f66985841d373cbf1c5bf9f2e18b3847dc6d72d9e76ad5d0e4003abe684cab66053b25a50d1e287b6c0b797936e9603c937beb9e49c2a551e197005e7a838f2a909b944aebdc23dfbaf7de3ad183c909f88de6c3f6fa1af9100a69c071ca3dc6599b70da0c0cce68d0e2cb23b5eab785e496bba843db233196d155c15457c01dfb3e9ed4a248c68750ce187351806aa7b7d85421d56f733400c64f4010b0c9cd078a801599d9fb7080eb7f6987cd12323a5653fa7e88dc3279b9333dd87de3ae622c9e67c327e	ZER0.Certificates.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C9B4CA6DE60F5398B21CDA1841CFD9081D3960F7	ZER0.Certificates.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C9B4CA6DE60F5398B21CDA1841CFD9081D3960F7\Blob = 030000000100000014000000c9b4ca6de60f5398b21cda1841cfd9081d3960f72000000001000000c5050000308205c1308203a9a003020102021464f260997509be7e207b99fd968f2bc20afed4b1300d06092a864886f70d01010b05003062310b30090603550406130247423116301406035504080c0d57657374204d69646c616e64733113301106035504070c0a4269726d696e6768616d31123010060355040a0c095a455230205465616d3112301006035504030c095a455230205465616d301e170d3234303831363133333330385a170d3339303831333133333330385a3062310b30090603550406130247423116301406035504080c0d57657374204d69646c616e64733113301106035504070c0a4269726d696e6768616d31123010060355040a0c095a455230205465616d3112301006035504030c095a455230205465616d30820222300d06092a864886f70d01010105000382020f003082020a0282020100bd166a791cc1ea6f5af331e87fa3b54ca042e47ad224a08f23f19cb5cb0fcaae58974f5b9526e558518cdb1ba133cb95eba881c04a8ed2e738e907c9593e2da4796195220cdc297c0cf7e28502de9ecf15e0aa3cf1efa78ecbc7ca65ec6129c2bb3db786a74624598907f14f19a8a8adc71da369fac97599323eb6d5ee0b0ef6a188037f91c87dd7453fac3864d06f232fce044e00a50820476c221daf3a3e8e3182891fdd49102767605fcd610cae1a6c8a3e76e98933bca0c6426a61a41a2f77e5017e76b18e2986fec3cc839bb1173e136d3e41a6dea72dac4715ab38117595f6db905d3770567331b9ff924d65443b83bf9cad4043ff73d0f5767fa8c4cbc1fe3dac34d96c47a99a96eba1f2ef9762904af25401b8a2175a8cac765589549dca49b56fc46510200571b062cecaed8ad1a1c2165de6c40b9ba101416c4b046cfaaa22c81370fb969074368aa49532ffc1395a93b74ccb74256c123c0af26041f70f4e203d784a5e7feb59680c748f91cb9523c5f4c006559ac3ed37bc69c4b40f0c5fe447a134c94d4b2600731c024ddfd201c3710655d4082b4f4f9990c97c0752fe21bf7d95041f9a8ba7fa84929a8e348da7ad32c4e923a7cea00cd78873376f761e90a29c8311a792241c307658496917d6f058c6c6eaa077f5753bd3c1e14de6c150052b3ba13a6832e7b326e19a23647a555c8d5e95c8199474df770203010001a36f306d301d0603551d0e04160414817e1ff385f7063b05692cc2ff235d83e560a366301f0603551d23041830168014817e1ff385f7063b05692cc2ff235d83e560a36630090603551d1304023000300b0603551d0f04040302078030130603551d25040c300a06082b06010505070303300d06092a864886f70d01010b05000382020100657115b65f2af264dca34ea1d2c90daa2afe9198e172370d5b1f59a56595602a41e565810a2f5b7bd07f783dbe110010a3fad5ec8c0089ee31aedddd0dee8f60c2af3ca947aa1b136cec53e53633941572d2581fee3c742f68bb4023f9d463027af6c9a7a5bf52b636b09412c24503e5d30bed11128001eca664e27d08b6af0e2cfa76fb96a6ca9017c08391b5ca9d423e0122643eb157ee22ae71c94c9c9991839361e294cc811e00f18196b304d76fb777978dbf1795a44591d240e3e94bee2df678fbcbc4d080544202958d4556d76f56b976e0da56fd162bea45f15fb3273ca031355b1fffbd814aa40dc3159dfdacb2bd59598c3b0addb3c4ac903bcdcea43a7ccb11718ac0bb93274d83627577aab763d3e52a9fb692c29a9c4ba0bc5d4bd354d2bc09e2f72bc8a005924c0fe59ebdc548371e7b5f64241d0c63fcbc9cce1cfdec0ef946a84809266a4cdf3dd2325bcd92792da9b52220c7d9825c02ffbb6abe224e1285252129bc9c3cafe28113793ee84ed13d9212446cc3f99a386fd5176bccfac01e08187208b0e83c038b1a6fa81b3e90ec249263c5faf2fbe167acfc8fb780d9ba857550bb0b06cf529375cbe9fc76973cf65167b327840929e4947299722ede77af1db718a31f27a4f13c668b616c910dddfdb4d2f1e288cb09f48e5cf075b3db7da245b1c69ecda75875522348a0728909f01cd861e0ac637f	ZER0.Certificates.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\388678CFB6A9627CB62083131A1D88B2E2306381	ZER0.Certificates.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5016	VRCHub Setup (1).tmp
5016	VRCHub Setup (1).tmp
656	powershell.exe
656	powershell.exe
440	powershell.exe
440	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5016	VRCHub Setup (1).tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 5016	1928	VRCHub Setup (1).exe	85
PID 1928 wrote to memory of 5016	1928	VRCHub Setup (1).exe	85
PID 1928 wrote to memory of 5016	1928	VRCHub Setup (1).exe	85
PID 5016 wrote to memory of 1136	5016	VRCHub Setup (1).tmp	94
PID 5016 wrote to memory of 1136	5016	VRCHub Setup (1).tmp	94
PID 1136 wrote to memory of 656	1136	cmd.exe	96
PID 1136 wrote to memory of 656	1136	cmd.exe	96
PID 5016 wrote to memory of 3808	5016	VRCHub Setup (1).tmp	98
PID 5016 wrote to memory of 3808	5016	VRCHub Setup (1).tmp	98
PID 3808 wrote to memory of 440	3808	cmd.exe	100
PID 3808 wrote to memory of 440	3808	cmd.exe	100
PID 5016 wrote to memory of 1224	5016	VRCHub Setup (1).tmp	101
PID 5016 wrote to memory of 1224	5016	VRCHub Setup (1).tmp	101
PID 1224 wrote to memory of 764	1224	VRCHub.exe	102
PID 1224 wrote to memory of 764	1224	VRCHub.exe	102
PID 1224 wrote to memory of 764	1224	VRCHub.exe	102

C:\Users\Admin\AppData\Local\Temp\VRCHub Setup (1).exe
"C:\Users\Admin\AppData\Local\Temp\VRCHub Setup (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\is-4CGNL.tmp\VRCHub Setup (1).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4CGNL.tmp\VRCHub Setup (1).tmp" /SL5="$B0090,66064940,905216,C:\Users\Admin\AppData\Local\Temp\VRCHub Setup (1).exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c powershell -c "Add-MpPreference -ExclusionPath """C:\Program Files\VRCHub""" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "Add-MpPreference -ExclusionPath """C:\Program Files\VRCHub""" "
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:656
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c powershell -c "Add-MpPreference -ExclusionPath """C:\Users\Admin\AppData\Local\VRCHub""" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "Add-MpPreference -ExclusionPath """C:\Users\Admin\AppData\Local\VRCHub""" "
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:440
- - C:\Program Files\VRCHub\VRCHub.exe
    "C:\Program Files\VRCHub\VRCHub.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\ZER0.Certificates.exe
      "C:\Users\Admin\AppData\Local\Temp\ZER0.Certificates.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VRCHub\DirectWriteForwarder.dll

Filesize
514KB

MD5
73a26ed60cddd2726bb734e364b91af5

SHA1
8ae4ecbf58513a56922ff77cb8758ae178af33c6

SHA256
7524c267dac31729edd2a5b2ef97de81b719aa3792525c788e982a009641037f

SHA512
ceb56a221a3d94c7c1cad516ff4e4b2e8b095af98f283c262e0e497150295877e85d66629ef33d4f620882e9f448e54b27a43edd44203adf3b51d60476277761

Download Submit
C:\Program Files\VRCHub\Microsoft.Win32.Primitives.dll

Filesize
15KB

MD5
25afa2521f1c4dd830b7e1b09be2a748

SHA1
c2b0b2a0f8fb5985da72739c3337acb4eb4e6b6c

SHA256
612401ef7aa517ebada96526b6643a6beea0869bc95e084f8be6b0ec26beac43

SHA512
a17b23ae657727b9592b0270258a091bb731a8da42f5c0677717910a651221351fcc36cafdcb846a444a9386f467b7854eb6f29193e71531aeba3e174885a690

Download Submit
C:\Program Files\VRCHub\Microsoft.Win32.Registry.dll

Filesize
118KB

MD5
d28a59520d799d513d8e39c69a9c6703

SHA1
4ec10e6c2e55e3de6578d81333e08759815cb350

SHA256
f8d9d39e98b2e0ac54af9eb908c3fc904ce426e98291991849ad2fd0d711a47a

SHA512
8f9e100dc439c1658717eb0b3a35da05b9c8705cd382a5947d7b8a19863c6111c7e1c744ac779b329a6b52fbe7b08ef5d42ffe26ce9f8b0b059adb19ef72ed8b

Download Submit
C:\Program Files\VRCHub\PresentationCore.dll

Filesize
8.1MB

MD5
0d9dc9204a727d2da2fcdfe7f49f1679

SHA1
b2d6e91bdc1f0855d7022bff0efcfcd9223f5e43

SHA256
67a9fa25b58865941f1edb6cdee30511f9a045be492a4bee128a5ec00a302114

SHA512
dc14e5e2e7e4b2dfd0a558df72ea86f793ea757909b920d42554aa172f5eba11f58d9570b0bcd5d5c96d0f6a31895655c5d435b5eb79ae2e784c675b5f1cd28e

Download Submit
C:\Program Files\VRCHub\PresentationFramework.dll

Filesize
15.3MB

MD5
66493fb267f3b444d596161f64759a7d

SHA1
0fec0b3386ae779191e1714fdfebd0d2aa0632bf

SHA256
2c4979ec44d52eff4d33135b287748347aef116259f906b35c962ff9c0005aa9

SHA512
d30bdd99ec1169db1e322c3a8d2aa488526781f90f5820805211f9ca385d54639cb090ceadab0be3b0bd180de490be854f655ed5d4d6ee9176c6729ee1a961fa

Download Submit
C:\Program Files\VRCHub\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
6eba2908117a118ff23d04a99d5c3f38

SHA1
1681e9be4fea69427ec38fe521fd932c681b2509

SHA256
f90b8bcf5728c597cb28e941907a9612fb6ac89a88289e4c748ff9edb8c4b25c

SHA512
c45bf74052520eb4453b8cfa8c28adbe8c5795c03ca5fa3281309c2f9025f8ea3eae6167f5ad1bf34eebcd9889e6451ab1682ccbb6a473c5ac963029d2e962dd

Download Submit
C:\Program Files\VRCHub\System.Collections.NonGeneric.dll

Filesize
102KB

MD5
dc1acd333174ed20f114e10fa8ff328a

SHA1
2a8f4435038d148b7e7125ad0e9525f2869600b4

SHA256
2e5c8f875909b4a872b4ef2c483821e1b727633c0e5a967f9546e06c0389a9ad

SHA512
4e14e3e90897253e8478735bb45db21ce040e186c323eed07262786300d78eb59683e9dd5da70d35f1f2626988c4e05e43b0068bd72c258bb1a79e3dcca189bd

Download Submit
C:\Program Files\VRCHub\System.Collections.Specialized.dll

Filesize
102KB

MD5
79811b63a6f7366eaf2f5d41b2d0054d

SHA1
a2bf478ca3c987f1936d9c1bd85f7da5e118da05

SHA256
f049745f0050115d48974be92ab6da064e7ef92f5cb899f6e1ef3b40447142d1

SHA512
6adbe13c51fcdba95f70b175fc32dd3b946be4c272b63f75f8815cf4b7ee43fa248bd85698383d36785a695d487a62ce980d313dec8067fcbe1df09ad385b2d6

Download Submit
C:\Program Files\VRCHub\System.Collections.dll

Filesize
262KB

MD5
3bdd31dd83396a734f9b9f84f38fbf8c

SHA1
df0ae93b31ceec681d878a135c1dbbae3e63abb8

SHA256
7037c2575f7f8ed21e8592f7e7b12d865a4ed8adab0e03603f4024c221213266

SHA512
9d4e194f70863b2c8e71c717f75b2cc8cff7ded182d8fb669c2cf208d59550f2251f7f3106d8a163fc7af92c90574a8b41b79fc351f495c34e5b67d720bbc6fc

Download Submit
C:\Program Files\VRCHub\System.ComponentModel.Primitives.dll

Filesize
78KB

MD5
90849931c2086e18c996ce3032fc491c

SHA1
051d62155e67a9a422be29e4e48d50ab3516303f

SHA256
df3a79166b6f5340815b556dddaee33d5723babde5b63b83ee58a6798c805f2c

SHA512
c36a4d09a6605793b3f74e380efbfaefd933c2c4eedf8b30c161d632982a6162a983f6332141f53c29981ed226c8a2be96714dd9794cec36da9e70024eaefe45

Download Submit
C:\Program Files\VRCHub\System.Configuration.ConfigurationManager.dll

Filesize
1.0MB

MD5
3a29061197e4afcfd7b5ba354cb652a4

SHA1
b413f14979d7b9aa5c00d5cb5a5911aeb83975d1

SHA256
4cab0b8fa32f57eba792c276d381b37d04784da63e9d90e08c6eebc44881bbc5

SHA512
5c5c0f6b632f402973b4516c15452ff4bf99bc32b1b6c9dbf33c4d69d41124d58c2a1ad87290c5bd9cd08288472c5976fc404b0fa4e255de59aef9627aaa0b1a

Download Submit
C:\Program Files\VRCHub\System.Diagnostics.Debug.dll

Filesize
15KB

MD5
df692ac7c122fa58c1e10820caf63275

SHA1
8d146282763ea6b273197962ba0eeaafeca440f6

SHA256
597f6373feecd0d38b6212dc980de08ef44f71b563d5a74d0a08a24f54b9e0a7

SHA512
6bc32168e1d35dd4635a44ede36d0735f3fed798b1f17cbb9dd59f39e99cf95c511d9871cf717aa130a1277e2de439aaa279f542eb6b9682e2cb21bd302b2924

Download Submit
C:\Program Files\VRCHub\System.IO.Packaging.dll

Filesize
282KB

MD5
dccc51d967ee7ba56d7c3a6b36baa11b

SHA1
6896aad68be8e75e41217140a6abd6d74dc43c12

SHA256
ddad5ac21f4fa13ff27d4162543f6e1dfa45d9b173f6ec6c7ce9018ee2c5813d

SHA512
e4f2f1cc605440fbd6ca76f3e145e29507eddc3d1ddac49282a289fa6775289f44d098b9bece163b9ebd12d56d898f564b18edf4cef01bd60594460726de9f9e

Download Submit
C:\Program Files\VRCHub\System.Memory.dll

Filesize
154KB

MD5
e4dd8549a587761da1b5ce57737e2397

SHA1
2582e4c5d788254a407e85a58362af6104a390d6

SHA256
352efe0ff163df315d0a37015e1b4fc1515b67c600701504815083c5c789a6e6

SHA512
4711bf84c3fde4ac28208425cd501424ada5cfadd99a120f302380c3718d3424606c4d0ceed72e6bf201cdf9fe764e0c7d1a68afdb5bd09d30a143faa6c746b7

Download Submit
C:\Program Files\VRCHub\System.Private.CoreLib.dll

Filesize
13.5MB

MD5
48beab63c379dfd470bfdfa2589861e0

SHA1
1356cc4c21b15d54c5841b7c149837a5b5c33455

SHA256
f63243f588eb54a4b310657c42b8e59c5e697cc632cb627a6e15c94ee285520d

SHA512
c1e554f09ab8fe3d41b99cbdc069d5250749644d41553f4bbb446bedd5f6ed8401c0830d1798ba444eb72c55f873b451ef6eec240c4df30a025c1b6b2f7b0003

Download Submit
C:\Program Files\VRCHub\System.Private.Uri.dll

Filesize
258KB

MD5
bb59d65d562066565fa3b0d784745462

SHA1
2c016a028d4e6a7f9635f134154a61e5d67475ba

SHA256
a37698a5c05b62e771b2084c8dd42909f900b8200001f0e4187a97c7e1615cb0

SHA512
5eb87e630dd879fd51b94ed5020caf9e6ec0710a2fa1aa37db9774bc2ab180cc73b0ba63f6b79082da440c822d230ab477a3c1b76df61cf1a03064c263c5b1d8

Download Submit
C:\Program Files\VRCHub\System.Private.Xml.dll

Filesize
7.6MB

MD5
c2af4102138ab9fee563cffbb21375bc

SHA1
2d9a80e8d957b4b6588223bb5e23f6219d165327

SHA256
b0cb5ae9109463980b4af05befc1e0f12d275b4bdbda7d9d918a21fad0d764e5

SHA512
7a8395d4408e674d4c24df420491667cd71b884c3d869a31db4262e8e488e9f1074248440840095aa2a56b063d0feceac73031f7bd13c7c5d59e649eb4abcdf7

Download Submit
C:\Program Files\VRCHub\System.Runtime.CompilerServices.VisualC.dll

Filesize
30KB

MD5
43dd6fb7992d538e4bdcbb357c5d8ce9

SHA1
37fbd0329ceed0d4cd428fa2c880da2e0ba72c9c

SHA256
2f089b31fa7c04ff2035b3fc81d3cbc0378fe84ac7e9f6c3cbf1e845e43ab492

SHA512
62f3151bcf7083fa42060ca89fa442f60ce8f27d7fad54fe351dff702c27026cb2cd3b70e1b3ec61326014766d76ca6e02992cb411487f029f9f258ead6e84ed

Download Submit
C:\Program Files\VRCHub\System.Runtime.Extensions.dll

Filesize
17KB

MD5
7d11dc0007fd8293b1343ceed8757e22

SHA1
c799c082581fd2610f24f5c1354df18190fac219

SHA256
6e9cef8b3d0f63f2908ad7c8e0c656284a3e726be7d27e3390ad9ac0554f8d65

SHA512
6f4687d3cc942389ce254c666bc26bf9b5b3c66b815e26395d4bc7d08ca6593bfc0c90da506bce4ed7f6204dcc983a6fff14e149be4ea7d6906b76112321d3cb

Download Submit
C:\Program Files\VRCHub\System.Runtime.InteropServices.dll

Filesize
110KB

MD5
493d415ad18d64adbb1207258002885b

SHA1
3a6b7a8e5c6aea63b06bbdeb5a245f4a33f98d0e

SHA256
00b383885da0c416d753b624261b0f12969c84f843fecada92c28a619b4fa399

SHA512
ed3c57621ea73635f0fcfdbc58f83b6836ecd0db06df503b74ffbded82b7c23d4347daa0cb73a3f73d3101f3dab60b533f565be32f5efa931a333ecc490df1ee

Download Submit
C:\Program Files\VRCHub\System.Runtime.dll

Filesize
43KB

MD5
d9db9b062333551d0ea63189af4618ec

SHA1
68166941a0afe76a52382e875aa1912b754025eb

SHA256
5288717a9775c852ea6727a1420ce83af33aece4355d9c8ef4f3639c996e6e01

SHA512
96230fdf0efbe920cc457cc9da2ef2463efed477e389ec54c165f1efd770be4939a125efd5028660b80387491bd81dc3c72d927e227dcb04a3d8eab866987dbf

Download Submit
C:\Program Files\VRCHub\System.Threading.Thread.dll

Filesize
15KB

MD5
3621fbf624cd2f4df41934893c9bc2a2

SHA1
1be38631b8554900e76cb2ea6749398f77143276

SHA256
7b6c1e48538dee2c9fc329267dd3bb0d70381b0c2ac3abf9d64846f774ed654a

SHA512
60ca31c9478a2620ded7787d40453bbff6a8e3588f98b756953892d4fdb4c0aef69418f66feb54da0c2dc7322234a2b6ed5fbe1c3c1e23ab23bcf43257667e0c

Download Submit
C:\Program Files\VRCHub\System.Threading.dll

Filesize
82KB

MD5
024234723590129ebf6cb3360ba765c2

SHA1
e7c0e782451c946083e02be888dc07b0e0b995ab

SHA256
c34c98f95b29968d2dd89bc7dd0910d90e04d683e32452299c75c9f1405a5d21

SHA512
c54ac559f401f95d9f1a89e83b46516a02680786b6940100c32a9ababd60f47156eec6b1fc2a3b150e28db2e47039615f2012a516bcb526bd05fc29b294562d2

Download Submit
C:\Program Files\VRCHub\System.Xaml.dll

Filesize
1.4MB

MD5
c243c0df4c218b9b1beb37a10624d36a

SHA1
73c85abdd68767ce13dd024e7e8f74b53b324667

SHA256
ad7d175c7c7acc5cf17646265b6dda6a5e581ebefe24fdc771b3664324994084

SHA512
615b36c962310428fd06e40a1bf2bfb50b1e5051ce9c8fb7862171e50312c4e63d11f2ef62f9eadfca7799d2e4b6ba6a3e792561d20db02a91a05348a020a2c9

Download Submit
C:\Program Files\VRCHub\System.Xml.ReaderWriter.dll

Filesize
21KB

MD5
1c23dd179888ad48ea3796568d6fdfd5

SHA1
eff3a03a3e3e77d2ffd5c4453b6cf4c66d60d65c

SHA256
172c340c5d7aa156656c2b507ca7451857c8285e44f24a03c42d5a5f82bee0e5

SHA512
21fbd7081b2feac7c800eafd1bbe44bf4829f27017ebe5ffd0865d5e0ee25c8ff3d79edd0156f38ba6771bf6c9721835bd071b2433b64e008d20dd063ad3e25c

Download Submit
C:\Program Files\VRCHub\VRCHub.deps.json

Filesize
112KB

MD5
f19cced0d1bf9a04d9284e35d37f147a

SHA1
d8bdfbec26612fc8a408630a194bb2b535bbb4bb

SHA256
e57f2d97ef1534914f276f0b596dcbf8b35b07c041ee9fc6f5568023b8fd3cb0

SHA512
e2499a09e5d1274ae20c2e66e3d10e23c9995b7b43bc3c4897a5b8c5c233334f8274f484f77593eb73b48bb9fb8bcad0d81892dd64cfb7ab45ce803ab9d6a482

Download Submit
C:\Program Files\VRCHub\VRCHub.dll

Filesize
4.6MB

MD5
95413729a70b3e0fe9d89f10c4eb3c29

SHA1
312e4a264186dde3191b77ed1dbce269f4af1171

SHA256
4cbacb83170b1ee6e60a1616cdcd47676cbaccd1b55ae62e5b845733490e8248

SHA512
6d935ad3237ca5da4f42b5f5a226188b48a8e216f20c39b69e0f82c990c2b2a84a827fd216522dea83d2186a8c55d9f1a197a3b6aa9f9d3b4882bed3d56cc1b0

Download Submit
C:\Program Files\VRCHub\VRCHub.exe

Filesize
260KB

MD5
52823951eb2e98962f80f88e4a92c1fd

SHA1
6028e1f59f7352b0dbcef4721dd8cf9a13541733

SHA256
2667e32201be490caefc2241df13f3fced83776ea703059a07678de4fd9869bf

SHA512
dbfc6ce8d3e23accad01978212c4a6e6001dbf00a684c2a5b862afdb6a76a8acf34c2918bbc15bd8b1860441566859506e389b31c6a26fb2dc356109f9ef8fbb

Download Submit
C:\Program Files\VRCHub\VRCHub.runtimeconfig.json

Filesize
504B

MD5
4a42b40810e278c15b5acf2938fd237f

SHA1
9f5d6f8dd32d5b0502e4ef3467858d4edbd42fd2

SHA256
0b5b3c3e06120d3c62c76c0879b62ca4f66d0428c28e09cb6f3984cf5ee4a95b

SHA512
175bbaf254addde1671cb4735fa987f129dedbbabf7c14868569d40b65b73f2e0051690e4f76c1ec5676e53a3813fb1db654a9bed420f79299ab5834e6342288

Download Submit
C:\Program Files\VRCHub\WindowsBase.dll

Filesize
2.1MB

MD5
2dbdf4d2b1155bb5d1557c6fbb79d9b0

SHA1
8d7e315f54146637c2ab269f1df06703a424592a

SHA256
adfba13ceb69ed191b9a9b39711b9012fa42544bfbde8c7729ccc5886583743e

SHA512
42300b57b9d66f273d51e4b057b783a37f6216b5f3c9a1ccd0ccd8a6e3b7dba88ea6fba2bd9991d5d8d9d0b5427922b26a176692a23ce08c84278e95492cbf08

Download Submit
C:\Program Files\VRCHub\ZER0.Core.xml

Filesize
15KB

MD5
a4a3c8a177b9d41dccbdc8b20f47e5bb

SHA1
015d4ff311cf48d660c6e456389aaec998a16f69

SHA256
77612d44180d9c7114ecb5e500e4466779289b5b8bb699e81c13deb6eae33d57

SHA512
4e89b474eaf70820a471b94f0b8d5f9aaba9047199745acff55cc05f2c8e4fc8c6f021897921f942825bd9a8f754f1d98c14b99a7c78f9262fafd49c4f7cb20a

Download Submit
C:\Program Files\VRCHub\clrjit.dll

Filesize
1.7MB

MD5
1195878c7f131355e78cc863955de0db

SHA1
2a850ef8ff8a45f631ba93de573816091f8bdc17

SHA256
1d1c64dd29436a9451472dedce83e0bc423c2028fc908958b28356a8af5dae75

SHA512
11adab574a21bb40f91d097a50755861a62f40db149cd29de545a40752dde5ba59ad1193e5c7ec9b3cf191a68399cd39c74fa92e6d94d43b4cf8c3a467bfe9bb

Download Submit
C:\Program Files\VRCHub\coreclr.dll

Filesize
4.7MB

MD5
089a75e08284d92b33821c472d12391b

SHA1
198e1c31cc9618e3f57fbe96055cf43a3e6aff2b

SHA256
fb5764205efa1371aa304780dc71dec3d17c59a8caac8f8870bf2951fb86af87

SHA512
31a06d1c1287dd3d01974a72661afa4646d8309849e4b6de70d6f67b36dc5ebba112a202fcddb5f4d39174e5e6d979b24f36d0cec7cbd404a3013e0c8f1fc437

Download Submit
C:\Program Files\VRCHub\hostfxr.dll

Filesize
344KB

MD5
ab03418b25d67b36cf9642f38f7efd72

SHA1
f28b855abedfbf544cb6e116c5a197fb6e830794

SHA256
176a2bb49adbf459cfbe5f8dd6d2cbf690a336bf230b6eb2463396491a405214

SHA512
baa9f8374e1c00c978b7530e6747beda897be4858b092c9296668957c723cec255b5f7066dec1db811ef69bb4d22e310b7d4550054c0bc3cac287b14a67dcc28

Download Submit
C:\Program Files\VRCHub\hostpolicy.dll

Filesize
370KB

MD5
bcf5c5804c705b0c702f4cf100fae23e

SHA1
dc4f3ac764736c3eec4a2cdb56ff2298801d410c

SHA256
dbad5d81d86abbe75f3ae0b1ef7b83bbf3347f87c6238ff860d647115376ba3a

SHA512
1cf1da5db32558a1529d313c1edeba20be3398a1d5c002058f806edb36d7844fd18b5b59024125577cd724e543dbd978f6f5776db49fc5b8f8cc20c9a0d28597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rbeiz24k.hc2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4CGNL.tmp\VRCHub Setup (1).tmp

Filesize
3.2MB

MD5
20befcbd9f8394961b0988fb8f2af99d

SHA1
0b8dbd295af08d82ad7acc33e3b3487a3015fd4c

SHA256
c6f3b7dc369636a3f793f0c483d1d8c5798679ca88d5f1a4202478a59629366f

SHA512
7463c2bc704c8e037c14ccfcdb1eafd3ad1bdb6220ba5f4f782f92cfa9809c8b12ed60cf4b1f0f9c2f53588d30d54e8a3064d5802b1107d47fe7fa960a1bb9bf

Download Submit
memory/656-974-0x00007FFAA5E60000-0x00007FFAA6921000-memory.dmp

Filesize
10.8MB

Download
memory/656-968-0x000001E4332B0000-0x000001E4332D2000-memory.dmp

Filesize
136KB

Download
memory/656-977-0x00007FFAA5E60000-0x00007FFAA6921000-memory.dmp

Filesize
10.8MB

Download
memory/656-973-0x00007FFAA5E60000-0x00007FFAA6921000-memory.dmp

Filesize
10.8MB

Download
memory/656-962-0x00007FFAA5E63000-0x00007FFAA5E65000-memory.dmp

Filesize
8KB

Download
memory/764-1061-0x00000000030F0000-0x00000000030FA000-memory.dmp

Filesize
40KB

Download
memory/764-1063-0x00000000032E0000-0x00000000032E8000-memory.dmp

Filesize
32KB

Download
memory/764-1065-0x0000000003300000-0x0000000003308000-memory.dmp

Filesize
32KB

Download
memory/764-1066-0x00000000058A0000-0x00000000058BE000-memory.dmp

Filesize
120KB

Download
memory/764-1064-0x0000000005870000-0x0000000005896000-memory.dmp

Filesize
152KB

Download
memory/764-1062-0x0000000005990000-0x0000000005A22000-memory.dmp

Filesize
584KB

Download
memory/764-1060-0x00000000017F0000-0x00000000017FA000-memory.dmp

Filesize
40KB

Download
memory/764-1059-0x00000000057D0000-0x0000000005870000-memory.dmp

Filesize
640KB

Download
memory/764-1058-0x0000000000E90000-0x0000000000F70000-memory.dmp

Filesize
896KB

Download
memory/1928-101-0x0000000000590000-0x000000000067B000-memory.dmp

Filesize
940KB

Download
memory/1928-0-0x0000000000590000-0x000000000067B000-memory.dmp

Filesize
940KB

Download
memory/1928-1053-0x0000000000590000-0x000000000067B000-memory.dmp

Filesize
940KB

Download
memory/1928-2-0x0000000000591000-0x0000000000639000-memory.dmp

Filesize
672KB

Download
memory/5016-105-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/5016-102-0x00000000006F0000-0x0000000000A3A000-memory.dmp

Filesize
3.3MB

Download
memory/5016-1052-0x00000000006F0000-0x0000000000A3A000-memory.dmp

Filesize
3.3MB

Download
memory/5016-6-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download