Overview

overview

10

Static

static

10

XClient111.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    04-12-2024 18:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient111.exe

  • Size

    75KB

  • MD5

    1c7d67e357a4c6f86fde169b8fa74639

  • SHA1

    4168ae0daa5e17cd0928c7542e49bde8490acdb9

  • SHA256

    4094fea68e7a41431fe15eaf1ebbf4d88d20c10e01d4c32e4b466757e626964f

  • SHA512

    a9b87f16bd144568182d2f2dc19855d57be54b73f3066cbfc299f6132b41cd2cd49fdd4d2921d2dedf17b05f5a244c9b41dc8ff500140cbe760e11daf9038205

  • SSDEEP

    1536:9zpyggc1VrFL5n1yubpKAXcbK8ni9o26XvmOpqKnKE1J:9lEaFVn1zbzsbKh9oPvmOIiJ

Score
10/10
dcratxwormdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

5.166.171.54:5552

Attributes
  • Install_directory

    %Temp%

  • install_file

    CelestialUpdate.exe

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Detect Xworm Payload 4 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 10 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient111.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient111.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient111.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient111.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CelestialUpdate.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:4032
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "CelestialUpdate" /tr "C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3016
    • C:\Users\Admin\AppData\Local\Temp\IFEBS6HLOW81BN6.exe
      "C:\Users\Admin\AppData\Local\Temp\IFEBS6HLOW81BN6.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "IFEBS6HLOW81BN6" /tr "C:\Users\Admin\AppData\Roaming\IFEBS6HLOW81BN6.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4844
    • C:\Users\Admin\AppData\Local\Temp\FKAOR4WHCDP2BBL.exe
      "C:\Users\Admin\AppData\Local\Temp\FKAOR4WHCDP2BBL.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1080
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3jk5zgow\3jk5zgow.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1592
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78F4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCABE4C6881E744A61A5B88CF75D4CE.TMP"
                7⤵
                  PID:1304
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fp2x55ut\fp2x55ut.cmdline"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1008
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7980.tmp" "c:\Users\Admin\AppData\Roaming\CSC6EC0FCA16BC44E4C8F78DA8627924081.TMP"
                  7⤵
                    PID:1612
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iet25ydo\iet25ydo.cmdline"
                  6⤵
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:3200
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A0D.tmp" "c:\Windows\System32\CSCE449623D20804A59B4FD76FE48C952A.TMP"
                    7⤵
                      PID:2524
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:1476
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\IFEBS6HLOW81BN6.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:3356
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\WmiPrvSE.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:2180
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\dwm.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:3232
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\Idle.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:4948
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:4584
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svvGmvXnz7.bat"
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4024
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      7⤵
                        PID:3336
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        7⤵
                          PID:1528
                        • C:\Users\Default User\dllhost.exe
                          "C:\Users\Default User\dllhost.exe"
                          7⤵
                          • Executes dropped EXE
                          PID:5076
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4696
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4280
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1564
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IFEBS6HLOW81BN6I" /sc MINUTE /mo 6 /tr "'C:\HypercomponentCommon\IFEBS6HLOW81BN6.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4488
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IFEBS6HLOW81BN6" /sc ONLOGON /tr "'C:\HypercomponentCommon\IFEBS6HLOW81BN6.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3364
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IFEBS6HLOW81BN6I" /sc MINUTE /mo 14 /tr "'C:\HypercomponentCommon\IFEBS6HLOW81BN6.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2968
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\OEM\WmiPrvSE.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2260
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\OEM\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2608
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\OEM\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2748
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\HypercomponentCommon\dwm.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1632
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\HypercomponentCommon\dwm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3476
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\HypercomponentCommon\dwm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2924
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\HypercomponentCommon\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2576
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\HypercomponentCommon\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2444
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\HypercomponentCommon\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2044
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 12 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1140
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1960
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 13 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3516
            • C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe
              "C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe"
              1⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:564
              • C:\Users\Default User\dllhost.exe
                "C:\Users\Default User\dllhost.exe"
                2⤵
                • Executes dropped EXE
                PID:4060
              • C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe.exe
                "C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe.exe"
                2⤵
                • Executes dropped EXE
                PID:3852
            • C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe
              "C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe"
              1⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1048
              • C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe.exe
                "C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe.exe"
                2⤵
                • Executes dropped EXE
                PID:4876
              • C:\Users\Default User\dllhost.exe
                "C:\Users\Default User\dllhost.exe"
                2⤵
                • Executes dropped EXE
                PID:3984

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Credentials from Password Stores

            1
            T1555

            Credentials from Web Browsers

            1
            T1555.003

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            2
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Command and Control

            Web Service

            1
            T1102

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe
              Filesize

              220B

              MD5

              47085bdd4e3087465355c9bb9bbc6005

              SHA1

              bf0c5b11c20beca45cc9d4298f2a11a16c793a61

              SHA256

              80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

              SHA512

              e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

              Download Submit

            • C:\HypercomponentCommon\cemEzm0xYx1.bat
              Filesize

              105B

              MD5

              5ee2935a1949f69f67601f7375b3e8a3

              SHA1

              6a3229f18db384e57435bd3308298da56aa8c404

              SHA256

              c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

              SHA512

              9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

              Download Submit

            • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
              Filesize

              1.9MB

              MD5

              7be5cea1c84ad0b2a6d2e5b6292c8d80

              SHA1

              631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

              SHA256

              6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

              SHA512

              ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CelestialUpdate.exe.exe.log
              Filesize

              654B

              MD5

              11c6e74f0561678d2cf7fc075a6cc00c

              SHA1

              535ee79ba978554abcb98c566235805e7ea18490

              SHA256

              d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

              SHA512

              32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CelestialUpdate.exe.log
              Filesize

              226B

              MD5

              b92bd19c1a9416298a873dfa43b439b7

              SHA1

              7b96a8874aff3a502363f4168332613ebc53d64e

              SHA256

              1ac8854abd01c202cf82e4ccdf80bf50319c59bc7a02dce2b19cecfedf7dd4ba

              SHA512

              5910691ebdd78a2740117b14f146629874682d196f518f479b8bcb754ed2501a009fc465cb9e3685f7aed8ced7b435690de2b8b8439117abb5f61dc4996387a6

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
              Filesize

              847B

              MD5

              37544b654facecb83555afec67d08b33

              SHA1

              4dc0f5db034801784b01befef5c1d3304145e1dc

              SHA256

              ec084a6c6ecd7d31f1927b0cd926ec03ce346a469f24e5a860e05f2241bd7bf4

              SHA512

              4af827ead52c8769672f58a69fca18484aeba1e59b7ec0527e200f8e3d893bcbc1063ea820260fc0b922985ee3b26c3a6f79b4044fb34f1b58f2e3379971b5f9

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              3KB

              MD5

              3eb3833f769dd890afc295b977eab4b4

              SHA1

              e857649b037939602c72ad003e5d3698695f436f

              SHA256

              c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

              SHA512

              c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              91c7142641892d9ebd7682b31c336b75

              SHA1

              05cdb58f14dc2bbe2b8bb2d3158a6cee9e7bfb9f

              SHA256

              e7e8a4def273d0e298b8aac873652004bebb98a7e424f5896d85819068e894c5

              SHA512

              56335db470bd4b44a316170323adbfc76523d62d6cd3d70e6211d22c12fc48e3e6171b7f97bf369272d3c9953b1e622dc908fa9d745db209ac712d7ca4914fa5

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              b97fa7c7c98691e38050dfb0ef047cc9

              SHA1

              8bd19725b5c3301b2515548318e3a9b7d8998713

              SHA256

              3121fdd40fbb0868e4030da9da4e2366da8a0fb10244a71f9e9756ee821d3977

              SHA512

              a2861efa5130aa9a37a95482873aeb64489f5ccd7644a08afa0bd370f1ac370cb90742481d3ffffcdb9fad869ef6d8636959e8c4d5f3395f5904db0944215841

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              c89671578badca1980abd30ee08c6ef4

              SHA1

              79cc06f7e038f551be97625c3c5ea0255b89ee25

              SHA256

              1cf4b698e3120b83ce7b04f5582a430d04c4a47e0bd8fe1d1b136eb7ea141117

              SHA512

              d330c8848fff27bf98f880e58541d08f59a1d8e27ffe1bd6392a65d8057c402eae642f92305303a0a370803f9adba6d5e350e1aeb0f4cea65769d7adc93edf65

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              d70ffa2b32eea9e18b2fa4545d78034d

              SHA1

              30fdd79aaca3a32df1d55ac274fc4f3eb6166522

              SHA256

              72b08887e05ddce58d36058d21002c0d5732c37ca0f2441debb26ec06df34b6d

              SHA512

              d0873d7b14e209e74fb672a00f1111389d33d42edb289f72d1fd00a2a3e29e794b30aac946af5fe815673a7a3f4c0820a39cc6d9215f471e0ab18644d1682f91

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              60b3262c3163ee3d466199160b9ed07d

              SHA1

              994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

              SHA256

              e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

              SHA512

              081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              63efdfabe528917f6d804439f207aed7

              SHA1

              aa44e3d6626852f54c1d6b66782c5966e2b7a0e4

              SHA256

              f02bda67a39cd459e1e917fc79f0c4bf4cebf5ad76ee1022b96edcd599209679

              SHA512

              7717d15a91ceb6179574452d8c5a4b23c14b629629d9ce68df2f480cd049272fa3c509bde843676c9a0a6ae13cb4d9703816b954c81be338783a3d8cfed238b1

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              c7624ea88261de9d6055d4bc1088cecf

              SHA1

              e936415ac7081f46cf77c396a913265029642c70

              SHA256

              352e450eaaf22e12faa13843c7c74769faff177611b6078cb9c1830855ce6f67

              SHA512

              37826824edc629cece6a853a8003cd1c7bd201eb4677de8a1d84801ec8cf1d4f7bdf793ab6308212ccbf67e235dbcee5d72774e0f97558b72d348c8d8d5e022f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe
              Filesize

              4KB

              MD5

              ba88efbe67bb3c04db67a03f222f4e71

              SHA1

              fae1d8c9b3afa5c5f1785ae773e2f1059ecbcd06

              SHA256

              610437e84f7aa35bd6fc757ab7fbb41f32947f1da73e08f167292839867414e3

              SHA512

              b0a73a9189ac81020b26aca0295204f66b16cb319969bcb746eb540582eb35ab727accb1bca36ff76ab1f088219786060d4a20dc7451fd488e41d7f0d2e130dd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CelestialUpdate.exe
              Filesize

              75KB

              MD5

              1c7d67e357a4c6f86fde169b8fa74639

              SHA1

              4168ae0daa5e17cd0928c7542e49bde8490acdb9

              SHA256

              4094fea68e7a41431fe15eaf1ebbf4d88d20c10e01d4c32e4b466757e626964f

              SHA512

              a9b87f16bd144568182d2f2dc19855d57be54b73f3066cbfc299f6132b41cd2cd49fdd4d2921d2dedf17b05f5a244c9b41dc8ff500140cbe760e11daf9038205

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\FKAOR4WHCDP2BBL.exe
              Filesize

              2.2MB

              MD5

              05d87a4a162784fd5256f4118aff32af

              SHA1

              484ed03930ed6a60866b6f909b37ef0d852dbefd

              SHA256

              7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

              SHA512

              3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IFEBS6HLOW81BN6.exe
              Filesize

              185KB

              MD5

              e0c8976957ffdc4fe5555adbe8cb0d0c

              SHA1

              226a764bacfa17b92131993aa85fe63f1dbf347c

              SHA256

              b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4

              SHA512

              3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES78F4.tmp
              Filesize

              1KB

              MD5

              368a831d9824c22e9c5bd4ffccda89c4

              SHA1

              801347032fded187eae78ee5a9b8089adde8fec4

              SHA256

              b5e267a2d247f607f8e8f25a0713f8e5c46badb16ea2bdfe71c23154e4bf6cfc

              SHA512

              5fa097ebcb7d4ec97b6ab40875d35b075f50d8120e8917620849cc6690263d79aa5ff6f30e7d764a79f8136de056515259e319c5c7dac458bd2c1dcca0ffe24a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES7980.tmp
              Filesize

              1KB

              MD5

              cf9c7421a50598ef5ed6ccd1eb33c89b

              SHA1

              9eba8caaf9b7ef62677421db01aa83cb03ef3b05

              SHA256

              b3b59ca1025ee77ac4c7d9ed6ac645b5f2a229a0a0c7451c42b339848a190aff

              SHA512

              12c614ed44d071b33dd27245635f6f3dd142b5b5ebc71e492c37145be864dd3c693acd5998fad49359ce7acdfc3c07b07d36548ee709c9a5ef34ce47540c2530

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES7A0D.tmp
              Filesize

              1KB

              MD5

              ea11ce3467e800bf682a1920f1c9e6e1

              SHA1

              5a3cfd94df0c010c93321f6b3febe02e45834aff

              SHA256

              39630de72016e34a96245f84648007cb8aa1d0395bc878a9c8f76252e9673caf

              SHA512

              ac7577c1122e01ec65d45f7fbea20321b2278501820aafc3e7de4c1cebe7e5a119aed7505b7579fe78d56038e7001ee3a66a11d1f6ab29599d0d7041e5d90ea4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_krysixti.u4z.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\svvGmvXnz7.bat
              Filesize

              209B

              MD5

              4cce8e4fac726006714eae0ffae62422

              SHA1

              42875b0deb2bee3e689d01de6e03850638e75e19

              SHA256

              6cadd4f34ec24d92c09caea3399ed7023d29c12dfc1d967a45e6977965bd05e7

              SHA512

              f7b57fe8a5fd5bbd5ff2fd1fbca6f9d9cf8072fbc9d92b0565ca5a9f5b03844031ec0625d82505c5b26fee716653bcda3c5dd76d3be25362210a83b78a2466b0

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\3jk5zgow\3jk5zgow.0.cs
              Filesize

              388B

              MD5

              f0c8dc2d08b82809c3efc6344154189b

              SHA1

              338e7ebbe9a0e74280aee180d08de25eb93443df

              SHA256

              1c5fed96ea3edce02c8c87b095a5b31f73c5887f4cba93324609bb7529c1c7f2

              SHA512

              7d25b7c15ef03649e2502a96d48cbf0ad488d0f2fa0c6c84e0fbc81dd2558e3545066b32fea811a044be88f47b7d7b03c2d3eb815f7611d135b56483271ea77d

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\3jk5zgow\3jk5zgow.cmdline
              Filesize

              258B

              MD5

              0bb1e1902cee9e943b3cfd465a78c442

              SHA1

              428e8e115abc06f74e1229a67f39cb6b5ad5c063

              SHA256

              f848f8cc7d95d40983f56e2e98dd3b76af298ed21667c3fbff89659943dc9e4c

              SHA512

              315c7e080e3e380f6dc9a7c31d27a718d42da12b4f50dcb4694e266a96a3c3ce43b2a689aad7695ff5bd001c4fbed79ba7b94511ce61bc846d50194823b1cce9

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\CSCABE4C6881E744A61A5B88CF75D4CE.TMP
              Filesize

              1KB

              MD5

              6aa228f10d79d9a653efe79815dc2ed0

              SHA1

              2623ec8c101a4e3b367d7a6fd78878fcb03cb005

              SHA256

              34d0afeeb68839bbbab96e8ec72c4f516785b76b95fba68f059b53e3c25995b6

              SHA512

              61ddd21628e3ced5a5f1fed025a83b95ad3972247b083c4a533145f0912b51d7a4fc609e5dfc37ff7a707ccb228d1c79561f8fa659d63af516a23a465804d987

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\fp2x55ut\fp2x55ut.0.cs
              Filesize

              385B

              MD5

              c918ead44a5318f9c8bb8f5d2259ba0c

              SHA1

              de73237bfca8bbb38417ac8264628c75945acfde

              SHA256

              9ac40e5b1d5a49c2bb1a8e7b0d55ff06550d0bfad1fd932d23dec46c67ce88d9

              SHA512

              7432b119933b09d5a20a17533b77bfe54645ff1f46f24af2879325fbfbd3e91a3a46401b8580f2da18f37feaddb5e0d2e00c022c7e9b6cb704925274b26c6118

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\fp2x55ut\fp2x55ut.cmdline
              Filesize

              255B

              MD5

              24dba30f4cb26b75b74aae1517f76654

              SHA1

              909ab0d67ed6c7548628b025e78db8fe79b22d26

              SHA256

              f3eb5dc7eeb4fa9985d68caba0e190a63a2b4552d9093861b1b0225ed94408a8

              SHA512

              76950cf0f3bb956b36ccad4a96b18621d3412d6052f6b93bff83018d7ab370a1e22b76b93f2436339c5e94f8cf32cdc2baf0d4ca6bdf0fe44d5d112ca79950a6

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\iet25ydo\iet25ydo.0.cs
              Filesize

              365B

              MD5

              ab72629991c3c65b3f7defcb8b4a7d24

              SHA1

              b9077a8b7574f8f4fd814e822c68942db0c40e1c

              SHA256

              af67bf51f5d5faf6c2a4348f3025f2439d520dd9ba5feb0bfeedf6116d737169

              SHA512

              e4b408242224a01335f9850714b42de488b4569ee798d676ec956dfd7b6527dca225dcedb46415fd7aaaae6311d28ad742abd25bb493a1b9a9d025a1b3689dba

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\iet25ydo\iet25ydo.cmdline
              Filesize

              235B

              MD5

              a8e67acd32bde76adcece5a51a156246

              SHA1

              806980c30027ac46e93793dc81fd0ecdbe1be7f9

              SHA256

              24f6c3afc0a2c28ae91408947e83d86d3c76f4c9698af67d94edd8eec77b9f90

              SHA512

              6267e5403c204d75cdfe3f17df26457a6edbc90f4e64b19d0137a36e6a0d0ca64f8ea3efd3434165d17c8999ce2b84b4d9ea1da92ab3252ba4847ed905513cb7

              Download Submit

            • \??\c:\Users\Admin\AppData\Roaming\CSC6EC0FCA16BC44E4C8F78DA8627924081.TMP
              Filesize

              1KB

              MD5

              58502b330b268ac115076d090104dcf3

              SHA1

              7109f37a331cfc7dc17eec68b829176b1a08300c

              SHA256

              3384e9fca7486c61f2e835127080b104639684c9224aebb47da658f842f43ea5

              SHA512

              fcc2cbd3a86dce152c94ba773999890cc1b8afd5182cc3a160e62f0c5b543fa289bc51ed7f49c93705b0a8a99d04ee183b29c9c921d4b695c89fdc0d4642f15a

              Download Submit

            • \??\c:\Windows\System32\CSCE449623D20804A59B4FD76FE48C952A.TMP
              Filesize

              1KB

              MD5

              2ddaf10e7350236c8cb4081912188ca2

              SHA1

              2a13673a51e96fef6374a4a6748157f19ebbdbfa

              SHA256

              c4d9cf358c5fef64c8dc24d46b1c43130b5177bdf381d5062e5fd093b3e7e64b

              SHA512

              2edbc7b83b15203e14520a77bbcc777e26d807f438288a10d5e9ea5dae002f00513d6b9c29ffe39b117c8319418087f6394da1949c0bfb3065b76e24260b0861

              Download Submit

            • memory/564-245-0x0000000000F30000-0x0000000000F38000-memory.dmp

              Filesize

              32KB

              Download

            • memory/632-76-0x0000000000EB0000-0x0000000000EE4000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1080-112-0x00000000005B0000-0x0000000000796000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/1080-121-0x00000000028B0000-0x00000000028BE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1080-123-0x00000000028C0000-0x00000000028CC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1080-116-0x00000000028D0000-0x00000000028EC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1080-117-0x000000001B330000-0x000000001B380000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1080-114-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1080-119-0x00000000028F0000-0x0000000002908000-memory.dmp

              Filesize

              96KB

              Download

            • memory/1392-14-0x00007FFB49E30000-0x00007FFB4A8F2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1392-13-0x00007FFB49E30000-0x00007FFB4A8F2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1392-12-0x000002A6FBD80000-0x000002A6FBDA2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1392-20-0x00007FFB49E30000-0x00007FFB4A8F2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1392-17-0x00007FFB49E30000-0x00007FFB4A8F2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1392-16-0x00007FFB49E30000-0x00007FFB4A8F2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1392-15-0x00007FFB49E30000-0x00007FFB4A8F2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3612-61-0x0000000003080000-0x000000000308C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3612-43-0x00007FFB49E33000-0x00007FFB49E35000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3612-60-0x00007FFB49E30000-0x00007FFB4A8F2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3612-0-0x00007FFB49E33000-0x00007FFB49E35000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3612-2-0x00007FFB49E30000-0x00007FFB4A8F2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3612-1-0x0000000000EA0000-0x0000000000EBA000-memory.dmp

              Filesize

              104KB

              Download