Analysis

  • max time kernel: 149s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-01-2025 14:15

General

  • Target: Dettex.exe
  • Size: 90KB
  • MD5: 1c2a253948135b876e3fe148f45040f1
  • SHA1: c546d4e05316819469003b332b4bd2a9c4e5f5fd
  • SHA256: 264cfa973e4a1b05c208728074dc9b072c180502494644d324086ba66f791c7c
  • SHA512: b8e2887c5a7562a001ed013aee2f747aae3e916c85810aff2e857272f75be6c06fd8774a4c2d3676a6fe60dce57f4f9f223092f69036dde4378b71ed9fae7b7f
  • SSDEEP: 1536:4xnmcCQLrqkUScY177xIO0bOU5pXZX8b60/S/OPEp9QcmzhRaA5am:MmWn9Uy76ZbHp8/2O49IFRN5am

Malware Config

Extracted

  • Family: xworm
  • C2: 127.0.0.1:22100, wide-casting.gl.at.ply.gg:22100
  • Attributes
    • Install_directory: %AppData%
    • install_file: Dettex.exe

Extracted

  • Family: xworm
  • Version: 3.0
  • C2: plus-loves.gl.at.ply.gg:59327
  • Attributes
    • Install_directory: %AppData%
    • install_file: USB.exe

Signatures

  • DcRat
    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
  • Dcrat family
  • Detect Xworm Payload (4 IoCs)
  • Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
  • Process spawned unexpected child process (18 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
  • Xworm
    Xworm is a remote access trojan written in C#.
  • Xworm family
  • Command and Scripting Interpreter: PowerShell (1 TTP, 10 IoCs)
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 5 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Drops startup file (4 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 14 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (6 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
    Adversaries may check for Internet connectivity on compromised systems.
  • Modifies registry class (2 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 19 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (16 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (55 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dettex.exe
    "C:\Users\Admin\AppData\Local\Temp\Dettex.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Dettex.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Dettex.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Dettex.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Dettex.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1072
    • C:\Users\Admin\AppData\Local\Temp\7YKAJA73PRGYGDV.exe
      "C:\Users\Admin\AppData\Local\Temp\7YKAJA73PRGYGDV.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7YKAJA73PRGYGDV" /tr "C:\Users\Admin\AppData\Roaming\7YKAJA73PRGYGDV.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5016
    • C:\Users\Admin\AppData\Local\Temp\K3BPTX7F9I4SRBP.exe
      "C:\Users\Admin\AppData\Local\Temp\K3BPTX7F9I4SRBP.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3328
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3760
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yacmz5g5\yacmz5g5.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4364
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D30.tmp" "c:\Users\Admin\AppData\Roaming\CSC169F0A4E35D4B6EA4A0BDBBACC01A60.TMP"
                7⤵
                  PID:5040
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pepqlokk\pepqlokk.cmdline"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1012
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DAD.tmp" "c:\Users\Admin\AppData\Roaming\CSC506CE99C2E784FDEB416D510297B297D.TMP"
                  7⤵
                    PID:4432
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y5pkhdqj\y5pkhdqj.cmdline"
                  6⤵
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:4928
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E1B.tmp" "c:\Windows\System32\CSCE96BFC24776543BA87D0A0FF7542D0CD.TMP"
                    7⤵
                      PID:2844
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3568
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\SppExtComObj.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4140
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\lsass.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:228
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3292
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\hyperSurrogateagentCrt.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2708
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3504
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p3khZ6T8xi.bat"
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3800
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      7⤵
                        PID:2152
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        7⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1740
                      • C:\Program Files\Windows Media Player\ja-JP\hyperSurrogateagentCrt.exe
                        "C:\Program Files\Windows Media Player\ja-JP\hyperSurrogateagentCrt.exe"
                        7⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3096
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:436
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:736
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\Sorting\SppExtComObj.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5024
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2204
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\Sorting\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3468
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\HypercomponentCommon\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4336
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\HypercomponentCommon\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3096
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\HypercomponentCommon\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1896
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:816
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3080
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3172
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\ja-JP\hyperSurrogateagentCrt.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2440
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1708
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\ja-JP\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2004
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 5 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1792
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2444
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 9 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1844

Network

MITRE ATT&CK Enterprise v15

Downloads
