
Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    21/01/2025, 07:02

General

  • Target

    XClient.exe

  • Size

    33KB

  • MD5

    843daa234f9b31c8f22c433971b0b086

  • SHA1

    3c5f573f61e89c1a113fe907e5831e4be5dc5a4c

  • SHA256

    f965e1f1dcbf5efaa48c4e4d14691e6d378d9caec1352a85ee06d0ebfc43eca7

  • SHA512

    0da56ef71bebb09550cb666b6aa72d0f36e7aff12212da8fd523dd0450a211226d8106c136951d483813a76455b6ae12f711e6ea6513b3ff63c304b5d93fbfd0

  • SSDEEP

    384:nl+PkjD9+E5MFs7iui8L7zKM42pfL3iB7OxVqWqKRApkFXBLTsOZwpGN2v99Ikun:l+CD93W03v42JiB70lVF49jXOjhwbi

Malware Config

Extracted

Family

xworm

Version

5.0

C2

general-hebrew.gl.at.ply.gg:24614

Mutex

cBWzGpKKIzANTO2p

Attributes
  • install_file

    svchost.exe

aes.plain

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Detect Xworm Payload 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Drops startup file 2 IoCs
  • Executes dropped EXE 13 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 3 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    PID:688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1764
      • C:\Windows\system32\sc.exe
        "C:\Windows\system32\sc.exe" qc windefend
        3⤵
        • Launches sc.exe
        PID:3620
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        3⤵
        PID:1164
      • C:\Windows\system32\whoami.exe
        "C:\Windows\system32\whoami.exe" /groups
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4108
      • C:\Windows\system32\net1.exe
        "C:\Windows\system32\net1.exe" stop windefend
        3⤵
        PID:4152
      • C:\Windows\system32\sc.exe
        "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
        3⤵
        • Launches sc.exe
        PID:2432
  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Local\Temp\XYR269UW2X56RGZ.exe
      "C:\Users\Admin\AppData\Local\Temp\XYR269UW2X56RGZ.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XYR269UW2X56RGZ" /tr "C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1012
    • C:\Users\Admin\AppData\Local\Temp\LRZDBCUY9IYTYZA.exe
      "C:\Users\Admin\AppData\Local\Temp\LRZDBCUY9IYTYZA.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:892
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4268
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:644
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0zgyju0l\0zgyju0l.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4708
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E2D.tmp" "c:\Users\Admin\AppData\Roaming\CSCF795A17B2C2B41F3B1AD1B76ECBE216.TMP"
                7⤵
                PID:1892
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lly4cse5\lly4cse5.cmdline"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:3284
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EC9.tmp" "c:\Windows\System32\CSCA3B127F226C34C09975C583660B9125C.TMP"
                7⤵
                PID:4760
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2420
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1736
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2144
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1204
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1616
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2072
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w5I23rwOVM.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2036
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                PID:4588
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:4916
              • C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
                "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:4396
    • C:\Users\Admin\AppData\Local\Temp\AJLF0KZUL5VL5NH.exe
      "C:\Users\Admin\AppData\Local\Temp\AJLF0KZUL5VL5NH.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5076
    • C:\Users\Admin\AppData\Local\Temp\TOBT66RBMHPKUAF.exe
      "C:\Users\Admin\AppData\Local\Temp\TOBT66RBMHPKUAF.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1376
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4088
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" qc windefend
      2⤵
      • Launches sc.exe
      PID:4588
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
      2⤵
      PID:1896
    • C:\Windows\system32\whoami.exe
      "C:\Windows\system32\whoami.exe" /groups
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Windows\system32\net1.exe
      "C:\Windows\system32\net1.exe" start TrustedInstaller
      2⤵
      PID:4400
    • C:\Windows\system32\net1.exe
      "C:\Windows\system32\net1.exe" start lsass
      2⤵
      PID:2392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2408
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "XClient" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 8 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 14 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4388
  • C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
    C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:328
    • C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe
      "C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4136
    • C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe
      "C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2060
  • C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
    C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
    1⤵
    • Executes dropped EXE
    PID:1636
    • C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe
      "C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4768
    • C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe
      "C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1136

Network

MITRE ATT&CK Enterprise v15
Downloads

                      • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe

                        Filesize

                        220B

                        MD5

                        47085bdd4e3087465355c9bb9bbc6005

                        SHA1

                        bf0c5b11c20beca45cc9d4298f2a11a16c793a61

                        SHA256

                        80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

                        SHA512

                        e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

                      • C:\HypercomponentCommon\cemEzm0xYx1.bat

                        Filesize

                        105B

                        MD5

                        5ee2935a1949f69f67601f7375b3e8a3

                        SHA1

                        6a3229f18db384e57435bd3308298da56aa8c404

                        SHA256

                        c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

                        SHA512

                        9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

                      • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe

                        Filesize

                        1.9MB

                        MD5

                        7be5cea1c84ad0b2a6d2e5b6292c8d80

                        SHA1

                        631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

                        SHA256

                        6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

                        SHA512

                        ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XYR269UW2X56RGZ.exe.exe.log

                        Filesize

                        654B

                        MD5

                        2cbbb74b7da1f720b48ed31085cbd5b8

                        SHA1

                        79caa9a3ea8abe1b9c4326c3633da64a5f724964

                        SHA256

                        e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

                        SHA512

                        ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XYR269UW2X56RGZ.exe.log

                        Filesize

                        226B

                        MD5

                        4ae344179932dc8e2c6fe2079f9753ef

                        SHA1

                        60eacc624412b1f34809780769e3b212f138ea9c

                        SHA256

                        3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4

                        SHA512

                        fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

                        Filesize

                        847B

                        MD5

                        2940b232afa412901f8ae5651c790f93

                        SHA1

                        f79bd5d1433c803515e2d9a016396344187beea2

                        SHA256

                        16f4a7736a0c2aee54256d3d75ce4c0816fabf130b3b92340deca34c5f5fda43

                        SHA512

                        553d5491c9bc358c7ce8a95caa445e882ab4bf744a2f5be1b2131c20f27321f65121389fd076558ba415f322fdad6ed36a05902e5c55cbbeace371182890af27

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperSurrogateagentCrt.exe.log

                        Filesize

                        1KB

                        MD5

                        1126a1de0a15000f1687b171641ffea6

                        SHA1

                        dcc99b2446d05b8f0f970e3e9105198a20ca9e78

                        SHA256

                        b886b6c74da838e87b2cbc539ee657a2817d126b55c0cbd6d1ab91480261bcc7

                        SHA512

                        6cfb73ea43899ffa3cecd354cd76b0a1a67f57d9054c3e31cff43424491ed3bceae5aecd0f5c414ba92aab539eb7d55af3d40eedde80c9af8d34649bb1f8d4b4

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                        Filesize

                        2KB

                        MD5

                        627073ee3ca9676911bee35548eff2b8

                        SHA1

                        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                        SHA256

                        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                        SHA512

                        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d0a4a3b9a52b8fe3b019f6cd0ef3dad6
  SHA1: fed70ce7834c3b97edbd078eccda1e5effa527cd
  SHA256: 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
  SHA512: 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: aa4f31835d07347297d35862c9045f4a
  SHA1: 83e728008935d30f98e5480fba4fbccf10cefb05
  SHA256: 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
  SHA512: ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 05b3cd21c1ec02f04caba773186ee8d0
  SHA1: 39e790bfe10abf55b74dfb3603df8fcf6b5e6edb
  SHA256: 911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
  SHA512: e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

• C:\Users\Admin\AppData\Local\Temp\LRZDBCUY9IYTYZA.exe
  Filesize: 2.2MB
  MD5: 05d87a4a162784fd5256f4118aff32af
  SHA1: 484ed03930ed6a60866b6f909b37ef0d852dbefd
  SHA256: 7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950
  SHA512: 3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

• C:\Users\Admin\AppData\Local\Temp\RES3E2D.tmp
  Filesize: 1KB
  MD5: 966c3c4130576f866b7dda5389008bba
  SHA1: a03b77bbb0d216e80a7e5d9594952769ba1536df
  SHA256: 237c801cedd0bee5dfa978ba3f672a11745caad48bff317968e721073b46678d
  SHA512: b21679d3eb3c3d49e07999ba1eac11d8c4c41c1bb71a0db62bf27818c48573f361c8e442cda10ac927a343019d7d0b9210dee565e4728723e948e534ffe0a64f

• C:\Users\Admin\AppData\Local\Temp\RES3EC9.tmp
  Filesize: 1KB
  MD5: f84b95dedf30aa9cb2c09b97cd74ebc3
  SHA1: 54ddbff0c173cb3d7dc83da35b6fa2fa651ec191
  SHA256: a5180d0d61b692430b18668f7d0e93b245faa3042211eef4cbcf015cd9e35773
  SHA512: 3dd4d0c565b14c85789f4fda17d01d6acc8f6cb368f8be79046c2f93f1deffeed3889ef96f22442f75e4bceae44037f75c1ffbfde129af3ef71312b4d8d2ea81

• C:\Users\Admin\AppData\Local\Temp\XYR269UW2X56RGZ.exe
  Filesize: 185KB
  MD5: e0c8976957ffdc4fe5555adbe8cb0d0c
  SHA1: 226a764bacfa17b92131993aa85fe63f1dbf347c
  SHA256: b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4
  SHA512: 3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3eibmzg.i1e.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\w5I23rwOVM.bat
  Filesize: 242B
  MD5: 51aec62800cff2d4e9e46f61a7b7fa5e
  SHA1: 07c58b2368ac4b3778c8e1cd2278dc0329b969a8
  SHA256: a682bb7e16b003a17835b35dcc158cf0d6ffd23fcd48d113a53ee615f4935a5f
  SHA512: 9044f8533adf481ad3b8b2c0ec64bc82dca056e1f7dd3b57e4ed8a512c2769ba07843f011dba4d0be441438578368fd67926e2b429fbcf1f9833f55b65dbd2ea

• C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
  Filesize: 4KB
  MD5: 7caba83aa0ef3e8f737463976122f611
  SHA1: e536b19809aaa465567236a0a087956df70b7de4
  SHA256: 6c71c2773fadc1ab065e8a8d7d9f7ce22f4609aaf56cdc9093933827fd5241e5
  SHA512: b4823bbdeb09f063b7e43f254bc4f8c493679d014a97b5d32f9526380c8325b75a86f1bdb430d8e195a776c76cda9b8edee068952d7facf7d376dd6b3beb57dd

• \??\c:\Users\Admin\AppData\Local\Temp\0zgyju0l\0zgyju0l.0.cs
  Filesize: 410B
  MD5: 37f5a9a57874bad23c138af94db88d83
  SHA1: 068393b859ecac7149964811151e65de8197ea09
  SHA256: a8dfeea710d60fc171b6f10d04daeeafa6ccefa350d5e6c742b5956d7a2d9045
  SHA512: 6dc279942f05b9a2d09fa12b22c9e8b311b2a7fed07195896af4750a186111ab6085a8fe80bda4c512c37b21c6302bdaafd562458b004f75eb6b921944832721

• \??\c:\Users\Admin\AppData\Local\Temp\0zgyju0l\0zgyju0l.cmdline
  Filesize: 255B
  MD5: 6800d1d4666bb507385da4f61d24e45f
  SHA1: b7b3b4aee28a397d9b880b6e66396d0f6b699f30
  SHA256: 8e5a092385cb01337ac1607b5765d9ccbb0ee9169f8bd8f63cdc4439f98c22c2
  SHA512: 8fad52d1c1f97c248496f27b3aae5081963a432b6464a9d6ea52b6ab6991738291e06fdb454b9d7f8d70d2b01e80c497e554aecc3645c131c847909c9e402165

• \??\c:\Users\Admin\AppData\Local\Temp\lly4cse5\lly4cse5.0.cs
  Filesize: 390B
  MD5: 1320a555a60d66f718f658ceb7165b5d
  SHA1: d11a1bd46b0a73830a38129a95f5c5d6595d4613
  SHA256: 565a161d30e7eec2b69d5e96cf82ed289b7917077ceb473baf4311f62f5feb59
  SHA512: 0f440af6ba8b7d57c035a0050236f99b648c331c5d35f35624ac91676bc575e8b2c5379d04d78f0083e04c48b4202985884e0412d74cdb276445b72539948b65

• \??\c:\Users\Admin\AppData\Local\Temp\lly4cse5\lly4cse5.cmdline
  Filesize: 235B
  MD5: 87d2c478967a60821c35447f5a9c72d3
  SHA1: 2433b2facfe2154175a0a884a1b10a7890f6517d
  SHA256: e439b0352ed015c12b66eaf143ca6a90ffa4fb77ee34ecb1f05d6347ba2bab9b
  SHA512: 0b6b04727a0d3fb448db4683a2d484b49a5c3abf013fcd4b73087558a4248233bf4470784c3d60b18e06fddcab6aa1b2aa470e6fd46ec5f0d1017ce9a335db29

• \??\c:\Users\Admin\AppData\Roaming\CSCF795A17B2C2B41F3B1AD1B76ECBE216.TMP
  Filesize: 1KB
  MD5: dfca71d425836f13c24edf5df990b85f
  SHA1: 02ca2fdb1821421d9730d252ad4502e65de681b2
  SHA256: 5f61a298aa04433130705593559fcf56e71df59cac700fc6217badbd1efe239d
  SHA512: c5e87166303f0a48f38b1715caee2fb2d54522210e7f64e08a346a73910b66cb947a9ccbc355939d6a626d017ce408628c5d717436129e0fea1f1c5f2a0b1318

• \??\c:\Windows\System32\CSCA3B127F226C34C09975C583660B9125C.TMP
  Filesize: 1KB
  MD5: 5312a26d06282ef9ae358ed7609d9bb5
  SHA1: 0ba9ce38a2b4bf3de2b3d6f589488caf95e24b55
  SHA256: c50e76bfb6328f826406d6ee365f7eb2936eb2be622d2dd08b144e1fce606246
  SHA512: 4d3724e6bca4ff31c21d321567f684856ea35133a23de706b1c7f62d40642509d871fc3745739e798b003f832fa7bdc3de11f03da6c88e3507def0fd0047e525

• memory/328-199-0x0000000000FB0000-0x0000000000FB8000-memory.dmp
  Filesize: 32KB

• memory/644-59-0x0000000000E00000-0x0000000000FE6000-memory.dmp
  Filesize: 1.9MB

• memory/644-68-0x000000001CA60000-0x000000001CA78000-memory.dmp
  Filesize: 96KB

• memory/644-65-0x000000001CA40000-0x000000001CA5C000-memory.dmp
  Filesize: 112KB

• memory/644-72-0x000000001BB70000-0x000000001BB7C000-memory.dmp
  Filesize: 48KB

• memory/644-70-0x0000000003080000-0x000000000308E000-memory.dmp
  Filesize: 56KB

• memory/644-63-0x0000000003020000-0x000000000302E000-memory.dmp
  Filesize: 56KB

• memory/644-66-0x000000001CAB0000-0x000000001CB00000-memory.dmp
  Filesize: 320KB

• memory/1072-110-0x000000001F300000-0x000000001F828000-memory.dmp
  Filesize: 5.2MB

• memory/1072-205-0x000000001BBE0000-0x000000001BBE8000-memory.dmp
  Filesize: 32KB

• memory/1072-1-0x0000000000580000-0x000000000058E000-memory.dmp
  Filesize: 56KB

• memory/1072-2-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp
  Filesize: 10.8MB

• memory/1072-3-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp
  Filesize: 10.8MB

• memory/1072-207-0x000000001BBF0000-0x000000001BBFE000-memory.dmp
  Filesize: 56KB

• memory/1072-0-0x00007FF9D6B73000-0x00007FF9D6B75000-memory.dmp
  Filesize: 8KB

• memory/1072-4-0x0000000002810000-0x000000000281C000-memory.dmp
  Filesize: 48KB

• memory/1072-87-0x000000001C0F0000-0x000000001C1A0000-memory.dmp
  Filesize: 704KB

• memory/2144-124-0x0000024FEA3D0000-0x0000024FEA3F2000-memory.dmp
  Filesize: 136KB

• memory/4356-61-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp
  Filesize: 10.8MB

• memory/4356-17-0x0000000000240000-0x0000000000274000-memory.dmp
  Filesize: 208KB

• memory/4356-16-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp
  Filesize: 10.8MB

• memory/4356-26-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp
  Filesize: 10.8MB

• memory/4356-27-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp
  Filesize: 10.8MB
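Reading a listing like this by hand does not scale, and several of its rows are PowerShell and compiler housekeeping rather than payloads: the StartupProfileData-NonInteractive cache files, the __PSScriptPolicyTest_*.ps1 probe that PowerShell writes at startup, and the *.cs, *.cmdline, RES*.tmp and CSC*.TMP files that csc.exe and its helpers leave behind when an Add-Type snippet is compiled. Two rows also show why a hunt must key on content rather than name: the XYR269UW2X56RGZ.exe in Temp (185KB) and the one in Roaming (4KB) share a filename but not a single hash. The memory/ rows are dump regions, not files on disk; the identical 10.8MB range at 0x7FF9D6B70000 in PIDs 1072 and 4356 is almost certainly one shared module seen from several processes, not several payloads. The Python below is an added example, not part of the tria.ge report or its tooling. It parses the listing into records (accepting both the raw label-then-value layout the extraction produced and the compact "Label: value" layout), rejects truncated digests, indexes every digest so a lookup works from whichever hash a telemetry source records, computes the byte count implied by a memory region's address range, and walks a directory matching file content against the index. The embedded sample is constructed from entries copied off this page; the 1024-based size units, the record layout and all function names are this example's own assumptions.

```python
"""Added example: parse a flattened tria.ge file listing into IOC records and match content against it."""
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*:?\s*(\S*)$")
MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumption: 1024-based units
# Constructed sample: three entries copied from this page's listing, the first in the
# raw extraction layout (label, then value on the next line), the rest as "Label: value".
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\XYR269UW2X56RGZ.exe
  Filesize
  185KB
  SHA256
  b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4
• C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
  Filesize: 4KB
  MD5: 7caba83aa0ef3e8f737463976122f611
  SHA256: 6c71c2773fadc1ab065e8a8d7d9f7ce22f4609aaf56cdc9093933827fd5241e5
• memory/328-199-0x0000000000FB0000-0x0000000000FB8000-memory.dmp
  Filesize: 32KB
"""

@dataclass
class Artifact:
    path: str
    size_text: str = ""
    hashes: Dict[str, str] = field(default_factory=dict)  # label -> lowercase hex digest

    def region_size(self) -> Optional[int]:
        """For memory/PID-N-start-end-memory.dmp entries, the byte count implied by the
        address range (a check on the rounded Filesize); None for dropped files."""
        m = MEMORY_RE.match(self.path)
        return (int(m.group(4), 16) - int(m.group(3), 16)) if m else None

def size_to_bytes(text: str) -> int:
    # '944B' -> 944, '32KB' -> 32768. tria.ge rounds to one decimal ('1.9MB'), so
    # compare against region_size() with tolerance, not for equality.
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])

def _assign(a: Artifact, label: str, value: str) -> None:
    if label == "Filesize":
        a.size_text = value
        return
    # Length/charset check catches the usual copy-paste failure: a truncated digest.
    if len(value) != HASH_HEX_LEN[label] or not re.fullmatch(r"[0-9a-fA-F]+", value):
        raise ValueError(f"{a.path}: malformed {label} {value!r}")
    a.hashes[label] = value.lower()

def parse_listing(text: str) -> List[Artifact]:
    artifacts: List[Artifact] = []
    pending: Optional[str] = None  # label seen on its own line; value is on the next one
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            artifacts.append(Artifact(path=line.lstrip("• ").strip()))
            pending = None
        elif artifacts and (m := LABEL_RE.match(line)):
            if m.group(2):
                _assign(artifacts[-1], m.group(1), m.group(2))
            else:
                pending = m.group(1)
        elif artifacts and pending:
            _assign(artifacts[-1], pending, line)
            pending = None
    return artifacts

def digests(data: bytes) -> Dict[str, str]:
    return {n: getattr(hashlib, n.lower())(data).hexdigest() for n in HASH_HEX_LEN}

def index_by_hash(artifacts: List[Artifact]) -> Dict[str, Artifact]:
    # Every digest of every algorithm maps to its artifact.
    return {h: a for a in artifacts for h in a.hashes.values()}

def match_bytes(data: bytes, index: Dict[str, Artifact]) -> Optional[Artifact]:
    return next((index[h] for h in digests(data).values() if h in index), None)

def scan_directory(root: str, index: Dict[str, Artifact]):
    """Yield (local_path, artifact) for files under root whose content hash is indexed.
    Match on content, never on name: the listing has two XYR269UW2X56RGZ.exe files."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                with open(p, "rb") as fh:
                    hit = match_bytes(fh.read(), index)
            except OSError:
                continue
            if hit is not None:
                yield p, hit

if __name__ == "__main__":
    print(*parse_listing(SAMPLE), sep="\n")
```

To use it on a collected triage directory or a mounted image, feed the full listing (the whole section above, not just the sample) to parse_listing, build the index with index_by_hash, and iterate scan_directory over the root; memory/ entries never match on disk and are kept only so that region_size can be compared against the rounded Filesize of a dump.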