Analysis Overview
SHA256
581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590
Threat Level: Known bad
The file 581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590 was found to be: Known bad.
Malicious Activity Summary
Detects PlugX Payload
PlugX
Executes dropped EXE
Checks computer location settings
Unexpected DNS network traffic destination
Loads dropped DLL
Deletes itself
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-25 17:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 17:36
Reported
2022-06-25 17:41
Platform
win7-20220414-en
Max time kernel
152s
Max time network
149s
Command Line
Signatures
Detects PlugX Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe | N/A |
Loads dropped DLL
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 112.213.109.35 | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39004300320033003200440046003000460037004600300039003900440042000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
"C:\Users\Admin\AppData\Local\Temp\581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe"
C:\ProgramData\SxS\NvST.exe
"C:\ProgramData\SxS\NvST.exe" 100 1908
C:\ProgramData\SxS\NvST.exe
"C:\ProgramData\SxS\NvST.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 268
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:53 | udp | |
| US | 8.8.8.8:53 | kr.942m.com | udp |
| HK | 112.213.109.35:53 | kr.942m.com | tcp |
Files
memory/1964-54-0x00000000756E1000-0x00000000756E3000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
memory/1908-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
| MD5 | 3e2640a52a808af29c38e4f3acd602a8 |
| SHA1 | c6c216cac0872f30f6072966cc50d0df8e74892e |
| SHA256 | 0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c |
| SHA512 | 9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a |
\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
| MD5 | 3e2640a52a808af29c38e4f3acd602a8 |
| SHA1 | c6c216cac0872f30f6072966cc50d0df8e74892e |
| SHA256 | 0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c |
| SHA512 | 9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.xml
| MD5 | 5af8722a02124aa720907d3f3715d43f |
| SHA1 | 18dcff37f7b061ce2c121e47eef0ffc58527019b |
| SHA256 | ee7370500f1d172985f0be1059557a6d6b36525d9cc2dae456398c635315ce25 |
| SHA512 | cfbeccdcd59ed48f50b7b006fcdb73581c69163932e4f1240e7515ea6848813971bffa081af9cd03eb3828f2403d559e6e14a59bcae73f9252ed48a964f512af |
memory/1908-66-0x0000000000410000-0x0000000000510000-memory.dmp
memory/1908-67-0x0000000000280000-0x00000000002AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
C:\ProgramData\SxS\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
C:\ProgramData\SxS\NvSmartMax.dll
| MD5 | 3e2640a52a808af29c38e4f3acd602a8 |
| SHA1 | c6c216cac0872f30f6072966cc50d0df8e74892e |
| SHA256 | 0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c |
| SHA512 | 9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a |
\ProgramData\SxS\NvSmartMax.dll
| MD5 | 3e2640a52a808af29c38e4f3acd602a8 |
| SHA1 | c6c216cac0872f30f6072966cc50d0df8e74892e |
| SHA256 | 0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c |
| SHA512 | 9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a |
C:\ProgramData\SxS\NvST.xml
| MD5 | 5af8722a02124aa720907d3f3715d43f |
| SHA1 | 18dcff37f7b061ce2c121e47eef0ffc58527019b |
| SHA256 | ee7370500f1d172985f0be1059557a6d6b36525d9cc2dae456398c635315ce25 |
| SHA512 | cfbeccdcd59ed48f50b7b006fcdb73581c69163932e4f1240e7515ea6848813971bffa081af9cd03eb3828f2403d559e6e14a59bcae73f9252ed48a964f512af |
C:\ProgramData\SxS\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
\ProgramData\SxS\NvSmartMax.dll
| MD5 | 3e2640a52a808af29c38e4f3acd602a8 |
| SHA1 | c6c216cac0872f30f6072966cc50d0df8e74892e |
| SHA256 | 0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c |
| SHA512 | 9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a |
memory/268-77-0x0000000000130000-0x000000000014A000-memory.dmp
memory/268-79-0x0000000000000000-mapping.dmp
memory/1216-81-0x0000000000440000-0x000000000046C000-memory.dmp
memory/1552-82-0x00000000002A0000-0x00000000002CC000-memory.dmp
memory/268-83-0x0000000000270000-0x000000000029C000-memory.dmp
memory/1204-86-0x0000000000000000-mapping.dmp
memory/1204-88-0x00000000002E0000-0x000000000030C000-memory.dmp
memory/268-89-0x0000000000270000-0x000000000029C000-memory.dmp
memory/1204-90-0x00000000002E0000-0x000000000030C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 17:36
Reported
2022-06-25 17:42
Platform
win10v2004-20220414-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects PlugX Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 112.213.109.35 | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42003400430041003300320037004400390039003100410042003900420037000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\NvST.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
"C:\Users\Admin\AppData\Local\Temp\581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe"
C:\ProgramData\SxS\NvST.exe
"C:\ProgramData\SxS\NvST.exe" 100 2196
C:\ProgramData\SxS\NvST.exe
"C:\ProgramData\SxS\NvST.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 4280
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:53 | udp | |
| US | 8.8.8.8:53 | kr.942m.com | udp |
| HK | 112.213.109.35:53 | kr.942m.com | tcp |
| US | 8.248.21.254:80 | tcp | |
| US | 8.248.21.254:80 | tcp | |
| IE | 13.69.239.72:443 | tcp | |
| US | 8.248.21.254:80 | tcp | |
| US | 8.248.21.254:80 | tcp | |
| US | 8.248.21.254:80 | tcp | |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
Files
memory/2196-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
| MD5 | 3e2640a52a808af29c38e4f3acd602a8 |
| SHA1 | c6c216cac0872f30f6072966cc50d0df8e74892e |
| SHA256 | 0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c |
| SHA512 | 9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
| MD5 | 3e2640a52a808af29c38e4f3acd602a8 |
| SHA1 | c6c216cac0872f30f6072966cc50d0df8e74892e |
| SHA256 | 0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c |
| SHA512 | 9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.xml
| MD5 | 5af8722a02124aa720907d3f3715d43f |
| SHA1 | 18dcff37f7b061ce2c121e47eef0ffc58527019b |
| SHA256 | ee7370500f1d172985f0be1059557a6d6b36525d9cc2dae456398c635315ce25 |
| SHA512 | cfbeccdcd59ed48f50b7b006fcdb73581c69163932e4f1240e7515ea6848813971bffa081af9cd03eb3828f2403d559e6e14a59bcae73f9252ed48a964f512af |
memory/2196-136-0x0000000002150000-0x0000000002250000-memory.dmp
memory/2196-137-0x0000000001FA0000-0x0000000001FCC000-memory.dmp
C:\ProgramData\SxS\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
C:\ProgramData\SxS\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
C:\ProgramData\SxS\NvSmartMax.dll
| MD5 | 3e2640a52a808af29c38e4f3acd602a8 |
| SHA1 | c6c216cac0872f30f6072966cc50d0df8e74892e |
| SHA256 | 0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c |
| SHA512 | 9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a |
C:\ProgramData\SxS\NvSmartMax.dll
| MD5 | 3e2640a52a808af29c38e4f3acd602a8 |
| SHA1 | c6c216cac0872f30f6072966cc50d0df8e74892e |
| SHA256 | 0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c |
| SHA512 | 9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a |
C:\ProgramData\SxS\NvST.xml
| MD5 | 5af8722a02124aa720907d3f3715d43f |
| SHA1 | 18dcff37f7b061ce2c121e47eef0ffc58527019b |
| SHA256 | ee7370500f1d172985f0be1059557a6d6b36525d9cc2dae456398c635315ce25 |
| SHA512 | cfbeccdcd59ed48f50b7b006fcdb73581c69163932e4f1240e7515ea6848813971bffa081af9cd03eb3828f2403d559e6e14a59bcae73f9252ed48a964f512af |
C:\ProgramData\SxS\NvST.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
C:\ProgramData\SxS\NvSmartMax.dll
| MD5 | 3e2640a52a808af29c38e4f3acd602a8 |
| SHA1 | c6c216cac0872f30f6072966cc50d0df8e74892e |
| SHA256 | 0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c |
| SHA512 | 9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a |
memory/4280-145-0x0000000000000000-mapping.dmp
memory/4868-146-0x0000000000E30000-0x0000000000E5C000-memory.dmp
memory/3932-147-0x0000000002150000-0x000000000217C000-memory.dmp
memory/4280-148-0x0000000001330000-0x000000000135C000-memory.dmp
memory/1888-149-0x0000000000000000-mapping.dmp
memory/1888-150-0x0000000001310000-0x000000000133C000-memory.dmp
memory/4280-151-0x0000000001330000-0x000000000135C000-memory.dmp
memory/1888-152-0x0000000001310000-0x000000000133C000-memory.dmp