Analysis Overview
SHA256
9422644a39273f689b2bcfa94551a4bc4815ed9c2efc4871367449051fc7f3a5
Threat Level: Known bad
The file Nexus Release V1.3.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
xmrig
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Stops running service(s)
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-10 18:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 18:06
Reported
2024-06-10 18:07
Platform
win11-20240426-en
Max time kernel
52s
Max time network
51s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk | C:\Users\Admin\dllhost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk | C:\Users\Admin\dllhost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\nexus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\nexus.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\nexus.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cnlnqv.exe | N/A |
| N/A | N/A | C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" | C:\Users\Admin\dllhost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3848 set thread context of 5080 | N/A | C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe | C:\Windows\system32\conhost.exe |
| PID 3848 set thread context of 3132 | N/A | C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe | C:\Windows\system32\svchost.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\nexus.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\nexus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\nexus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\nexus.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nexus Release V1.3.exe
"C:\Users\Admin\AppData\Local\Temp\Nexus Release V1.3.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHMAdwBlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBuAGUAeAB1AHMAbABvAGEAZABlAHIAOgAgAFIAdQBuACAAQQBzACAAQQBkAG0AaQBuACAASQBmACAASQBuAGoAZQBjAHQAaQBvAG4AIABGAGEAaQBsAHMAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHkAdABwACMAPgA="
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAYgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAeABiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbQBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYgBqACMAPgA="
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\dllhost.exe
"C:\Users\Admin\dllhost.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\nexus.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
C:\Users\Admin\AppData\Local\Temp\cnlnqv.exe
"C:\Users\Admin\AppData\Local\Temp\cnlnqv.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "HDNFMUHS"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "HDNFMUHS"
C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM firefox.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM opera.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM iexplore.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM brave.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM vivaldi.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.21.9.180:443 | u.cubeupload.com | tcp |
| NL | 91.92.241.69:5555 | tcp | |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| NL | 91.92.241.69:6060 | 91.92.241.69 | tcp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 172.67.204.206:443 | freeimage.host | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| NL | 91.92.241.69:6060 | 91.92.241.69 | tcp |
| N/A | 127.0.0.1:51020 | tcp |
Files
memory/1440-0-0x0000000072F7E000-0x0000000072F7F000-memory.dmp
memory/1440-1-0x00000000025A0000-0x00000000025D6000-memory.dmp
memory/3676-2-0x0000000072F70000-0x0000000073721000-memory.dmp
memory/3676-4-0x0000000005260000-0x000000000588A000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 3e6c1096a23926c810b813adfbc333d2 |
| SHA1 | 3d40f0d09f0e6c1baf1afaa089ea43f40193e77e |
| SHA256 | 2b8d89fecfcbf467962b4f0cdf456482eab5b0eb7c51e015e86119cf61afe51c |
| SHA512 | b8d31b44d22bb37638f878fb52ee9d984dc47f82a31ddc278915170a687bba68c7d4998154ff34a4feb3c2fc3bff8ec2d5cb9927039a8fba980d3413b8028240 |
memory/3676-7-0x0000000072F70000-0x0000000073721000-memory.dmp
memory/3676-10-0x0000000072F70000-0x0000000073721000-memory.dmp
memory/1440-11-0x0000000072F70000-0x0000000073721000-memory.dmp
memory/3676-43-0x0000000005180000-0x00000000051E6000-memory.dmp
C:\Users\Admin\dllhost.exe
| MD5 | cc7686bf7c7d81f59196d5cc3cab3348 |
| SHA1 | ac39079f223f87d404c421c48239f913b12f00a8 |
| SHA256 | 49c175257966f191a2abce16d8533d359fc27ecf6512da870a9c59937914d5f7 |
| SHA512 | 940cfb37c1f5e5dbd86cc14d5a0a85dfaf889754051d4fc0d0afbe7bedceaec91b5f36b873b5e24cd081432db1b7d61df72a198681b9ab8e3a9b57197cfb58ae |
memory/3676-41-0x0000000005090000-0x00000000050F6000-memory.dmp
memory/3676-12-0x0000000004F70000-0x0000000004F92000-memory.dmp
memory/3676-46-0x0000000005990000-0x0000000005CE7000-memory.dmp
memory/3872-47-0x0000000000B20000-0x0000000000B38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdkmjodk.nyb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3676-93-0x0000000005E30000-0x0000000005E7C000-memory.dmp
memory/3676-91-0x0000000005E10000-0x0000000005E2E000-memory.dmp
memory/3676-624-0x0000000007440000-0x0000000007ABA000-memory.dmp
memory/3676-674-0x0000000006330000-0x000000000634A000-memory.dmp
memory/3676-979-0x0000000008070000-0x0000000008616000-memory.dmp
memory/1440-1044-0x0000000074C20000-0x0000000074C6C000-memory.dmp
memory/1440-1055-0x0000000006C40000-0x0000000006CE4000-memory.dmp
memory/3676-1066-0x0000000007020000-0x00000000070B2000-memory.dmp
memory/1440-1054-0x0000000006C10000-0x0000000006C2E000-memory.dmp
memory/1440-1043-0x0000000006020000-0x0000000006054000-memory.dmp
memory/1440-1106-0x0000000006E30000-0x0000000006E3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\nexus.exe
| MD5 | 67a0b0ec2ec3bbca08a8e5ab340ee55f |
| SHA1 | c1a5705876eeb0cb37791391828a3db104b5454a |
| SHA256 | 994ebcf28a2fd62b3d807d393f959c26ff0286da91b11be9f517ebb9f43b8c08 |
| SHA512 | aaccadb3351c67f59904d19f7705cd01559bb418ee092c9ba8d0cf75dbb079e1e0d5ca8e1a7f16b8fadc97b32d21d96b3112aea019c7a9e74015f2cad5cb4f3a |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\python310.dll
| MD5 | 384349987b60775d6fc3a6d202c3e1bd |
| SHA1 | 701cb80c55f859ad4a31c53aa744a00d61e467e5 |
| SHA256 | f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8 |
| SHA512 | 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5 |
memory/1440-1109-0x0000000007030000-0x00000000070C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\VCRUNTIME140.dll
| MD5 | 11d9ac94e8cb17bd23dea89f8e757f18 |
| SHA1 | d4fb80a512486821ad320c4fd67abcae63005158 |
| SHA256 | e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e |
| SHA512 | aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778 |
memory/1440-1116-0x0000000006FC0000-0x0000000006FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\_lzma.pyd
| MD5 | 5a77a1e70e054431236adb9e46f40582 |
| SHA1 | be4a8d1618d3ad11cfdb6a366625b37c27f4611a |
| SHA256 | f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e |
| SHA512 | 3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635 |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\_socket.pyd
| MD5 | 5dd51579fa9b6a06336854889562bec0 |
| SHA1 | 99c0ed0a15ed450279b01d95b75c162628c9be1d |
| SHA256 | 3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c |
| SHA512 | 7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | b45e82a398713163216984f2feba88f6 |
| SHA1 | eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839 |
| SHA256 | 4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8 |
| SHA512 | b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd
| MD5 | 11c5008e0ba2caa8adf7452f0aaafd1e |
| SHA1 | 764b33b749e3da9e716b8a853b63b2f7711fcc7c |
| SHA256 | bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14 |
| SHA512 | fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | 78d421a4e6b06b5561c45b9a5c6f86b1 |
| SHA1 | c70747d3f2d26a92a0fe0b353f1d1d01693929ac |
| SHA256 | f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823 |
| SHA512 | 83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012 |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\_queue.pyd
| MD5 | c9ee37e9f3bffd296ade10a27c7e5b50 |
| SHA1 | b7eee121b2918b6c0997d4889cff13025af4f676 |
| SHA256 | 9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a |
| SHA512 | c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd
| MD5 | a40ff441b1b612b3b9f30f28fa3c680d |
| SHA1 | 42a309992bdbb68004e2b6b60b450e964276a8fc |
| SHA256 | 9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08 |
| SHA512 | 5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\_cffi_backend.pyd
| MD5 | ebb660902937073ec9695ce08900b13d |
| SHA1 | 881537acead160e63fe6ba8f2316a2fbbb5cb311 |
| SHA256 | 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd |
| SHA512 | 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24 |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\charset_normalizer\md__mypyc.pyd
| MD5 | 494f5b9adc1cfb7fdb919c9b1af346e1 |
| SHA1 | 4a5fddd47812d19948585390f76d5435c4220e6b |
| SHA256 | ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051 |
| SHA512 | 2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd
| MD5 | f33ca57d413e6b5313272fa54dbc8baa |
| SHA1 | 4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44 |
| SHA256 | 9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664 |
| SHA512 | f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
| MD5 | cfb9e0a73a6c9d6d35c2594e52e15234 |
| SHA1 | b86042c96f2ce6d8a239b7d426f298a23df8b3b9 |
| SHA256 | 50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6 |
| SHA512 | 22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2 |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\libssl-1_1.dll
| MD5 | bd857f444ebbf147a8fcd1215efe79fc |
| SHA1 | 1550e0d241c27f41c63f197b1bd669591a20c15b |
| SHA256 | b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf |
| SHA512 | 2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\libcrypto-1_1.dll
| MD5 | 63c4f445b6998e63a1414f5765c18217 |
| SHA1 | 8c1ac1b4290b122e62f706f7434517077974f40e |
| SHA256 | 664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2 |
| SHA512 | aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd |
memory/1440-1142-0x0000000006FF0000-0x0000000006FFE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Cipher\_raw_ctr.pyd
| MD5 | c6b20332b4814799e643badffd8df2cd |
| SHA1 | e7da1c1f09f6ec9a84af0ab0616afea55a58e984 |
| SHA256 | 61c7a532e108f67874ef2e17244358df19158f6142680f5b21032ba4889ac5d8 |
| SHA512 | d50c7f67d2dfb268ad4cf18e16159604b6e8a50ea4f0c9137e26619fd7835faad323b5f6a2b8e3ec1c023e0678bcbe5d0f867cd711c5cd405bd207212228b2b4 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Hash\_BLAKE2s.pyd
| MD5 | 9d28433ea8ffbfe0c2870feda025f519 |
| SHA1 | 4cc5cf74114d67934d346bb39ca76f01f7acc3e2 |
| SHA256 | fc296145ae46a11c472f99c5be317e77c840c2430fbb955ce3f913408a046284 |
| SHA512 | 66b4d00100d4143ea72a3f603fb193afa6fd4efb5a74d0d17a206b5ef825e4cc5af175f5fb5c40c022bde676ba7a83087cb95c9f57e701ca4e7f0a2fce76e599 |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Hash\_SHA256.pyd
| MD5 | a442ea85e6f9627501d947be3c48a9dd |
| SHA1 | d2dec6e1be3b221e8d4910546ad84fe7c88a524d |
| SHA256 | 3dbcb4d0070be355e0406e6b6c3e4ce58647f06e8650e1ab056e1d538b52b3d3 |
| SHA512 | 850a00c7069ffdba1efe1324405da747d7bd3ba5d4e724d08a2450b5a5f15a69a0d3eaf67cef943f624d52a4e2159a9f7bdaeafdc6c689eacea9987414250f3b |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Cipher\_Salsa20.pyd
| MD5 | 371776a7e26baeb3f75c93a8364c9ae0 |
| SHA1 | bf60b2177171ba1c6b4351e6178529d4b082bda9 |
| SHA256 | 15257e96d1ca8480b8cb98f4c79b6e365fe38a1ba9638fc8c9ab7ffea79c4762 |
| SHA512 | c23548fbcd1713c4d8348917ff2ab623c404fb0e9566ab93d147c62e06f51e63bdaa347f2d203fe4f046ce49943b38e3e9fa1433f6455c97379f2bc641ae7ce9 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Util\_cpuid_c.pyd
| MD5 | 4d9c33ae53b38a9494b6fbfa3491149e |
| SHA1 | 1a069e277b7e90a3ab0dcdee1fe244632c9c3be4 |
| SHA256 | 0828cad4d742d97888d3dfce59e82369317847651bba0f166023cb8aca790b2b |
| SHA512 | bdfbf29198a0c7ed69204bf9e9b6174ebb9e3bee297dd1eb8eb9ea6d7caf1cc5e076f7b44893e58ccf3d0958f5e3bdee12bd090714beb5889836ee6f12f0f49e |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Cipher\_raw_ocb.pyd
| MD5 | d48bffa1af800f6969cfb356d3f75aa6 |
| SHA1 | 2a0d8968d74ebc879a17045efe86c7fb5c54aee6 |
| SHA256 | 4aa5e9ce7a76b301766d3ecbb06d2e42c2f09d0743605a91bf83069fefe3a4de |
| SHA512 | 30d14ad8c68b043cc49eafb460b69e83a15900cb68b4e0cbb379ff5ba260194965ef300eb715308e7211a743ff07fa7f8779e174368dcaa7f704e43068cc4858 |
memory/1440-1172-0x0000000007000000-0x0000000007015000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Hash\_ghash_clmul.pyd
| MD5 | c89becc2becd40934fe78fcc0d74d941 |
| SHA1 | d04680df546e2d8a86f60f022544db181f409c50 |
| SHA256 | e5b6e58d6da8db36b0673539f0c65c80b071a925d2246c42c54e9fcdd8ca08e3 |
| SHA512 | 715b3f69933841baadc1c30d616db34e6959fd9257d65e31c39cd08c53afa5653b0e87b41dcc3c5e73e57387a1e7e72c0a668578bd42d5561f4105055f02993c |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Hash\_ghash_portable.pyd
| MD5 | c4cc05d3132fdfb05089f42364fc74d2 |
| SHA1 | da7a1ae5d93839577bbd25952a1672c831bc4f29 |
| SHA256 | 8f3d92de840abb5a46015a8ff618ff411c73009cbaa448ac268a5c619cf84721 |
| SHA512 | c597c70b7af8e77beeebf10c32b34c37f25c741991581d67cf22e0778f262e463c0f64aa37f92fbc4415fe675673f3f92544e109e5032e488f185f1cfbc839fe |
memory/1440-1182-0x00000000070F0000-0x000000000710A000-memory.dmp
memory/1720-1173-0x000001F6CC710000-0x000001F6CC732000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Protocol\_scrypt.pyd
| MD5 | ba46602b59fcf8b01abb135f1534d618 |
| SHA1 | eff5608e05639a17b08dca5f9317e138bef347b5 |
| SHA256 | b1bab0e04ac60d1e7917621b03a8c72d1ed1f0251334e9fa12a8a1ac1f516529 |
| SHA512 | a5e2771623da697d8ea2e3212fbdde4e19b4a12982a689d42b351b244efba7efa158e2ed1a2b5bc426a6f143e7db810ba5542017ab09b5912b3ecc091f705c6e |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Hash\_SHA1.pyd
| MD5 | ab0bcb36419ea87d827e770a080364f6 |
| SHA1 | 6d398f48338fb017aacd00ae188606eb9e99e830 |
| SHA256 | a927548abea335e6bcb4a9ee0a949749c9e4aa8f8aad481cf63e3ac99b25a725 |
| SHA512 | 3580fb949acee709836c36688457908c43860e68a36d3410f3fa9e17c6a66c1cdd7c081102468e4e92e5f42a0a802470e8f4d376daa4ed7126818538e0bd0bc4 |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Util\_strxor.pyd
| MD5 | 8f4313755f65509357e281744941bd36 |
| SHA1 | 2aaf3f89e56ec6731b2a5fa40a2fe69b751eafc0 |
| SHA256 | 70d90ddf87a9608699be6bbedf89ad469632fd0adc20a69da07618596d443639 |
| SHA512 | fed2b1007e31d73f18605fb164fee5b46034155ab5bb7fe9b255241cfa75ff0e39749200eb47a9ab1380d9f36f51afba45490979ab7d112f4d673a0c67899ef4 |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Cipher\_raw_ofb.pyd
| MD5 | 4d9182783ef19411ebd9f1f864a2ef2f |
| SHA1 | ddc9f878b88e7b51b5f68a3f99a0857e362b0361 |
| SHA256 | c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd |
| SHA512 | 8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185 |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 43bbe5d04460bd5847000804234321a6 |
| SHA1 | 3cae8c4982bbd73af26eb8c6413671425828dbb7 |
| SHA256 | faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45 |
| SHA512 | dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 20708935fdd89b3eddeea27d4d0ea52a |
| SHA1 | 85a9fe2c7c5d97fd02b47327e431d88a1dc865f7 |
| SHA256 | 11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375 |
| SHA512 | f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b |
C:\Users\Admin\AppData\Local\Temp\onefile_2336_133625164073833115\Crypto\Cipher\_raw_ecb.pyd
| MD5 | fee13d4fb947835dbb62aca7eaff44ef |
| SHA1 | 7cc088ab68f90c563d1fe22d5e3c3f9e414efc04 |
| SHA256 | 3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543 |
| SHA512 | dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2 |
memory/1440-1183-0x00000000070E0000-0x00000000070E8000-memory.dmp
memory/1440-1196-0x0000000072F70000-0x0000000073721000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 6e2dd918b2c22ec9d38424b34577d88b |
| SHA1 | ce9b5ec7934ace13a02d64f494ec8cf6de8ce5c9 |
| SHA256 | 037e7f2cd9d518cafd37f55edee61feac13b4dfdd35f67b41d7af525d93b7f0f |
| SHA512 | fe292b07ea0f7db690e00640f29b5cf7de32ddcdc887c24075801e1b7ad756e94dab31e297efff6c9def49ec3ac20e22c71ba40afb7e4fb75bf0678b64328eca |
C:\Users\Admin\AppData\Local\Temp\cnlnqv.exe
| MD5 | 1994ad04639f3d12c7bbfa37feb3434f |
| SHA1 | 4979247e5a9771286a91827851527e5dbfb80c8e |
| SHA256 | c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c |
| SHA512 | adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43 |
memory/5080-1240-0x0000000140000000-0x000000014000D000-memory.dmp
memory/5080-1239-0x0000000140000000-0x000000014000D000-memory.dmp
memory/5080-1238-0x0000000140000000-0x000000014000D000-memory.dmp
memory/5080-1237-0x0000000140000000-0x000000014000D000-memory.dmp
memory/5080-1236-0x0000000140000000-0x000000014000D000-memory.dmp
memory/5080-1243-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3132-1245-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1251-0x0000021950190000-0x00000219501B0000-memory.dmp
memory/3132-1249-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1248-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1247-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1244-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1246-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1250-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1253-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1252-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1256-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1255-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3132-1254-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3676-1257-0x0000000072F70000-0x0000000073721000-memory.dmp
memory/3676-1258-0x0000000072F70000-0x0000000073721000-memory.dmp
memory/3676-1271-0x0000000072F70000-0x0000000073721000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | fa6f33c3e5d4fcf946460ae408c7f486 |
| SHA1 | 6daa6958f640d75953227faedaef4da75f313e7b |
| SHA256 | f95ace74a8e3a280802b65a7a06e4f4cb30ddd9b4d1ac8e4e337541171b2e4d1 |
| SHA512 | 3835b7b6cc01930b33880fb77b7e95428d01af0975d4ce2f694f1d7d3c9342f4d066ce82b4e0961f520cd22b3dab7f5ec73aae835d563fbaaad53dc6da0d7f72 |