Analysis Overview
SHA256: 44e029dd6210c4906a82e1f16dd5ebed434efd225dafb92fc560e6ff6d1ee948
Threat Level: Known bad
The file 09345699.js was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Blocklisted process makes network request
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2023-06-01 16:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-06-01 16:49
Reported: 2023-06-01 16:52
Platform: win7-20230220-en
Max time kernel: 150s
Max time network: 126s
Command Line
Signatures
Qakbot/Qbot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI50E9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB1CE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6cb08e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6cb08c.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\6cb08c.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\09345699.js
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C8" "0000000000000490"
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garokelka.com | udp |
| NL | 217.195.153.225:443 | garokelka.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab4C01.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | b5fcc55cffd66f38d548e8b63206c5e6 |
| SHA1 | 79db08ababfa33a4f644fa8fe337195b5aba44c7 |
| SHA256 | 7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1 |
| SHA512 | aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649 |
C:\Windows\Installer\MSI50E9.tmp
| MD5 | 84582448976f91c7b85a9289112d5dfc |
| SHA1 | 0fd91858edae24942722121c5bbe8d851ecd82d6 |
| SHA256 | 8b86429a795d8cae800a229a94df9141974f18c541d27e04af589962cc36044c |
| SHA512 | d68f0d7dd6631d18c72cd85f6fd04935d2a123f276c7df0d166b1c0c13e9118610b30d7509579069a1e20e4bbb49f758a6ee3ec92b44d65d369df2263cc01971 |
C:\Config.Msi\6cb08d.rbs
| MD5 | 1819aae44a74096bbe0ba41195c29b57 |
| SHA1 | 51ed973983b3223afb6217c11c4136cb84fc92d6 |
| SHA256 | 342a6c51454810ef8bf251c311b856107a5008bb9f00ff0112119308c06ec2fc |
| SHA512 | 3272adfd5a289e0e153f076795626424a0a3e7c72caa496dbed1d9ed0e6025c2e7993a7906bb068bd487f704203a55762ed861de5f79765570f59507c0e31e5b |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | b0a30ac60658d778ace59353d19c6764 |
| SHA1 | 7b2d1b208c94b0d37904503f35625c8b37586d8f |
| SHA256 | c24d21fe7d97504e61900353a81ddad838a7892581eaeebc62cb9e208e304c0d |
| SHA512 | 3ac78f804a32d75674a6a473e4880e168a61bbebd47f4c2f5cc77bffd8cda11cf1b44922c504537405af3c5261e501a1e01d1c3353a8e517b777e56367a3a696 |
\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | b0a30ac60658d778ace59353d19c6764 |
| SHA1 | 7b2d1b208c94b0d37904503f35625c8b37586d8f |
| SHA256 | c24d21fe7d97504e61900353a81ddad838a7892581eaeebc62cb9e208e304c0d |
| SHA512 | 3ac78f804a32d75674a6a473e4880e168a61bbebd47f4c2f5cc77bffd8cda11cf1b44922c504537405af3c5261e501a1e01d1c3353a8e517b777e56367a3a696 |
memory/1564-128-0x0000000000170000-0x0000000000173000-memory.dmp
memory/1564-130-0x0000000000180000-0x00000000001A4000-memory.dmp
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
| MD5 | 0d4c9f15ce74465c59ae36a27f98c817 |
| SHA1 | 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a |
| SHA256 | d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a |
| SHA512 | 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1060-136-0x00000000000F0000-0x00000000000F2000-memory.dmp
memory/1060-137-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1060-143-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1060-144-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1060-145-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1060-146-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1060-147-0x00000000000C0000-0x00000000000E4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2023-06-01 16:49
Reported: 2023-06-01 16:52
Platform: win10v2004-20230220-en
Max time kernel: 149s
Max time network: 145s
Command Line
Signatures
Qakbot/Qbot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE7C6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e56e769.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI740C.tmp | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a577c74c521b2f150000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a577c74c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a577c74c000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\09345699.js
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garokelka.com | udp |
| NL | 217.195.153.225:443 | garokelka.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.153.195.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.250.217.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 40.125.122.176:443 | N/A | tcp |
| IE | 13.69.239.73:443 | N/A | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 8.238.178.254:80 | N/A | tcp |
| NL | 8.238.178.254:80 | N/A | tcp |
| NL | 8.238.178.254:80 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 131.253.33.203:80 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
Files
C:\Windows\Installer\MSI740C.tmp
| MD5 | 6ae8d648f8a9146b7f95b3a7073575d0 |
| SHA1 | f980c6e727aeb59bf3e6e77d3169448989995ad0 |
| SHA256 | e4740d41deca81aedd912cc1f1cb5a52dbf9a8d7dfdaa8adbcb6da119379fe3d |
| SHA512 | 50b30cee011918cd584c08b64871373edd5284af3cbaef04174ec48c63ab35ae8de8e85d35d1c2e9bfb389fcf1d9a7dcf0f246c958191beacd0e14557a65e054 |
C:\Config.Msi\e56e768.rbs
| MD5 | 379d34377a77bc33f20a6f5ccb7e6f82 |
| SHA1 | 43b5dc4ccb006bf632d3a6be1ee6437ca4d8a7bc |
| SHA256 | 4adefbf654ed39c6ce87251ab5f7e3168ec45ef82259a4f6f814dd4f77cf1215 |
| SHA512 | 979fdc69c0a1742181213ee75131c5a0652a0fe56c62cb1d4626dac36b60743ab42e7c4d7d2d5342b9d148b830cfa972a73076387a0151a5149dddb6e60e33be |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | f8090ce52ba92370700730571eae8324 |
| SHA1 | a23475ba810e5aa65de0b3b6b566a3407015e4a1 |
| SHA256 | 34185364f0df3da1b86d02067a7e6641ac0e89cb8f03da38186c3bb2413c9dfb |
| SHA512 | d0659e9b21dc8a8ef14543ff480133ef4c220e737dc91b13df6564c4f505ded6f51b7d6822cc7e08f00d711b2afce8042bba3148d70bbcc7cc4f65d74a6b967d |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
| MD5 | 0d4c9f15ce74465c59ae36a27f98c817 |
| SHA1 | 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a |
| SHA256 | d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a |
| SHA512 | 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f |
\??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3465b196-19a7-4dc8-9a83-b28a3081ed43}_OnDiskSnapshotProp
| MD5 | a2e5fa84771bd7d437ce2e143fef16d3 |
| SHA1 | e67f90bb92fd5902bc0a073c630d1fdbc9667423 |
| SHA256 | 0082d4cbaad0c100cf30acef0e7e896bddabaa55a89c102f7f3c95cc53b9d09d |
| SHA512 | 69795c027e619cdf7d9507786bf0349316286f17d942f615bba850b434a427dbc946f0cdc64e89f56d84288e40bd7eb6fee0e02a5140f9812f8ea69d95f8beba |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | b9d924a15f53d4fa564bd4d403d71d9a |
| SHA1 | 4b42857c08be8b39bb6840cec2bd56253a2f05ce |
| SHA256 | 9d4432c8ce4eef54dbf3c5fd45503c77941235465aea7e5230e26c58abc104ef |
| SHA512 | 75cb67a44baefa3dfc68dd83f88b1ff9d45d9447e76565a14a0c8a211b7e5bd28587a9468d1f5da0caae134448c8149bdf3570120dfe178e91818526f406e6bb |