Analysis Overview
SHA256
c1b321e20412cb39fecc341752b686333c4afc0847d4506da546a1e8435d48df
Threat Level: Shows suspicious behavior
The file ad608ab178c9a8c65cab94afee5c0d4b was found to be: Shows suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
Drops file in System32 directory
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 01:44
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 01:44
Reported
2024-02-29 01:47
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
115s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MKFX.EXE = "C:\\PerfLogs\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\AHEXWA.EXE | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\AHEXWA.EXE" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Users\\AHEXWA.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\AHEXWA.EXE %1" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\AHEXWA.EXE %1" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\AHEXWA.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2260 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | C:\Windows\SysWOW64\Regsvr32.exe |
| PID 2260 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | C:\Users\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe
"C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe"
C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
C:\Users\svchost.exe
C:\Users\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/2260-0-0x0000000000760000-0x0000000000761000-memory.dmp
C:\filedebug
| MD5 | b86c8a6a00f21ca1af8d56cdedf2987b |
| SHA1 | ab4f2967c3bb442ea2725f9e41510f05a0776726 |
| SHA256 | c941fada3cd19d790b77a5a47a56701157e5e862ca46f0efc6e7259d645d967a |
| SHA512 | 0d4a3f818d9e5f86a8f49b1aae3a9b5a921dbf1663e85de5368c141133d0e19d19bd218d86cc36a1a299d82c6172acce226b3e75e4aaaa8a6fde92bf28cd9520 |
C:\Users\AHEXWA.EXE
| MD5 | b7e146ae5c14da75a4ff97661114e228 |
| SHA1 | 230cfbc778cba01f13d1d926d72d02f5c2225aaa |
| SHA256 | 21c5c1682498a03f24c1ac2e837895505fd577cbec8749a2f4d5729ca5c2b3ba |
| SHA512 | 30a872633bbbb21809b5d77dc0cbee596447af5c2f3068d22a71c6ec26601e56560f68dc7686fe1c8c339544652e6e3e07de30f76150e43c68a2b031f5f30d55 |
C:\Windows\SysWOW64\Ms7002.dll
| MD5 | 876a2a99b81968f5b26e3cbe12063d2b |
| SHA1 | 7afa8f33b691b2651b65eb07220cc2fda4b7537c |
| SHA256 | f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0 |
| SHA512 | ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 01:44
Reported
2024-02-29 01:47
Platform
win7-20240215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FDWWZF.EXE = "C:\\Users\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\FDWWZF.EXE | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\FDWWZF.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Users\\FDWWZF.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\FDWWZF.EXE" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\PerfLogs\\UAUW.EXE %1" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\FDWWZF.EXE %1" | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe
"C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe"
C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
Network
Files
memory/2620-2-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\FDWWZF.EXE
| MD5 | b034b7e210d854c426fef9630b142738 |
| SHA1 | 58334b34fc07d8c7367d353e7a5d0657d8fee57d |
| SHA256 | 8994327d4bea6e722ded97bccfe96ba552de6988f1ea18b2762eea046c9f8ac7 |
| SHA512 | 20e29c821a32261fa842f79481a84c16b43d7b08479ad8d4ca8fce8d9269cbb812633191357e760b1c06c989709210a550dce32bc64df8e4840b1c590eba17e4 |
C:\Windows\SysWOW64\Ms7002.dll
| MD5 | 876a2a99b81968f5b26e3cbe12063d2b |
| SHA1 | 7afa8f33b691b2651b65eb07220cc2fda4b7537c |
| SHA256 | f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0 |
| SHA512 | ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1 |
memory/2620-20-0x0000000000400000-0x000000000047D000-memory.dmp