Malware Analysis Report

2025-01-22 12:25

Sample ID 240515-2s4emage26
Target 4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics
SHA256 65a947038ce1565127fa77b13bfc9a21d55e3a6226af2e352693d79bc4fc34c9
Tags
aspackv2 bootkit persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

65a947038ce1565127fa77b13bfc9a21d55e3a6226af2e352693d79bc4fc34c9

Threat Level: Shows suspicious behavior

Verdict for 4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics: shows suspicious behavior (score 7/10).

Malicious Activity Summary

aspackv2 bootkit persistence spyware stealer

Deletes itself

ASPack v2.12-2.42

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 22:51

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 22:51

Reported

2024-05-15 22:54

Platform

win7-20240221-en

Max time kernel

147s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyybb.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyybb.exe | N/A
N/A | N/A | \??\c:\Program Files\ktrsr\ybwry.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\flate = "c:\\Program Files\\ktrsr\\ybwry.exe \"c:\\Program Files\\ktrsr\\ybwry.dll\",inflate" | \??\c:\Program Files\ktrsr\ybwry.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (23 drive letters, one event each; c:, d: and f: not recorded) | \??\c:\Program Files\ktrsr\ybwry.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\Program Files\ktrsr\ybwry.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\Program Files\ktrsr | C:\Users\Admin\AppData\Local\Temp\hyybb.exe | N/A
File created | \??\c:\Program Files\ktrsr\ybwry.dll | C:\Users\Admin\AppData\Local\Temp\hyybb.exe | N/A
File created | \??\c:\Program Files\ktrsr\ybwry.exe | C:\Users\Admin\AppData\Local\Temp\hyybb.exe | N/A
File opened for modification | \??\c:\Program Files\ktrsr\ybwry.exe | C:\Users\Admin\AppData\Local\Temp\hyybb.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\Program Files\ktrsr\ybwry.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\Program Files\ktrsr\ybwry.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\Program Files\ktrsr\ybwry.exe | N/A
N/A | N/A | \??\c:\Program Files\ktrsr\ybwry.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\Program Files\ktrsr\ybwry.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyybb.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2320 wrote to memory of 308 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 1780 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 308 wrote to memory of 2604 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\hyybb.exe
PID 2604 wrote to memory of 2688 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\hyybb.exe | \??\c:\Program Files\ktrsr\ybwry.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\hyybb.exe "C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\hyybb.exe

C:\Users\Admin\AppData\Local\Temp\\hyybb.exe "C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"

\??\c:\Program Files\ktrsr\ybwry.exe

"c:\Program Files\ktrsr\ybwry.exe" "c:\Program Files\ktrsr\ybwry.dll",inflate C:\Users\Admin\AppData\Local\Temp\hyybb.exe

Network

Country | Destination | Domain | Proto
US | 107.163.56.241:18530 | 107.163.56.241 | tcp
US | 107.163.43.143:12388 | 107.163.43.143 | tcp
US | 107.163.56.251:6658 | - | tcp
US | 107.163.56.240:18963 | - | tcp
US | 107.163.56.240:18963 | - | tcp
US | 107.163.56.240:18963 | - | tcp
US | 107.163.56.240:18963 | - | tcp
US | 107.163.56.251:6658 | - | tcp
US | 107.163.56.251:6658 | - | tcp
US | 107.163.56.251:6658 | - | tcp

Files

memory/2320-0-0x0000000000400000-0x00000000004923AF-memory.dmp

memory/2320-2-0x0000000000400000-0x00000000004923AF-memory.dmp

\Users\Admin\AppData\Local\Temp\hyybb.exe

MD5 3df179c4aa3d729e55c8bf7d98bb7585
SHA1 71c60d0f9b1cac99ce06cf3e0121261ef55b5d16
SHA256 4e134dad8e6297d15e6eafb2968504888d0eb51ce6bfc21a9ec931f35f0eecbf
SHA512 f0c1c2c1bfc1aa2f9e60e308ea25580fffe29abc4295e214a77159146dd00945302617d47a510344f21ccae053b74f0dcf38dfa6c4afeeb740c8b53f5330aaa9

memory/2604-9-0x0000000000400000-0x00000000004923AF-memory.dmp

memory/308-8-0x0000000000210000-0x00000000002A3000-memory.dmp

memory/308-7-0x0000000000210000-0x00000000002A3000-memory.dmp

\Program Files\ktrsr\ybwry.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/2604-16-0x0000000000400000-0x00000000004923AF-memory.dmp

\??\c:\Program Files\ktrsr\ybwry.dll

MD5 02329f312ecd0f35b6e1601d8d9908e7
SHA1 7b9b771c8b747c05c56d1087d578aa5f9293d340
SHA256 c8811ea2f951becf89ffcaecafeda03f87367e0d14234bc7b98bf19b45102e82
SHA512 93cd1ab96f507987a9fe00b23479d2b753e2adf60047b83135fde46b2dd6627082c93a4c56f2b18ac6112b31831af7489dbbced2c53ce3d826f559e1f1709ee0

memory/2688-23-0x0000000010000000-0x0000000010074000-memory.dmp

memory/2688-24-0x0000000010000000-0x0000000010074000-memory.dmp

memory/2688-25-0x0000000010000000-0x0000000010074000-memory.dmp

memory/2688-28-0x0000000010000000-0x0000000010074000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 22:51

Reported

2024-05-15 22:54

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avrby.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avrby.exe | N/A
N/A | N/A | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\flate = "c:\\Program Files\\wwdkdo\\ofdov.exe \"c:\\Program Files\\wwdkdo\\ofdov.dll\",inflate" | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A
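The Run value has the same shape in both detonations (behavioral1 and behavioral2): a dropped host executable under a short random directory in Program Files, given a DLL path and an export name ("inflate") on its command line, the same calling convention rundll32 uses. The helper below parses both recorded values and lists the traits that make the entry worth a look; on a Windows host it can also walk the live HKCU Run key. This is an added example, not code from the sample, the sandbox or NeikiAnalytics; the trait heuristics (the 4-8 letter directory rule in particular) are the author's, and scan_live_hkcu_run() is assumed usage that this report does not exercise.

```python
"""Triage helper for Run values of the '<exe> "<dll>",<export>' shape recorded
in both detonations. Added example, not code from the sample or the sandbox;
the trait heuristics are the author's."""
from __future__ import annotations
import re
import sys
from dataclasses import dataclass
from pathlib import PureWindowsPath

# The two Run values from this report, as the sandbox rendered them
# (backslashes doubled, embedded quotes escaped).
OBSERVED = {
    r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\flate":
        r'c:\\Program Files\\ktrsr\\ybwry.exe \"c:\\Program Files\\ktrsr\\ybwry.dll\",inflate',
    r"\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\flate":
        r'c:\\Program Files\\wwdkdo\\ofdov.exe \"c:\\Program Files\\wwdkdo\\ofdov.dll\",inflate',
}

# An executable handed a DLL path plus an export name on its command line:
# rundll32's calling convention, but with a dropped host exe.
LOADER_RE = re.compile(r'^(?P<exe>.+?\.exe)\s+"?(?P<dll>.+?\.dll)"?,(?P<export>[A-Za-z_]\w*)\s*$', re.I)
KEY_RE = re.compile(r'\\(?P<sid>S-1-5-21(?:-\d+)+)\\.*\\Run\\(?P<name>[^\\]+)$', re.I)


@dataclass
class RunEntry:
    sid: str
    value_name: str
    exe: str
    dll: str
    export: str

    @property
    def directory(self) -> str:
        return PureWindowsPath(self.exe).parent.name

    def suspicious_traits(self) -> list[str]:
        exe_dir = PureWindowsPath(self.exe).parent
        dll_dir = PureWindowsPath(self.dll).parent
        traits = ["dll_export_loader"]  # "dll,export" argument, rundll32 style
        if str(exe_dir).lower() == str(dll_dir).lower():
            traits.append("exe_and_dll_same_dir")  # dropped together (see Files)
        # Heuristic (author's own): a letters-only 4-8 character directory placed
        # directly under Program Files, like ktrsr / wwdkdo in this report.
        if exe_dir.parent.name.lower() == "program files" and re.fullmatch(r"[a-z]{4,8}", exe_dir.name):
            traits.append("random_dir_under_program_files")
        return traits


def decode_sandbox_value(raw: str) -> str:
    """Undo the report's escaping of embedded quotes and backslashes."""
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_entry(key_path: str, raw_value: str) -> RunEntry | None:
    """Return a RunEntry when the value has the loader shape, else None."""
    km = KEY_RE.search(key_path)
    vm = LOADER_RE.match(decode_sandbox_value(raw_value))
    if not (km and vm):
        return None
    return RunEntry(km["sid"], km["name"], vm["exe"], vm["dll"], vm["export"])


def scan_live_hkcu_run() -> list[RunEntry]:
    """On a Windows host, check the current user's Run key for the same shape
    (assumed usage, not exercised by this report); returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            index += 1
            match = LOADER_RE.match(str(data))
            if match:
                found.append(RunEntry("HKCU", name, match["exe"], match["dll"], match["export"]))
    return found


if __name__ == "__main__":
    for key, raw in OBSERVED.items():
        entry = parse_run_entry(key, raw)
        print(entry.value_name, entry.directory, entry.export, entry.suspicious_traits())
```

The value name "flate" and the export "inflate" are the only fixed strings across the two runs; the directory and file names differ per install, so a detection should key on the argument shape (a quoted .dll path followed by ",export") rather than on the names.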

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (23 drive letters, one event each; c:, d: and f: not recorded) | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A
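Both detonations show the persistent stage opening \??\PHYSICALDRIVE0 for modification, which is the raw disk, not a volume: the only thing a user-mode process gains from that handle is the ability to rewrite sector 0. The report does not say what was written, so the practical follow-up on a suspect host is to pull sector 0 and compare it against a baseline. The check below validates the 0x55AA boot signature, parses the four partition entries, and hashes only the boot-code bytes (0..445), because the partition table may change through ordinary disk management while the boot code should not. This is an added example, not code from the sample or the sandbox; the MBR bytes are constructed inline for the demonstration, and read_mbr() is assumed usage against a real device or dd image.

```python
"""Baseline check for sector 0 after a PHYSICALDRIVE0 write: boot signature,
partition table, and a hash of the boot code against a known-good value.
Added example; the MBR bytes are constructed, not taken from the sample."""
from __future__ import annotations
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == MBR_SIZE and mbr[510:512] == BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> list[Partition]:
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, type_id = mbr[off], mbr[off + 4]          # 0x80 = active
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if type_id != 0:                                   # 0 = empty slot
            parts.append(Partition(status == 0x80, type_id, lba_start, sectors))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of bytes 0..445 only (boot code, not the partition table)."""
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    return {
        "signature_ok": has_boot_signature(mbr),
        "partitions": parse_partitions(mbr),
        "boot_code_modified": boot_code_hash(mbr) != baseline_hash,
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code zero-padded to 446 bytes, one
    active NTFS (0x07) partition at LBA 2048 of 204800 sectors, signature."""
    if len(boot_code) > PART_TABLE_OFFSET:
        raise ValueError("boot code too long")
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    table = entry + bytes(16 * 3)                          # three empty slots
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


def read_mbr(path: str) -> bytes:
    """Sector 0 of a raw device (\\\\.\\PhysicalDrive0 on Windows, needs admin)
    or of a dd image. Assumed usage; not exercised here."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr(b"\xfa\x33\xc0")                # a few stub bytes
    baseline = boot_code_hash(good)                         # recorded on a clean host
    tampered = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 8)  # same table, new boot code
    print(check_mbr(good, baseline))
    print(check_mbr(tampered, baseline))
```

A rewritten sector 0 that keeps a valid signature and an unchanged partition table still boots normally, which is why the signature and table alone prove nothing; the baseline hash is the check that matters, and it has to come from the same machine before the detonation.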

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\Program Files\wwdkdo | C:\Users\Admin\AppData\Local\Temp\avrby.exe | N/A
File created | \??\c:\Program Files\wwdkdo\ofdov.dll | C:\Users\Admin\AppData\Local\Temp\avrby.exe | N/A
File created | \??\c:\Program Files\wwdkdo\ofdov.exe | C:\Users\Admin\AppData\Local\Temp\avrby.exe | N/A
File opened for modification | \??\c:\Program Files\wwdkdo\ofdov.exe | C:\Users\Admin\AppData\Local\Temp\avrby.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A
N/A | N/A | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A
N/A | N/A | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A
N/A | N/A | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\Program Files\wwdkdo\ofdov.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avrby.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\avrby.exe "C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\avrby.exe

C:\Users\Admin\AppData\Local\Temp\\avrby.exe "C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"

\??\c:\Program Files\wwdkdo\ofdov.exe

"c:\Program Files\wwdkdo\ofdov.exe" "c:\Program Files\wwdkdo\ofdov.dll",inflate C:\Users\Admin\AppData\Local\Temp\avrby.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3760,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
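The process chains of behavioral1 and behavioral2 are identical apart from the generated names: the sample spawns cmd.exe with "ping 127.0.0.1 -n 2 & <dropped>.exe "<own path>"". The ping is a sleep (roughly N-1 seconds for -n N against localhost), long enough for the original process to exit, and the dropped copy receives the original's path as its argument, which is what the "Deletes itself" signature records. The function below recognises that chain in a process tree and explains why each part is there. This is an added example, not code from the report or the sample; PROCESS_TREE copies behavioral1's command lines together with the PIDs from its WriteProcessMemory table (the first process's parent is not given and is set to None), and the flag names are the author's.

```python
"""Recognise the relaunch-and-delete chain
    cmd.exe /c ping 127.0.0.1 -n N & <dropped>.exe "<original sample path>"
in a process tree. Added example; PROCESS_TREE is copied from behavioral1
of this report, the parsing and flags are the author's."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

PROCESS_TREE = [  # (pid, parent pid, command line) from the behavioral1 tables
    (2320, None, r'"C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"'),
    (308, 2320, r'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\hyybb.exe '
                r'"C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"'),
    (1780, 308, r'ping 127.0.0.1 -n 2'),
    (2604, 308, r'C:\Users\Admin\AppData\Local\Temp\\hyybb.exe '
                r'"C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"'),
    (2688, 2604, r'"c:\Program Files\ktrsr\ybwry.exe" "c:\Program Files\ktrsr\ybwry.dll",inflate '
                 r'C:\Users\Admin\AppData\Local\Temp\hyybb.exe'),
]

# cmd /c ping <host> -n <count> [&|&&|||] <next>.exe "<original>"
PING_CHAIN_RE = re.compile(
    r'^(?:.*\\)?cmd(?:\.exe)?\s+/c\s+ping\s+(?P<host>\S+)\s+-n\s+(?P<count>\d+)'
    r'\s*(?:&&?|\|\|)\s*(?P<next>.+?\.exe)\s+"(?P<original>[^"]+)"\s*$', re.I)


def _norm(path: str) -> str:
    """Strip quotes, collapse the doubled separator seen in the recorded
    command line, lower-case (Windows paths are case-insensitive)."""
    return path.strip('"').replace("\\\\", "\\").lower()


@dataclass
class RelaunchChain:
    cmd_pid: int
    delay_s: int
    dropped_exe: str
    original_path: str
    flags: list[str] = field(default_factory=list)


def find_relaunch_chains(tree: list[tuple[int, int | None, str]]) -> list[RelaunchChain]:
    by_pid = {pid: (ppid, cmdline) for pid, ppid, cmdline in tree}
    chains = []
    for pid, (ppid, cmdline) in by_pid.items():
        m = PING_CHAIN_RE.match(cmdline)
        if not m:
            continue
        dropped, original = _norm(m["next"]), _norm(m["original"])
        chain = RelaunchChain(pid, max(int(m["count"]) - 1, 0), dropped, original)
        if m["host"].lower() in ("127.0.0.1", "localhost", "::1"):
            chain.flags.append("localhost_ping_as_sleep")
        parent_cmdline = by_pid.get(ppid, (None, ""))[1]
        if original and original in _norm(parent_cmdline):
            chain.flags.append("parent_image_passed_to_child")   # handed over for deletion
        if dropped.rsplit("\\", 1)[0] == original.rsplit("\\", 1)[0]:
            chain.flags.append("dropped_next_to_original")        # both in %TEMP%
        if any(pp == pid and _norm(c).startswith(dropped) for _, pp, c in tree):
            chain.flags.append("dropped_exe_ran")                  # child actually started
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in find_relaunch_chains(PROCESS_TREE):
        print(chain)
```

The same pattern appears with timeout.exe or a longer -n count in other families; the regex above covers only the ping form because that is what this report shows, and the flags are what distinguish a real relaunch chain from an administrator's batch file that happens to ping localhost.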

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
BE | 88.221.83.226:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 226.83.221.88.in-addr.arpa | udp
US | 107.163.56.241:18530 | - | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 107.163.43.143:12388 | - | tcp
US | 107.163.56.251:6658 | - | tcp
US | 8.8.8.8:53 | 251.56.163.107.in-addr.arpa | udp
US | 107.163.56.240:18963 | 107.163.56.240 | tcp
US | 107.163.56.240:18963 | 107.163.56.240 | tcp
US | 8.8.8.8:53 | 240.56.163.107.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 107.163.56.240:18963 | - | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 107.163.56.251:6658 | - | tcp
US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.242.123.52.in-addr.arpa | udp
US | 107.163.56.251:6658 | - | tcp
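The Windows 10 run mixes the sample's traffic with background noise that the report itself explains: the www.bing.com connection belongs to the Edge utility process in the process list, and the in-addr.arpa queries to 8.8.8.8 are reverse lookups of addresses seen during the run (two of them, 107.163.56.251 and 107.163.56.240, are the sample's own peers). The same four 107.163.x.x endpoints on unusual high ports appear in the Windows 7 run with no DNS at all, which points to hard-coded IP addresses. The helper below reduces the table to unique (ip, port, hits) tuples and correlates the reverse lookups. This is an added example, not part of the report; the rows are copied from the table above (either the space-separated or the "|"-separated rendering is accepted) and the classification rules are the author's.

```python
"""Reduce a sandbox network table to candidate C2 endpoints, dropping the
traffic explained by the sandbox itself. Added example; NETWORK_ROWS is copied
from behavioral2 of this report, the rules are the author's."""
from __future__ import annotations
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 88.221.83.226:443 www.bing.com tcp
US 8.8.8.8:53 226.83.221.88.in-addr.arpa udp
US 107.163.56.241:18530 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 107.163.43.143:12388 tcp
US 107.163.56.251:6658 tcp
US 8.8.8.8:53 251.56.163.107.in-addr.arpa udp
US 107.163.56.240:18963 107.163.56.240 tcp
US 107.163.56.240:18963 107.163.56.240 tcp
US 8.8.8.8:53 240.56.163.107.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 107.163.56.240:18963 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 107.163.56.251:6658 tcp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 56.242.123.52.in-addr.arpa udp
US 107.163.56.251:6658 tcp
"""

# Traffic the process list accounts for without the sample: the Edge utility
# process (www.bing.com) and the resolver the sandbox uses.
BENIGN_DOMAINS = {"www.bing.com"}
RESOLVER = "8.8.8.8"


def parse_rows(text: str) -> list[dict]:
    """Accepts 'CC ip:port [domain] proto' or 'CC | ip:port | domain | proto'."""
    rows = []
    for line in text.strip().splitlines():
        if "|" in line:
            country, dest, domain, proto = [f.strip() for f in line.split("|")]
            domain = "" if domain == "-" else domain
        else:
            fields = line.split()
            country, dest, proto = fields[0], fields[1], fields[-1]
            domain = fields[2] if len(fields) == 4 else ""
        if country.lower() == "country":
            continue  # header row
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> str | None:
    """'251.56.163.107.in-addr.arpa' -> '107.163.56.251'; None for other names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def c2_candidates(rows: list[dict]) -> list[tuple[str, int, int]]:
    """Unique (ip, port, hits) for TCP peers not explained by the sandbox."""
    hits: Counter = Counter()
    for r in rows:
        if r["proto"] != "tcp" or r["domain"] in BENIGN_DOMAINS or r["ip"] == RESOLVER:
            continue
        if not ipaddress.ip_address(r["ip"]).is_global:
            continue  # sandbox-internal addresses
        hits[(r["ip"], r["port"])] += 1
    return sorted(((ip, port, n) for (ip, port), n in hits.items()),
                  key=lambda t: (ipaddress.ip_address(t[0]), t[1]))


def ptr_lookups_for(rows: list[dict], candidates: list[tuple[str, int, int]]) -> list[str]:
    """Candidate IPs that were also reverse-resolved during the run."""
    wanted = {ip for ip, _, _ in candidates}
    return sorted({ptr_to_ip(r["domain"]) for r in rows if ptr_to_ip(r["domain"]) in wanted})


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for ip, port, n in c2_candidates(rows):
        print(f"{ip}:{port}  hits={n}")
    print("reverse-resolved:", ptr_lookups_for(rows, c2_candidates(rows)))
```

The resulting four IP:port pairs are the only network indicators this report supports; none of them has a domain in either run, so a DNS-based block would not have caught this sample and a network rule has to key on the destination addresses and ports.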

Files

memory/2272-0-0x0000000000400000-0x00000000004923AF-memory.dmp

memory/2272-2-0x0000000000400000-0x00000000004923AF-memory.dmp

C:\Users\Admin\AppData\Local\Temp\avrby.exe

MD5 f2722a709fe210b556598a4f33125839
SHA1 d96c4b8c1d4c83f62353970d0bb4ea8adc87f92c
SHA256 4d10e77adb85b199395fe44afbd90d0ce228e8062ccbc60abd5b4e8d1bcc5ce8
SHA512 79f995c170539e3d38601aab2bdc677bf9df24ff9a2eb59848a4f7565b5ece7a73c0c8f458f947891f9dccf610b5f911eca637db0e94be09cb7c9d09a59736de

memory/3648-6-0x0000000000400000-0x00000000004923AF-memory.dmp

C:\Program Files\wwdkdo\ofdov.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/3648-11-0x0000000000400000-0x00000000004923AF-memory.dmp

\??\c:\Program Files\wwdkdo\ofdov.dll

MD5 2876a1e964b815ca511f6fe4e97df24d
SHA1 240710045a1284050dcf15ce7a35eb7c163a5990
SHA256 630ee4ea7ac9dbad821e46f6f8262701c8de26b2b6da105b0d4eaa9170e83caa
SHA512 d15fadd8336f02c0d52b964d290a496c48bed449097af8929ed10cd73222dfc34afb06c9f69a7c8719edf60288d93ba378e4ebd7c8d863c7f01fc71c7a9ef346

memory/2792-15-0x0000000010000000-0x0000000010074000-memory.dmp

memory/2792-18-0x0000000010000000-0x0000000010074000-memory.dmp

memory/2792-19-0x0000000010000000-0x0000000010074000-memory.dmp