Analysis Overview
SHA256
0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2
Threat Level: Known bad
The file 0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Qakbot family
Qakbot/Qbot
Loads dropped DLL
Unsigned PE
System Location Discovery: System Language Discovery
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 20:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 20:39
Reported
2024-11-20 20:41
Platform
win7-20241023-en
Max time kernel
97s
Max time network
17s
Command Line
Signatures
Qakbot family
Qakbot/Qbot
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Dfciko = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ulizmchuv = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\4d124ce4 = f8bb5699a2ba3730430141380e268b43fadfc1ad2d09e94e97dd1de22b6aef199d755b0545a9df647948f7329103beb0c2306f354ab494bf6bd7eb71bf557e20bef5d84036fb17c24008aa6731eac60067f29d0bc38cb19f73879dcedff59db154d2ea5f6c02fc471463e94d05fa44ec2f369e4cb1171ef4c1e5f1c0c983371142dd45a39d84314b12b047080db79415635e29 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\4f536c98 = 7f56a4ab027e5de46beefc2bb986a83993d0834fc35b553f7812ad83219f5c201816ad426cdb6089ff57c0e5d997ee68fdc6b0e52a6460d8b527072e363ce1498838fc34b291c56cc7975f | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\f7ef0bfd = 31bf1cc83ca67045fe5bc1b4e5bd6502 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\8ae74477 = 8d42d6009e4744933518e52e13584171ed8df8441b741dbc7f43a26f169452b3b0310aa0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\f5ae2b81 = 7c61e02bd6028938047b6e0b7708bb2a671413f0eadc4863c1b45f86d7eaf129b01bdebb0be73a8a8ed064e1312d3500eed1ddaf1a53403b4b5e784474a6f12fd41cd4510361f9c686a36066dd628a5a7d60d5923b1ad103f4fb17b5c476508d0bb91f6752476e57822b361d3d38e318 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\7c4f35c = 1c408ab892e301a13cafcf6d3aaa5e1506e0ae49fea4e492cdcd4afeceb5547f2ff34fecfd38ccef132f8368edebc9244e5d440f983e9968d1a8e3cce9e87db0d9e1299be78f353f1b094dc509b505460acee318be2e32112b8b748781d1 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Awfcdaj | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\788d9caa = abf811732701d0b679e91a682c78ed360cccc15f24cfac67bea3339ae7c35093ba0d652a3371e62e3d9a150c8de71d6b33217d686f6b9b73f58fbd88c6c728f02d18e166a496135cb98f58be32468a | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\325b2312 = 1847229c778bb1723db3aef94c8112ac5edb4bd867e9bb1bbefb391131d6b9d37755f6f0b645a889e8611877a3b06cdc3b8488bfcdf9214d9d386cae45c83d9ed9e15b32f1e98b8303f114e4 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\788d9caa = abf806732701e5db5cbaff96ab5b6d28fcab0a09c6ae685e8b7d4ad54f686d4a48b2501dbcde9a42253f9df53651f54f6961f7b4658692b60ec9d077062177f49589278a555156bee0a552dd62d19801d89ae160da63d89de8c72bafd80044a886382abe | C:\Windows\SysWOW64\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll,#1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn micrvxligw /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll\"" /SC ONCE /Z /ST 20:41 /ET 20:53
C:\Windows\system32\taskeng.exe
taskeng.exe {9BCA5A4F-365B-4188-B185-ACD2CBF55478} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Dfciko" /d "0"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ulizmchuv" /d "0"
Network
Files
C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll
| MD5 | 44e60ee86b4cb4188bdd08e3b49c0bf5 |
| SHA1 | c271311550ce154650896787afef4a3f8ae86620 |
| SHA256 | 0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2 |
| SHA512 | 193619bda32192c7ac61a8ed427cde79ca8aa2d77775bc714cfcb564915b3d7967cfc338877a27e633030aff30f1ce35c3056979e56941dafb9dc85e015e1e03 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-20 20:39
Reported
2024-11-20 20:41
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
97s
Command Line
Signatures
Qakbot family
Qakbot/Qbot
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ydgdxc = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Oexepotiakf = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\8f82410 = 468368145399893f67b8c181e099d97d4cae5ff90919a6ffe684444b5b11f1d585934bbc49e0ac1f167942118fc59baceaac7bfd83a201b5cef22e850cd7cd0788ad0f0af9ef8d146fc85b4a4805e4868b94477617f2e6d88f7895788fd04d5a569284b95039209249eb | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\77b14be6 = c6e2f182e0f4a928585b22423ec08a9fb89afa9e35d6d537a0aec0f08c6bfe01f5908b4c2e24b30468dc63b58bfeed64d97b2025b304b90d5079a7e7f785a8dfa5e9e39f04dee7d5ff7c38b2c0308b0abc20a3ea129a77ef2db39b234f6e92facc5bd44972c1d5d1 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\fa92fccd = fb8e264a2365a2dd364f2ae2820fb1ddc20b8277c8ffb65df35351f7d8e7a33205a007736cb7afa9777d6d3e7513b7b13c8b1d648491bd93876c6e47c1c090f4f86c4a6394caa30fb5d670b7b81779e473f61bab42acf17ee85ad8411763 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\cf0d2c83 = f26326f132a63a3940c004422dfddec2685a32e819dbb9b4cd3436b7abbca591237262be4c296814a7f96d4b6797b84755f61254f78ff1c413eae2b102e8f8ba9c8a4bc4678a7e5ba524dbba69ef5120cd1226e9f025fbc256b9d13636d3ded94269469840476110bbd789e31b20637dd945929817f79f1b6591aa8dcf14c5227368fed42a2a6a096cf7b3ca9376972d740a90b1f57e3d57095e3d952b615a097cd58b5b920c25c019a89fd427e3b7ef515447244746a1efb34b702375b30def4aa7d84f778a | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\cd4c0cff = 722b23307bc44c2aa02208c748f8ebf3f81d4f94e8335bd869f4c5b5f09f3e89fa941e87879a9c0cd2e7353be0c982aa747b3caecc72d7206c7ead1237ad146a | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\75f06b9a = c68fb9c245ff8b68d672b7f2d900bf36372dc36e5cb40904ca76e346b8eb30816616d0d8dcdca4dfca29a06457e96ec554c0c4a23de7cccaaa63239170972d05c6b6f60d530acfb4ef6201f46aa1694e36900651d61b4297a804e556fb2beba54b6eca1176d254735c9e69ff9aec0936d678 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\fa92fccd = fb8e314a236597ede2e365ff6411599f21e848f630a71d15030c0436ad09ee3b981e2fd3a928b9a3c2b74b8b8ca8738e4760556e8660f3ffac3584c91c810677404b8b86efd95c5d60 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\b0444375 = 112b97bcdcfae281b7013c2956e27dbab5d81080acb2bc9e6717c59ad7f0a6cfde89dacb62dccf55a61f28c26e58ff282898335bef434f0f4ac3a833f566cfda1bff5df7d42773fd9f28b714518b5b32c27f614e2902b5d08b9695eeefb5ca071948c8de0bcc0f1803 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\85db933b = 875741f27f3e40e61ba8cc64a4f7672a56661e510e77479b403f2596c4e0316abacb478b2a93dd135dd01e2a232824a358ccfc91c7af18e9e3fdc341b89f93b69ddeb4b5695e7fb64ab8f5cf6dee930d10612e1f5b6639f22d145d2b5a384a4c0023271c5507dbc9d6ece8 | C:\Windows\SysWOW64\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll,#1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hgneaeot /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll\"" /SC ONCE /Z /ST 20:41 /ET 20:53
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Oexepotiakf" /d "0"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ydgdxc" /d "0"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll
| MD5 | 44e60ee86b4cb4188bdd08e3b49c0bf5 |
| SHA1 | c271311550ce154650896787afef4a3f8ae86620 |
| SHA256 | 0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2 |
| SHA512 | 193619bda32192c7ac61a8ed427cde79ca8aa2d77775bc714cfcb564915b3d7967cfc338877a27e633030aff30f1ce35c3056979e56941dafb9dc85e015e1e03 |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |