Analysis Overview
SHA256
9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae
Threat Level: Known bad
The file 9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:49
Reported
2024-04-06 23:51
Platform
win7-20240220-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\hxgiy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\hxgiy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /P" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /H" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /J" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /n" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /z" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /V" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /k" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /S" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /w" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /x" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /O" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /U" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /C" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /o" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /u" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /y" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /d" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /h" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /Q" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /L" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /Z" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /b" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /i" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /l" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /N" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /r" | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /G" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /c" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /X" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /E" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /W" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /a" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /I" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /D" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /s" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /q" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /v" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /M" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /j" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /p" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /Y" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /F" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /R" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /m" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /T" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /f" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /B" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /K" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /e" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /g" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /t" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /r" | C:\Users\Admin\hxgiy.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\hxgiy.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | C:\Users\Admin\hxgiy.exe |
| PID 2220 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | C:\Users\Admin\hxgiy.exe |
| PID 2220 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | C:\Users\Admin\hxgiy.exe |
| PID 2220 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | C:\Users\Admin\hxgiy.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe
"C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe"
C:\Users\Admin\hxgiy.exe
"C:\Users\Admin\hxgiy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 104.155.138.21:8000 | ns1.player1532.com | tcp |
Files
\Users\Admin\hxgiy.exe
| MD5 | 7db439e0fd30bf4068ac79dd6e143689 |
| SHA1 | 00706906ea9873f52a539e9092130350aba4c294 |
| SHA256 | 44ba7604f0b5b3f89833698446bfab61bbbb37522fe94c3e049792b55d23f899 |
| SHA512 | bf1eda9f1de9de6d3cec29f98f286421ba16a996921e2e9d573e894c9806e218691efb90dd00c50d4750b69fc46f254312801ce767ec1f48dd7af8de99543d17 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:49
Reported
2024-04-06 23:51
Platform
win10v2004-20240319-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\fqvod.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\fqvod.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /L" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /D" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /n" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /k" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /d" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /c" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /F" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /l" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /x" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /W" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /I" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /b" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /w" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /B" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /j" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /K" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /Q" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /a" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /V" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /O" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /f" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /E" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /X" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /R" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /u" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /s" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /Y" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /r" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /M" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /e" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /T" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /P" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /A" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /H" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /h" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /i" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /o" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /z" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /q" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /m" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /G" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /S" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /g" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /N" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /p" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /C" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /v" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /y" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /j" | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /t" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /U" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /J" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /Z" | C:\Users\Admin\fqvod.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\fqvod.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2408 wrote to memory of 4360 | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | C:\Users\Admin\fqvod.exe |
| PID 2408 wrote to memory of 4360 | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | C:\Users\Admin\fqvod.exe |
| PID 2408 wrote to memory of 4360 | N/A | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | C:\Users\Admin\fqvod.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe
"C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe"
C:\Users\Admin\fqvod.exe
"C:\Users\Admin\fqvod.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2156 --field-trial-handle=3408,i,16599691418790971742,134777455365707676,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.83.221.88.in-addr.arpa | udp |
| GB | 13.105.221.15:443 | | tcp |
| NL | 142.251.36.42:443 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp |
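The two behavioral runs above show the same persistence pattern twice: the sample drops a copy of itself under the user profile root (hxgiy.exe on Win7, fqvod.exe on Win10), rewrites a single HKCU Run value dozens of times with a different one-letter switch, and sets ShowSuperHidden to 0 so the dropped file stays hidden in Explorer; the only non-noise network contact in both runs is ns1.player1532.com (resolved via 8.8.8.8, then TCP 104.155.138.21:8000). The script below is an added example, not part of the sandbox report, that turns rows in this report format into hunt-ready indicators: it parses the pipe-delimited signature and network rows, maps the sandbox's \REGISTRY\USER\<SID> paths to the HKCU form a live-host query uses, collapses the repeated Run-key writes into one entry per value name, separates the C2 candidate from reverse-DNS and Edge/Bing background traffic, and emits reg.exe queries to confirm the persistence on a suspect host. The embedded rows are a constructed subset copied from the tables above; the benign-suffix list used to filter sandbox noise is an assumption.

```python
"""Turn the signature and network rows of this sandbox report into hunt-ready IOCs.

Added example, not part of the report. The rows below are a constructed subset
copied from the behavioral1 and behavioral2 tables; the benign-suffix list is an
assumption for filtering Edge/Windows background traffic seen in the Win10 run.
"""
import re

SAMPLE_SIGNATURE_ROWS = r"""
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /P" | C:\Users\Admin\hxgiy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /r" | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /L" | C:\Users\Admin\fqvod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /j" | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe | N/A |
"""

SAMPLE_NETWORK_ROWS = """
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 104.155.138.21:8000 | ns1.player1532.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

# \REGISTRY\USER\<SID>\<key>\<value> = "<data>"  for writes; no ' = "..."' suffix for reads
INDICATOR_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\(?P<path>[^=]+?)(?: = "(?P<data>.*)")?$'
)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
BENIGN_SUFFIXES = (".in-addr.arpa", ".bing.net", ".microsoft.com")  # assumption: sandbox noise


def parse_rows(text, columns):
    """Split pipe-delimited report rows into dicts keyed by `columns`; header rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == len(columns) and cells[0] not in ("Description", "Country"):
            rows.append(dict(zip(columns, cells)))
    return rows


def to_hkcu(indicator):
    """Map the sandbox's \\REGISTRY\\USER\\<SID>\\... path to (HKCU key, value name, data).
    Data is None for reads; the sandbox's doubled backslashes in string data are unescaped."""
    m = INDICATOR_RE.match(indicator)
    if not m:
        return None
    key, _, value = m.group("path").rpartition("\\")
    data = m.group("data")
    if data is not None:
        data = data.replace("\\\\", "\\")
    return ("HKCU\\" + key, value, data)


def extract_iocs(rows):
    """Collapse the repeated Run-key rewrites into one entry per value name (image path plus
    the set of switches seen) and flag the ShowSuperHidden=0 change that hides the dropper."""
    iocs = {"run_entries": {}, "show_super_hidden_disabled": False}
    for row in rows:
        parsed = to_hkcu(row["indicator"])
        if parsed is None:
            continue
        key, value, data = parsed
        if key.lower() == RUN_KEY.lower() and data:
            image, _, switch = data.partition(" ")
            entry = iocs["run_entries"].setdefault(value, {"image": image, "switches": set()})
            entry["switches"].add(switch)
        elif value.lower() == "showsuperhidden" and data == "0":
            iocs["show_super_hidden_disabled"] = True
    return iocs


def c2_candidates(net_rows):
    """TCP destinations left after dropping DNS traffic, reverse lookups and known-benign domains."""
    out = set()
    for row in net_rows:
        if row["proto"] != "tcp" or row["domain"].endswith(BENIGN_SUFFIXES):
            continue
        out.add((row["destination"], row["domain"]))
    return out


def hunt_commands(iocs):
    """reg.exe queries to run on a suspect host to confirm the persistence and the Explorer tweak."""
    cmds = [f'reg query "{RUN_KEY}" /v {name}' for name in sorted(iocs["run_entries"])]
    if iocs["show_super_hidden_disabled"]:
        cmds.append(r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden')
    return cmds


if __name__ == "__main__":
    sig = parse_rows(SAMPLE_SIGNATURE_ROWS, ("description", "indicator", "process", "target"))
    net = parse_rows(SAMPLE_NETWORK_ROWS, ("country", "destination", "domain", "proto"))
    print(extract_iocs(sig), c2_candidates(net), *hunt_commands(extract_iocs(sig)), sep="\n")
```

The SID in the indicator path belongs to the sandbox VM's user, so matching on it would miss every real host; keying the hunt on the HKCU key, the value name and the image path under the profile root is what transfers. The varying one-letter switch is not a reliable indicator either, which is why the entry records the set of switches rather than any single command line.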
Files
C:\Users\Admin\fqvod.exe
| MD5 | f0359ee92b409fe3322e39f7e844836d |
| SHA1 | d9aa0bc5881b80a767aa459c3a5c455af2b3984a |
| SHA256 | c668cf4b459578780500096063cd86a9fe62b94563a7d1693252edb05499b75d |
| SHA512 | fb6c968500edcf3667c1e90121112168ce4b26f9fe7faa17439384a741d017a308494a4e1586e9310d546c25687dc8efb2cb31fdcc30e6bd4d5d3d53cdc546e4 |
memory/4728-35-0x0000021298A40000-0x0000021298A50000-memory.dmp
memory/4728-51-0x0000021298B40000-0x0000021298B50000-memory.dmp
memory/4728-67-0x00000212A0E90000-0x00000212A0E91000-memory.dmp
memory/4728-69-0x00000212A0EC0000-0x00000212A0EC1000-memory.dmp
memory/4728-70-0x00000212A0EC0000-0x00000212A0EC1000-memory.dmp
memory/4728-71-0x00000212A0FD0000-0x00000212A0FD1000-memory.dmp