Malware Analysis Report

2025-03-14 23:13

Sample ID 240406-3t24mafc75
Target 9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae
SHA256 9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae

Threat Level: Known bad

The file 9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae was found to be: Known bad.

Across the two detonations the sample writes a copy of itself to the root of the user profile under a random five-letter name (hxgiy.exe on Windows 7, fqvod.exe on Windows 10), runs it, and both the parent and the copy then rewrite the HKCU Run value named after the copy several dozen times, each write carrying a different single-letter switch (the last writes leave "/r" and "/Z"). The two dropped files hash differently from the parent and from each other, so the on-disk copy is not a byte-identical clone and file hashes alone will not catch it. Both processes also set Explorer's ShowSuperHidden to 0; that is the Windows default value, so the indicator is the write coming from a non-Explorer process, not the resulting value. The only network activity attributable to the sample is the lookup of ns1.player1532.com and, in the Windows 7 run, the TCP connection to 104.155.138.21:8000; the in-addr.arpa PTR lookups, the bing.net and port-443 connections in the Windows 10 run coincide with the msedge.exe utility process in that run's process list and read as background traffic, as does the SeManageVolumePrivilege hit on svchost.exe. The summary below lists every signature that fired; the per-run tables that follow show rows for only some of them (none for "Loads dropped DLL" or "Suspicious use of WriteProcessMemory").

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:49

Reported

2024-04-06 23:51

Platform

win7-20240220-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\hxgiy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\hxgiy.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /P" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /H" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /J" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /n" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /z" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /V" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /k" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /S" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /w" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /x" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /O" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /U" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /C" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /o" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /u" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /y" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /d" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /h" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /Q" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /L" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /Z" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /b" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /i" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /l" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /N" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /r" C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /G" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /c" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /X" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /E" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /W" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /a" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /I" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /D" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /s" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /q" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /v" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /M" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /j" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /p" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /Y" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /F" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /R" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /m" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /T" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /f" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /B" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /K" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /e" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /g" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /t" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /r" C:\Users\Admin\hxgiy.exe N/A
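The rows in this table and in the ShowSuperHidden table above follow one fixed shape ("Set value (type) key = "data" process target"), so they can be parsed rather than read by eye. The Python below is an added example, not part of the sandbox report or of its tooling: it parses six rows copied from the behavioral1 tables (constructed input: both ShowSuperHidden writes and four of the Run-key writes), maps the sandbox account's SID onto HKCU so rows from different detonations compare equal, collapses the repeated writes into one record per value, and reports the last data written (the value that actually survives a reboot), how many distinct values were cycled through, and whether the image named by the Run value was itself one of the writers.

```python
"""Parse the flattened 'Set value' rows of this report and summarise them."""
import re

# Constructed input: six rows copied from the behavioral1 tables in this report
# (both ShowSuperHidden writes and four of the fifty-odd Run-key writes).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /P" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /H" C:\Users\Admin\hxgiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /r" C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxgiy = "C:\\Users\\Admin\\hxgiy.exe /Z" C:\Users\Admin\hxgiy.exe N/A
"""

# One report row: type, full key path (value name is its last component),
# quoted data, writing process (may contain spaces), target (last token).
ROW_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" '
    r'(?P<process>.+) (?P<target>\S+)$'
)
USER_SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
RUN_DATA_RE = re.compile(
    r'^"?(?P<image>[a-z]:\\[^"]+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)


def parse_row(line):
    """Return a dict for one 'Set value' row, or None if the line is not one."""
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    key, value_name = m.group("key").rsplit("\\", 1)
    # Fold the sandbox account's per-user hive onto HKCU so that rows from
    # detonations with different SIDs compare equal.
    key = USER_SID_RE.sub(r"HKCU\\", key)
    return {
        "key": key,
        "value": value_name,
        "type": m.group("type"),
        # The report doubles backslashes inside string data; undo that.
        "data": m.group("data").replace("\\\\", "\\"),
        "process": m.group("process"),
    }


def summarize(rows):
    """Collapse repeated writes to one record per (key, value) and flag them."""
    slots = {}
    for line in rows.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        slot = slots.setdefault((row["key"].lower(), row["value"].lower()), {
            "key": row["key"], "value": row["value"], "writes": 0,
            "writers": set(), "seen": [], "last_data": None,
        })
        slot["writes"] += 1
        slot["writers"].add(row["process"])
        slot["seen"].append(row["data"])
        slot["last_data"] = row["data"]

    findings = []
    for slot in slots.values():
        key = slot["key"].lower()
        if (key.endswith(r"\explorer\advanced")
                and slot["value"].lower() == "showsuperhidden"
                and slot["last_data"] == "0"):
            findings.append({"kind": "evasion", "value": "ShowSuperHidden",
                             "writes": slot["writes"],
                             "writers": sorted(slot["writers"])})
        elif key.endswith(r"\currentversion\run"):
            m = RUN_DATA_RE.match(slot["last_data"])
            if m is None:
                continue
            image = m.group("image")
            findings.append({
                "kind": "persistence", "value": slot["value"], "image": image,
                "args": (m.group("args") or "").strip(),
                "writes": slot["writes"], "distinct_data": len(set(slot["seen"])),
                "writers": sorted(slot["writers"]),
                # True when the binary the Run value launches was itself a writer.
                "self_registered": any(w.lower() == image.lower()
                                       for w in slot["writers"]),
            })
    return findings


if __name__ == "__main__":
    for finding in summarize(SAMPLE_ROWS):
        print(finding)
```

On the six constructed rows this yields one evasion record with two writers and one persistence record for value hxgiy with four writes, four distinct data strings, final arguments "/Z", and self_registered set because C:\Users\Admin\hxgiy.exe is among the writers. Fed the full table, the write count grows to the number of rows and the final data becomes the last row's "/r"; the collapse is what turns fifty lines into one fact.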

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A
N/A N/A C:\Users\Admin\hxgiy.exe N/A (63 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A
N/A N/A C:\Users\Admin\hxgiy.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe

"C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe"

C:\Users\Admin\hxgiy.exe

"C:\Users\Admin\hxgiy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.player1532.com udp
US 104.155.138.21:8000 ns1.player1532.com tcp

Files

\Users\Admin\hxgiy.exe

MD5 7db439e0fd30bf4068ac79dd6e143689
SHA1 00706906ea9873f52a539e9092130350aba4c294
SHA256 44ba7604f0b5b3f89833698446bfab61bbbb37522fe94c3e049792b55d23f899
SHA512 bf1eda9f1de9de6d3cec29f98f286421ba16a996921e2e9d573e894c9806e218691efb90dd00c50d4750b69fc46f254312801ce767ec1f48dd7af8de99543d17

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:49

Reported

2024-04-06 23:51

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\fqvod.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\fqvod.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /L" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /D" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /n" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /k" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /d" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /c" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /F" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /l" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /x" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /W" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /I" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /b" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /w" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /B" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /j" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /K" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /Q" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /a" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /V" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /O" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /f" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /E" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /X" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /R" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /u" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /s" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /Y" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /r" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /M" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /e" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /T" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /P" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /A" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /H" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /h" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /i" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /o" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /z" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /q" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /m" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /G" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /S" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /g" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /N" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /p" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /C" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /v" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /y" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /j" C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /t" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /U" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /J" C:\Users\Admin\fqvod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqvod = "C:\\Users\\Admin\\fqvod.exe /Z" C:\Users\Admin\fqvod.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\fqvod.exe N/A (62 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe N/A
N/A N/A C:\Users\Admin\fqvod.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe

"C:\Users\Admin\AppData\Local\Temp\9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae.exe"

C:\Users\Admin\fqvod.exe

"C:\Users\Admin\fqvod.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2156 --field-trial-handle=3408,i,16599691418790971742,134777455365707676,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 ns1.player1532.com udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 160.83.221.88.in-addr.arpa udp
GB 13.105.221.15:443 tcp
NL 142.251.36.42:443 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp

Files

C:\Users\Admin\fqvod.exe

MD5 f0359ee92b409fe3322e39f7e844836d
SHA1 d9aa0bc5881b80a767aa459c3a5c455af2b3984a
SHA256 c668cf4b459578780500096063cd86a9fe62b94563a7d1693252edb05499b75d
SHA512 fb6c968500edcf3667c1e90121112168ce4b26f9fe7faa17439384a741d017a308494a4e1586e9310d546c25687dc8efb2cb31fdcc30e6bd4d5d3d53cdc546e4

memory/4728-35-0x0000021298A40000-0x0000021298A50000-memory.dmp

memory/4728-51-0x0000021298B40000-0x0000021298B50000-memory.dmp

memory/4728-67-0x00000212A0E90000-0x00000212A0E91000-memory.dmp

memory/4728-69-0x00000212A0EC0000-0x00000212A0EC1000-memory.dmp

memory/4728-70-0x00000212A0EC0000-0x00000212A0EC1000-memory.dmp

memory/4728-71-0x00000212A0FD0000-0x00000212A0FD1000-memory.dmp
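Because the dropped copy hashed differently in each detonation, a hunt for this sample on real hosts has to key on the Run value's shape rather than on the file hashes. The script below is an added example, not part of the sandbox report: it applies the three traits both runs share (image directly in the profile root, a five-letter lower-case name that doubles as the value name, a lone single-letter switch) to every value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, hashes any hit and compares it against the three SHA256 values from this report. The live read uses the standard-library `winreg` module and therefore returns nothing off Windows, in which case the constructed SAMPLE_ENTRIES (the Windows 7 run's final Run value beside a made-up benign OneDrive entry) are scored instead; the OneDrive path and arguments are an assumption made for the example.

```python
"""Hunt a live user hive for the Run-key persistence pattern in this report."""
import hashlib
import os
import re
import sys

# Hashes taken from this report. The dropped copy hashed differently in the two
# detonations, so a hash match confirms a hit; the behavioural traits find it.
KNOWN_SHA256 = {
    "9e655b3e3f389d11cdb87fce266f346fc9641247fd7961261993493b71a0d3ae",  # submitted sample
    "44ba7604f0b5b3f89833698446bfab61bbbb37522fe94c3e049792b55d23f899",  # hxgiy.exe, win7 run
    "c668cf4b459578780500096063cd86a9fe62b94563a7d1693252edb05499b75d",  # fqvod.exe, win10 run
}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_DATA_RE = re.compile(
    r'^"?(?P<image>[a-z]:\\[^"]+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)

# Constructed sample: the final Run value of the Windows 7 run beside a made-up
# benign entry (assumed path and switch), so the scorer can run off-line.
SAMPLE_ENTRIES = [
    ("hxgiy", r"C:\Users\Admin\hxgiy.exe /r"),
    ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def suspicious_run_value(name, data, user_profile):
    """Return which traits of this sample's Run value (name, data) shares.

    The traits are all visible in the report: the image sits directly in the
    profile root rather than under AppData or Program Files, the value name
    equals the file name and both are five lower-case letters, and the only
    argument is a single-letter switch. An empty list means none matched.
    """
    m = RUN_DATA_RE.match(data.strip())
    if m is None:
        return []
    image, args = m.group("image"), (m.group("args") or "").strip()
    image_dir, image_file = image.rsplit("\\", 1)
    stem = image_file[:-len(".exe")]
    traits = []
    if image_dir.lower() == user_profile.rstrip("\\").lower():
        traits.append("image in profile root")
    if name.lower() == stem.lower() and re.fullmatch(r"[a-z]{5}", stem):
        traits.append("five-letter lower-case name")
    if re.fullmatch(r"/[A-Za-z]", args):
        traits.append("single-letter switch")
    return traits


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def read_hkcu_run():
    """(name, data) pairs under HKCU\\...\\Run; empty when not on Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # past the last value
                break
            entries.append((name, str(data)))
            index += 1
    return entries


def hunt(entries, user_profile):
    """Score each Run entry; return the suspicious ones with their hash status."""
    hits = []
    for name, data in entries:
        traits = suspicious_run_value(name, data, user_profile)
        if not traits:
            continue
        image = RUN_DATA_RE.match(data.strip()).group("image")
        digest = sha256_file(image) if os.path.isfile(image) else None
        hits.append({"name": name, "data": data, "traits": traits,
                     "sha256": digest, "known_ioc": digest in KNOWN_SHA256})
    return hits


if __name__ == "__main__":
    profile = os.environ.get("USERPROFILE", r"C:\Users\Admin")
    for hit in hunt(read_hkcu_run() or SAMPLE_ENTRIES, profile):
        print(hit)
```

A hit with all three traits and no hash match is the expected outcome for a fresh drop of this family; a hit with known_ioc set merely confirms it. Treat a single trait on its own as weak: plenty of benign software writes a Run value with one switch, and the profile-root location is the trait that carries most of the weight here.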