Malware Analysis Report

2025-03-15 06:04

Sample ID 240512-p2s9ssfe2w
Target setup查看6034.exe
SHA256 191b71de6de80fa56d2f9337dad82638a7959acc21ca4030e710cd373342efc1
Tags
vmprotect upx persistence
score
8/10


Analysis Overview

score
8/10

SHA256

191b71de6de80fa56d2f9337dad82638a7959acc21ca4030e710cd373342efc1

Threat Level: Likely malicious

The file setup查看6034.exe was found to be: Likely malicious.

Malicious Activity Summary

vmprotect upx persistence

Downloads MZ/PE file

UPX packed file

VMProtect packed file

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-12 12:49

Signatures

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

VMProtect packed file

vmprotect
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 12:49

Reported

2024-05-12 12:55

Platform

win7-20231129-en

Max time kernel

252s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

VMProtect packed file

vmprotect
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\微软OneDrive = "C:\\Users\\Public\\Documents\\jvfudyfm\\1715518229.lnk" | C:\Windows\System32\colorcpl.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\Q: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\colorcpl.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\360\360Safe\safemon\360tray.exe | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ | C:\Windows\System32\colorcpl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\colorcpl.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe

"C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe"

C:\Windows\System32\colorcpl.exe

"C:\Windows\System32\colorcpl.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| HK | 206.238.198.114:6666 | | tcp |
| HK | 206.238.198.114:6666 | | tcp |
| HK | 47.76.232.8:80 | 47.76.232.8 | tcp |

Files

memory/3044-0-0x000000013F380000-0x0000000140374000-memory.dmp

memory/3044-2-0x000000013F389000-0x000000014031C000-memory.dmp

memory/3044-1-0x000000013F380000-0x0000000140374000-memory.dmp

memory/3044-3-0x000000013F380000-0x0000000140374000-memory.dmp

memory/2992-4-0x000007FEF72F0000-0x000007FEF733C000-memory.dmp

memory/2992-6-0x0000000002090000-0x0000000002091000-memory.dmp

memory/2992-5-0x0000000002090000-0x0000000002091000-memory.dmp

memory/3044-7-0x000000013F380000-0x0000000140374000-memory.dmp

memory/3044-8-0x000000013F389000-0x000000014031C000-memory.dmp

memory/2992-9-0x0000000003070000-0x00000000030B9000-memory.dmp

memory/2992-11-0x0000000003070000-0x00000000030B9000-memory.dmp

memory/2992-12-0x0000000003070000-0x00000000030B9000-memory.dmp

memory/2992-10-0x0000000003070000-0x00000000030B9000-memory.dmp

memory/2992-14-0x0000000003070000-0x00000000030B9000-memory.dmp

memory/2992-13-0x0000000003150000-0x00000000031CE000-memory.dmp

memory/2992-16-0x0000000003070000-0x00000000030B9000-memory.dmp

memory/2992-15-0x0000000003070000-0x00000000030B9000-memory.dmp

memory/2992-17-0x0000000003070000-0x00000000030B9000-memory.dmp

memory/2992-18-0x0000000180000000-0x000000018008D000-memory.dmp

memory/2992-26-0x0000000003070000-0x00000000030B9000-memory.dmp

memory/2992-28-0x0000000180000000-0x0000000180057000-memory.dmp

C:\Users\Public\Documents\jvfudyfm\1715518226.exe

MD5 829d3fb946e1d7d424b9f9a72897b9e4
SHA1 9a344d01ff925ac1b3c707c0d5ad06b804d3ba44
SHA256 e9241316c5aa46e0d4a06fcfe45993adbbb08ab49e40c4c6f0287240bd0a58b5
SHA512 a0052e53295b61be33745a94d8783c351cb6b44566979f0dd7079c7b360f3b8e074948f6a9adbdefa2d7298ac6e39bddcc70e54b9ca7ba62f1fa329b7b3e063b

memory/2992-50-0x0000000180000000-0x0000000180089000-memory.dmp

memory/2992-56-0x0000000003BA0000-0x0000000003C14000-memory.dmp

memory/2992-63-0x000007FEF72F0000-0x000007FEF733C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 12:49

Reported

2024-05-12 12:55

Platform

win10v2004-20240508-en

Max time kernel

300s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

VMProtect packed file

vmprotect
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\微软OneDrive = "C:\\Users\\Public\\Documents\\xjbemzdb\\1715518244.lnk" | C:\Windows\System32\colorcpl.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\G: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\colorcpl.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\colorcpl.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\360\360Safe\safemon\360tray.exe | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ | C:\Windows\System32\colorcpl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\colorcpl.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\colorcpl.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4520 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | C:\Windows\System32\colorcpl.exe |
| PID 4520 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | C:\Windows\System32\colorcpl.exe |
| PID 4520 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe | C:\Windows\System32\colorcpl.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe

"C:\Users\Admin\AppData\Local\Temp\setup查看6034.exe"

C:\Windows\System32\colorcpl.exe

"C:\Windows\System32\colorcpl.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| HK | 206.238.198.114:6666 | | tcp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.198.238.206.in-addr.arpa | udp |
| HK | 206.238.198.114:6666 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| HK | 47.76.232.8:80 | 47.76.232.8 | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.232.76.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |

Files

memory/4520-1-0x00007FF616C50000-0x00007FF617C44000-memory.dmp

memory/4520-0-0x00007FF616C50000-0x00007FF617C44000-memory.dmp

memory/4520-2-0x00007FF616C59000-0x00007FF617BEC000-memory.dmp

memory/4520-3-0x00007FF616C50000-0x00007FF617C44000-memory.dmp

memory/2688-4-0x0000029A652D0000-0x0000029A652D1000-memory.dmp

memory/4520-5-0x00007FF616C50000-0x00007FF617C44000-memory.dmp

memory/4520-6-0x00007FF616C59000-0x00007FF617BEC000-memory.dmp

memory/2688-7-0x0000029A66EB0000-0x0000029A66EF9000-memory.dmp

memory/2688-8-0x0000029A66EB0000-0x0000029A66EF9000-memory.dmp

memory/2688-9-0x0000029A66EB0000-0x0000029A66EF9000-memory.dmp

memory/2688-10-0x0000029A66EB0000-0x0000029A66EF9000-memory.dmp

memory/2688-11-0x0000029A66EB0000-0x0000029A66EF9000-memory.dmp

memory/2688-12-0x0000029A66EB0000-0x0000029A66EF9000-memory.dmp

memory/2688-13-0x0000029A66EB0000-0x0000029A66EF9000-memory.dmp

memory/2688-14-0x0000000180000000-0x000000018008D000-memory.dmp

memory/2688-22-0x0000029A66EB0000-0x0000029A66EF9000-memory.dmp

memory/2688-25-0x0000000180000000-0x0000000180057000-memory.dmp

C:\Users\Public\Downloads\QQgames.exe

MD5 829d3fb946e1d7d424b9f9a72897b9e4
SHA1 9a344d01ff925ac1b3c707c0d5ad06b804d3ba44
SHA256 e9241316c5aa46e0d4a06fcfe45993adbbb08ab49e40c4c6f0287240bd0a58b5
SHA512 a0052e53295b61be33745a94d8783c351cb6b44566979f0dd7079c7b360f3b8e074948f6a9adbdefa2d7298ac6e39bddcc70e54b9ca7ba62f1fa329b7b3e063b

memory/2688-42-0x0000029A7A1B0000-0x0000029A7A239000-memory.dmp

memory/2688-48-0x0000029A7A240000-0x0000029A7A2B4000-memory.dmp

memory/2688-41-0x0000029A66EB0000-0x0000029A66EF9000-memory.dmp