joker | 9d77877a6ca2fcb1f906206306f65fb808c6fe5a41f7710f9e21bbbe6109daf8

Analysis

max time kernel
153s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

炫舞助手抽奖挂3.0.9-B秒抽版.exe
Size

32KB
MD5

919ff2f4140ec176c7e601bc1628fd90
SHA1

e62c286586952335be84ee874e968ffb00c262c6
SHA256

c9d04a8514692f3451d4e9c04ecf04ec7e4dd408274cd5dab6f42a679ac6dee9
SHA512

8ef647fd456903403bf7d24d80f2abebad040aa823792e01a0d5c802e1e15406715dc5c7a61cda9d02dcac0c3967690e4ddf678be50f19d6bf995a8e811edf53
SSDEEP

384:s85ujj+jr85eEVPBytTlN1M+YCuQcPP4YBAmqZP4YBAmq8k:stjyjw5eEVPstTlzM+YnQcl+/+8k

Score

10^/10

joker aspackv2 evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral3/files/0x000b000000012752-67.dat	aspack_v212_v242
behavioral3/files/0x000b000000012752-74.dat	aspack_v212_v242
behavioral3/files/0x000b000000012752-79.dat	aspack_v212_v242
behavioral3/files/0x000b000000012752-78.dat	aspack_v212_v242
behavioral3/files/0x000b000000012752-77.dat	aspack_v212_v242
behavioral3/files/0x000b000000012752-110.dat	aspack_v212_v242
behavioral3/files/0x000b000000012752-120.dat	aspack_v212_v242
behavioral3/files/0x000b000000012752-119.dat	aspack_v212_v242
behavioral3/files/0x000b000000012752-122.dat	aspack_v212_v242

Executes dropped EXE 5 IoCs

pid	Process
672	p.exe
1804	p.exe
796	2071.exe
1812	svchost.exe
1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-Z568-11d2-9CBD-0000F87A369E}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-Z568-11d2-9CBD-0000F87A369E}\ = "Zou568"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-Z568-11d2-9CBD-0000F87A369E}\stubpath = "C:\\WINDOWS\\zoues\\svchost.exe"	svchost.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Loads dropped DLL 23 IoCs

pid	Process
1380	wg.dat
672	p.exe
672	p.exe
1380	wg.dat
672	p.exe
1804	p.exe
1804	p.exe
796	2071.exe
796	2071.exe
1804	p.exe
1812	svchost.exe
1812	svchost.exe
1380	wg.dat
1380	wg.dat
1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
796	2071.exe
796	2071.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sys.sys	2071.exe
File created	C:\Windows\SysWOW64\intel.dll	2071.exe
File opened for modification	C:\Windows\SysWOW64\history.log	2071.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\iexplore.exe	2071.exe
File created	C:\Program Files\iexplore.exe	2071.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\WINDOWS\Help\windowsz32.txt	p.exe
File created	C:\WINDOWS\zoues\svchost.exe	p.exe
File opened for modification	C:\WINDOWS\zoues\svchost.exe	p.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3996	796	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000009d570a1da118831d7cbc8aaf207feef4edcb0bd2457ca10602520ad6748d8351000000000e8000000002000020000000fd5713c9ca124b147aba6322e0b5787bf04896d1b3f3a29aa07fda8fa4a972af90000000d2b8cf7859ca6e7a11e7a548e61ffbedfc456f9903116ff9bf5852d7b9afcf04cacf83d2fdeb1b283ed7d82944907548a63796ee577f71c01fca556acf2d75c4f62fb03f0ce2ca799ed4f3d9f6f601c3b96914a766920be6f77366b2010fb0d46c40e357c6eeb33222d65282243523f675f98dab5caca127b23146f6bbb8d0bfb9eb470a2c629cddd639066bbf8352dd40000000ef32fa1c8892049c0f0ed9c9253dd0b2ce6ced04313828c9d56ef64141946f8e97e9df631056cb5f395e51e9333eabe75c83c253f381b9efd8ab2340ce839858	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370338825"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C54423D1-37EF-11ED-9843-7ADD0904B6AC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a4cb9ffccbd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.1wly.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\1wly.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\1wly.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	炫舞助手抽奖挂3.0.9-B秒抽版.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\1wly.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.1wly.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C5AF41B1-37EF-11ED-9843-7ADD0904B6AC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.wj95.com/"	炫舞助手抽奖挂3.0.9-B秒抽版.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
1812	svchost.exe
796	2071.exe
796	2071.exe
796	2071.exe
796	2071.exe
796	2071.exe
796	2071.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1348	炫舞助手抽奖挂3.0.9-B秒抽版.exe
Token: SeBackupPrivilege	1348	炫舞助手抽奖挂3.0.9-B秒抽版.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1784	iexplore.exe
1156	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1348	炫舞助手抽奖挂3.0.9-B秒抽版.exe
1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
1156	iexplore.exe
1156	iexplore.exe
1784	iexplore.exe
1784	iexplore.exe
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1380	1348	炫舞助手抽奖挂3.0.9-B秒抽版.exe	26
PID 1348 wrote to memory of 1380	1348	炫舞助手抽奖挂3.0.9-B秒抽版.exe	26
PID 1348 wrote to memory of 1380	1348	炫舞助手抽奖挂3.0.9-B秒抽版.exe	26
PID 1348 wrote to memory of 1380	1348	炫舞助手抽奖挂3.0.9-B秒抽版.exe	26
PID 1348 wrote to memory of 1380	1348	炫舞助手抽奖挂3.0.9-B秒抽版.exe	26
PID 1348 wrote to memory of 1380	1348	炫舞助手抽奖挂3.0.9-B秒抽版.exe	26
PID 1348 wrote to memory of 1380	1348	炫舞助手抽奖挂3.0.9-B秒抽版.exe	26
PID 1380 wrote to memory of 672	1380	wg.dat	27
PID 1380 wrote to memory of 672	1380	wg.dat	27
PID 1380 wrote to memory of 672	1380	wg.dat	27
PID 1380 wrote to memory of 672	1380	wg.dat	27
PID 1380 wrote to memory of 672	1380	wg.dat	27
PID 1380 wrote to memory of 672	1380	wg.dat	27
PID 1380 wrote to memory of 672	1380	wg.dat	27
PID 672 wrote to memory of 1804	672	p.exe	30
PID 672 wrote to memory of 1804	672	p.exe	30
PID 672 wrote to memory of 1804	672	p.exe	30
PID 672 wrote to memory of 1804	672	p.exe	30
PID 672 wrote to memory of 1804	672	p.exe	30
PID 672 wrote to memory of 1804	672	p.exe	30
PID 672 wrote to memory of 1804	672	p.exe	30
PID 1380 wrote to memory of 796	1380	wg.dat	29
PID 1380 wrote to memory of 796	1380	wg.dat	29
PID 1380 wrote to memory of 796	1380	wg.dat	29
PID 1380 wrote to memory of 796	1380	wg.dat	29
PID 1380 wrote to memory of 796	1380	wg.dat	29
PID 1380 wrote to memory of 796	1380	wg.dat	29
PID 1380 wrote to memory of 796	1380	wg.dat	29
PID 1804 wrote to memory of 1812	1804	p.exe	31
PID 1804 wrote to memory of 1812	1804	p.exe	31
PID 1804 wrote to memory of 1812	1804	p.exe	31
PID 1804 wrote to memory of 1812	1804	p.exe	31
PID 1804 wrote to memory of 1812	1804	p.exe	31
PID 1804 wrote to memory of 1812	1804	p.exe	31
PID 1804 wrote to memory of 1812	1804	p.exe	31
PID 1380 wrote to memory of 1640	1380	wg.dat	32
PID 1380 wrote to memory of 1640	1380	wg.dat	32
PID 1380 wrote to memory of 1640	1380	wg.dat	32
PID 1380 wrote to memory of 1640	1380	wg.dat	32
PID 1380 wrote to memory of 1640	1380	wg.dat	32
PID 1380 wrote to memory of 1640	1380	wg.dat	32
PID 1380 wrote to memory of 1640	1380	wg.dat	32
PID 1640 wrote to memory of 1156	1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe	34
PID 1640 wrote to memory of 1156	1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe	34
PID 1640 wrote to memory of 1156	1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe	34
PID 1640 wrote to memory of 1156	1640	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe	34
PID 796 wrote to memory of 1784	796	2071.exe	35
PID 796 wrote to memory of 1784	796	2071.exe	35
PID 796 wrote to memory of 1784	796	2071.exe	35
PID 796 wrote to memory of 1784	796	2071.exe	35
PID 1784 wrote to memory of 1072	1784	iexplore.exe	37
PID 1784 wrote to memory of 1072	1784	iexplore.exe	37
PID 1784 wrote to memory of 1072	1784	iexplore.exe	37
PID 1156 wrote to memory of 1940	1156	iexplore.exe	36
PID 1156 wrote to memory of 1940	1156	iexplore.exe	36
PID 1156 wrote to memory of 1940	1156	iexplore.exe	36
PID 1784 wrote to memory of 1072	1784	iexplore.exe	37
PID 1784 wrote to memory of 1072	1784	iexplore.exe	37
PID 1784 wrote to memory of 1072	1784	iexplore.exe	37
PID 1156 wrote to memory of 1940	1156	iexplore.exe	36
PID 1784 wrote to memory of 1072	1784	iexplore.exe	37
PID 1156 wrote to memory of 1940	1156	iexplore.exe	36
PID 1156 wrote to memory of 1940	1156	iexplore.exe	36
PID 1156 wrote to memory of 1940	1156	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\炫舞助手抽奖挂3.0.9-B秒抽版.exe
"C:\Users\Admin\AppData\Local\Temp\炫舞助手抽奖挂3.0.9-B秒抽版.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\wg.dat
  C:\Users\Admin\AppData\Local\Temp\wg.dat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\p.exe
    "C:\Users\Admin\AppData\Local\Temp\p.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Users\Admin\AppData\Local\Temp\p.exe
      C:\Users\Admin\AppData\Local\Temp\p.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\WINDOWS\zoues\svchost.exe
        
        C:\WINDOWS\zoues\svchost.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1812
- - C:\Users\Admin\AppData\Local\Temp\2071.exe
    "C:\Users\Admin\AppData\Local\Temp\2071.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://ad.tjchajian.com:82/ip.html?id=2071
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1068
      4⤵
      Loads dropped DLL
      Program crash
      PID:3996
- - C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
    "C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1wly.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31665f1a7eb87ea3c16f6ec4d1bdeab0

SHA1
d50cadae0fbe0b64938919d4b60bf46931b5f325

SHA256
d269705b1e9786e9027eaeb2317cbe02b0b0f62b7a45e4a85ed181f972b54c8a

SHA512
a91995ce83c883fb1f6ba545344221c8910cd3372ce12401572d0efe784a6b7ba158fba2ca5713fdc555f48582973a36a6da32237a8616a3201bd1fb7c22fb93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C54423D1-37EF-11ED-9843-7ADD0904B6AC}.dat

Filesize
4KB

MD5
13f05d64c14471726cb7058c8bdec0d9

SHA1
311144832a5cb1ed4821841fabafcebf17cd4f6f

SHA256
55d8ba5f4e1d912feee9f5ea0e9d151bb8820cb082b9ea9ced356137e29b52bb

SHA512
05c715e2b991fda5288663446b80fa2040771e34ddbc375d9807dc664ce8fe90ae59c0e60daa2d320952bf4f28c5b56c5a87af06d3c9e1f454db775720b5ca83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C5AF41B1-37EF-11ED-9843-7ADD0904B6AC}.dat

Filesize
3KB

MD5
e8db232eb983a2b3a59798145b17edfb

SHA1
69ff40224448f3b8c477789968d4cd49f2403202

SHA256
c26292352ef40b0432268e31a073826d711aea18c826ed00f37ddc39fbc8be8f

SHA512
bdd9e0cc2eb5c00d003257dc341f226487eabe24ef1abcac9a179992a4e988cba4b1cee0b350c7d2f7acaf9dcd137225ce16b3a58d46155e6c9fadf01afebff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
C:\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
C:\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Filesize
1.6MB

MD5
1fbf2178409a4f816be8f766288e7439

SHA1
05800a7052e6196a704b71e252d3a639bd306724

SHA256
a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

SHA512
f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Filesize
1.6MB

MD5
1fbf2178409a4f816be8f766288e7439

SHA1
05800a7052e6196a704b71e252d3a639bd306724

SHA256
a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

SHA512
f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4BX1IH8Q.txt

Filesize
606B

MD5
4ccbe3794c72103c7c9fee41f5d97590

SHA1
f1d6a56535aa97bf2a4a59afa1742a9b3b064b2e

SHA256
2ea9df723e01d7a2684563a251f225756f0414ff1ccf01015445b85b472fdcd2

SHA512
0190acf16236d2f7afffe4705ff4e406986d49b44defc73df28af434f58c662616f44175291c90a6ca20235bf2a8b2a0ca1a292af97eeb9d8bc57669c9e18cc6

Download Submit
C:\WINDOWS\zoues\svchost.exe

Filesize
33KB

MD5
b8299a947177ce0dc668af3ff05c46fa

SHA1
e82e614cffffbfc2ff2b0f3130abd495cbf76b44

SHA256
ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

SHA512
f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

Download Submit
C:\Windows\zoues\svchost.exe

Filesize
33KB

MD5
b8299a947177ce0dc668af3ff05c46fa

SHA1
e82e614cffffbfc2ff2b0f3130abd495cbf76b44

SHA256
ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

SHA512
f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

Download Submit
\??\c:\WINDOWS\Help\windowsz32.txt

Filesize
39B

MD5
be563affdf84703821ba6e23d9ed6de7

SHA1
5d6d472ddcec06861872e9bf7d18589c4b37e982

SHA256
32d7619b9c9011c023d94e7c8d6fd234d85813d7ec7cf7cf3e74f45588c95ccc

SHA512
18e6016982f3b2a0a0b618a5e76b641303893a8d50f41a324c4e63254f7cb7e1c7fa6dd6a6f48753e34a633d268477638768bd3b8a897e8a8910d12457f4c685

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Filesize
1.6MB

MD5
1fbf2178409a4f816be8f766288e7439

SHA1
05800a7052e6196a704b71e252d3a639bd306724

SHA256
a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

SHA512
f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

Download Submit
\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Filesize
1.6MB

MD5
1fbf2178409a4f816be8f766288e7439

SHA1
05800a7052e6196a704b71e252d3a639bd306724

SHA256
a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

SHA512
f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

Download Submit
\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Filesize
1.6MB

MD5
1fbf2178409a4f816be8f766288e7439

SHA1
05800a7052e6196a704b71e252d3a639bd306724

SHA256
a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

SHA512
f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

Download Submit
\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Filesize
1.6MB

MD5
1fbf2178409a4f816be8f766288e7439

SHA1
05800a7052e6196a704b71e252d3a639bd306724

SHA256
a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

SHA512
f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

Download Submit
\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Filesize
1.6MB

MD5
1fbf2178409a4f816be8f766288e7439

SHA1
05800a7052e6196a704b71e252d3a639bd306724

SHA256
a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

SHA512
f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

Download Submit
\Windows\SysWOW64\intel.dll

Filesize
142KB

MD5
5b6ae60afa76e99a591556ba5bdc0acb

SHA1
e3f12b7fe4337a55c9e859a5ceec95f749cf457b

SHA256
7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

SHA512
4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

Download Submit
\Windows\SysWOW64\intel.dll

Filesize
142KB

MD5
5b6ae60afa76e99a591556ba5bdc0acb

SHA1
e3f12b7fe4337a55c9e859a5ceec95f749cf457b

SHA256
7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

SHA512
4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

Download Submit
\Windows\zoues\svchost.exe

Filesize
33KB

MD5
b8299a947177ce0dc668af3ff05c46fa

SHA1
e82e614cffffbfc2ff2b0f3130abd495cbf76b44

SHA256
ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

SHA512
f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

Download Submit
\Windows\zoues\svchost.exe

Filesize
33KB

MD5
b8299a947177ce0dc668af3ff05c46fa

SHA1
e82e614cffffbfc2ff2b0f3130abd495cbf76b44

SHA256
ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

SHA512
f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

Download Submit
\Windows\zoues\svchost.exe

Filesize
33KB

MD5
b8299a947177ce0dc668af3ff05c46fa

SHA1
e82e614cffffbfc2ff2b0f3130abd495cbf76b44

SHA256
ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

SHA512
f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

Download Submit
memory/796-95-0x0000000000210000-0x0000000000256000-memory.dmp

Filesize
280KB

Download
memory/796-126-0x0000000000210000-0x0000000000256000-memory.dmp

Filesize
280KB

Download
memory/796-80-0x0000000000210000-0x0000000000256000-memory.dmp

Filesize
280KB

Download
memory/796-111-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/796-96-0x00000000001A0000-0x00000000001E6000-memory.dmp

Filesize
280KB

Download
memory/796-81-0x0000000000210000-0x0000000000256000-memory.dmp

Filesize
280KB

Download
memory/1348-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1348-57-0x0000000001FC0000-0x0000000002189000-memory.dmp

Filesize
1.8MB

Download
memory/1348-58-0x0000000001FC0000-0x0000000002189000-memory.dmp

Filesize
1.8MB

Download
memory/1380-94-0x00000000029F0000-0x0000000002A36000-memory.dmp

Filesize
280KB

Download
memory/1380-59-0x0000000000400000-0x00000000005C8B3B-memory.dmp

Filesize
1.8MB

Download
memory/1380-97-0x0000000000400000-0x00000000005C8B3B-memory.dmp

Filesize
1.8MB

Download
memory/1380-98-0x00000000029F0000-0x0000000002D92000-memory.dmp

Filesize
3.6MB

Download
memory/1640-109-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/1640-115-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/1640-116-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/1640-117-0x0000000077240000-0x00000000773C0000-memory.dmp

Filesize
1.5MB

Download
memory/1640-108-0x0000000077240000-0x00000000773C0000-memory.dmp

Filesize
1.5MB

Download
memory/1640-107-0x0000000000F80000-0x0000000001322000-memory.dmp

Filesize
3.6MB

Download
memory/1640-106-0x0000000000F80000-0x0000000001322000-memory.dmp

Filesize
3.6MB

Download
memory/1640-105-0x0000000000F80000-0x0000000001322000-memory.dmp

Filesize
3.6MB

Download
memory/1640-99-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download