558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f

Analysis

max time kernel
63s
max time network
69s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Size

375KB
MD5

63357aa3becc702b55eaae59c47c088a
SHA1

4fa92ae801dcd294b859aaeb917a5933dcbf0d88
SHA256

558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f
SHA512

b56cddb625cea6ee1c2e83430cde96eae63967c21f5e20323265a3b2eb04d876b42ab0be9eb1df1c25f98669ff28a2e10c1c46364114d726c701304dcf961af1
SSDEEP

6144:Bs3SpxXr3+f+zWZu+mJcJTnR5XB0lP1l4ndym8iV6OaUwuKgu6vn7tl2Ysrs9N/n:cSpx73I+z8Ucpnj+Pj4nv8OaUVKguiLn

Score

9^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\version.dll	acprotect
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\version.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

honorzone.exehonorzonep.exe

pid process

856 honorzone.exe
1988 honorzonep.exe

pid	process
856	honorzone.exe
1988	honorzonep.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\version.dll	upx
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\version.dll	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1624 cmd.exe

pid	process
1624	cmd.exe

Loads dropped DLL 25 IoCs

Processes:

558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exehonorzonep.exehonorzone.exe

pid	process
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
1988	honorzonep.exe
1988	honorzonep.exe
1988	honorzonep.exe
856	honorzone.exe
856	honorzone.exe
856	honorzone.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\honorzone = "\"C:\\Users\\Admin\\AppData\\Roaming\\honorzone\\honorzone.exe\" subcmd"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\honorzoneP = "\"C:\\Users\\Admin\\AppData\\Roaming\\honorzone\\honorzonep.exe\" subcmd"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A599A91D-88AE-4561-939B-EEE293665C75}	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A599A91D-88AE-4561-939B-EEE293665C75}\ = "Honorzone SubTap"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A599A91D-88AE-4561-939B-EEE293665C75}\NoExplorer = "1"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2024 sc.exe
1368 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

468 schtasks.exe
1080 schtasks.exe

pid	process
2024	sc.exe
1368	sc.exe

pid	process
468	schtasks.exe
1080	schtasks.exe

Modifies registry class 51 IoCs

Processes:

558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj.1\CLSID	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj\CurVer\ = "honorzone_dll.honorzone_Obj.1"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\honorzone\\honorzone.dll"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\HELPDIR\	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib\ = "{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj.1	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\TypeLib	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\TypeLib\ = "{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\honorzone_dll.DLL	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj\CurVer	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ = "Ihonorzone_Obj"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\ = "Honorzone SubTap"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\VersionIndependentProgID	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\InprocServer32	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\FLAGS	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\HELPDIR	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4DCE947D-3040-4F5F-9390-7C057C1BD755}\ = "honorzone_dll"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\honorzone_dll.DLL\AppID = "{4DCE947D-3040-4F5F-9390-7C057C1BD755}"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj.1\CLSID\ = "{A599A91D-88AE-4561-939B-EEE293665C75}"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ = "Ihonorzone_Obj"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib\Version = "1.0"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\0	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ProxyStubClsid32	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\AppID = "{4DCE947D-3040-4F5F-9390-7C057C1BD755}"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\VersionIndependentProgID\ = "honorzone_dll.honorzone_Obj"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ProxyStubClsid32	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib\ = "{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib\Version = "1.0"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj.1\ = "honorzone_Obj Class"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj\CLSID\ = "{A599A91D-88AE-4561-939B-EEE293665C75}"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\FLAGS\ = "0"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\0\win32	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj\ = "honorzone_Obj Class"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\ProgID	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\Programmable	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\honorzone\\honorzone.dll"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\InprocServer32\ThreadingModel = "Apartment"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\ = "honorzone_dll 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4DCE947D-3040-4F5F-9390-7C057C1BD755}	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj\CLSID	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\ProgID\ = "honorzone_dll.honorzone_Obj.1"	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exehonorzone.exehonorzonep.exe

pid	process
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
856	honorzone.exe
1988	honorzonep.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

honorzone.exehonorzonep.exe

pid process

856 honorzone.exe
1988 honorzonep.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

honorzone.exehonorzonep.exe

pid process

856 honorzone.exe
856 honorzone.exe
1988 honorzonep.exe
1988 honorzonep.exe

pid	process
856	honorzone.exe
1988	honorzonep.exe

pid	process
856	honorzone.exe
856	honorzone.exe
1988	honorzonep.exe
1988	honorzonep.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.execmd.execmd.exehonorzone.exehonorzonep.exe

description	pid	process	target process
PID 2020 wrote to memory of 1472	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1472	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1472	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1472	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1472	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1472	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1472	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 1472 wrote to memory of 1080	1472	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 1080	1472	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 1080	1472	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 1080	1472	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 1080	1472	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 1080	1472	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 1080	1472	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1008	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1008	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1008	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1008	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1008	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1008	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1008	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 1008 wrote to memory of 468	1008	cmd.exe	schtasks.exe
PID 1008 wrote to memory of 468	1008	cmd.exe	schtasks.exe
PID 1008 wrote to memory of 468	1008	cmd.exe	schtasks.exe
PID 1008 wrote to memory of 468	1008	cmd.exe	schtasks.exe
PID 1008 wrote to memory of 468	1008	cmd.exe	schtasks.exe
PID 1008 wrote to memory of 468	1008	cmd.exe	schtasks.exe
PID 1008 wrote to memory of 468	1008	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 856	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzone.exe
PID 2020 wrote to memory of 856	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzone.exe
PID 2020 wrote to memory of 856	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzone.exe
PID 2020 wrote to memory of 856	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzone.exe
PID 2020 wrote to memory of 856	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzone.exe
PID 2020 wrote to memory of 856	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzone.exe
PID 2020 wrote to memory of 856	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzone.exe
PID 2020 wrote to memory of 1988	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzonep.exe
PID 2020 wrote to memory of 1988	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzonep.exe
PID 2020 wrote to memory of 1988	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzonep.exe
PID 2020 wrote to memory of 1988	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzonep.exe
PID 2020 wrote to memory of 1988	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzonep.exe
PID 2020 wrote to memory of 1988	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzonep.exe
PID 2020 wrote to memory of 1988	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	honorzonep.exe
PID 2020 wrote to memory of 1624	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1624	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1624	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1624	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1624	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1624	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 2020 wrote to memory of 1624	2020	558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe	cmd.exe
PID 856 wrote to memory of 2024	856	honorzone.exe	sc.exe
PID 856 wrote to memory of 2024	856	honorzone.exe	sc.exe
PID 856 wrote to memory of 2024	856	honorzone.exe	sc.exe
PID 856 wrote to memory of 2024	856	honorzone.exe	sc.exe
PID 856 wrote to memory of 2024	856	honorzone.exe	sc.exe
PID 856 wrote to memory of 2024	856	honorzone.exe	sc.exe
PID 856 wrote to memory of 2024	856	honorzone.exe	sc.exe
PID 1988 wrote to memory of 1368	1988	honorzonep.exe	sc.exe
PID 1988 wrote to memory of 1368	1988	honorzonep.exe	sc.exe
PID 1988 wrote to memory of 1368	1988	honorzonep.exe	sc.exe
PID 1988 wrote to memory of 1368	1988	honorzonep.exe	sc.exe
PID 1988 wrote to memory of 1368	1988	honorzonep.exe	sc.exe
PID 1988 wrote to memory of 1368	1988	honorzonep.exe	sc.exe
PID 1988 wrote to memory of 1368	1988	honorzonep.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe
"C:\Users\Admin\AppData\Local\Temp\558ca215b8fd55f26823ec242701fc7f087ce68d4aa48e4bc2a9db2c3d683f8f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /C schtasks /Create /F /TN "Windowshonorzone" /SC ONLOGON /TR "'C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe' schcmd" /rL HIGHEST
2⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /F /TN "Windowshonorzone" /SC ONLOGON /TR "'C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe' schcmd" /rL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /C schtasks /Create /F /TN "WindowsHZP" /SC ONLOGON /TR "'C:\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe' schcmd" /rL HIGHEST
2⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /F /TN "WindowsHZP" /SC ONLOGON /TR "'C:\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe' schcmd" /rL HIGHEST
3⤵
- Creates scheduled task(s)
PID:468

C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe
"C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe" Updatecmd
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\sc.exe
sc query npf
3⤵
- Launches sc.exe
PID:2024

C:\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe
"C:\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe" Updatecmd
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\sc.exe
sc query npf
3⤵
- Launches sc.exe
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /c \DelUS.bat
2⤵
- Deletes itself
PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
264B

MD5
9267066e64f446cbc918f56d02ef2cfd

SHA1
8c370f99ecc048d8d5d58c40d059b57531d8ce90

SHA256
5c6292eb548d1d940622687601c48115f03344d78a35f7d9da1d58d7be36d368

SHA512
1c5ea5294ba484f891af5952984a43aef12859f493b4101eccfe63027b37da67e4e36ba4624c319a4f900f3e33187d1663e8c1e7b51d630ad1cb0b3d4773c0e1

Download Submit
C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
388KB

MD5
9d8e6d3d98af7a5c20e68b67f1a9991b

SHA1
28d8dfe877b311079dd1d27481690e24917730fe

SHA256
39a434aceb9658315bf69395a64ff8c1684c73efec2aa8b6ef00aee4d5aea030

SHA512
0d9c5eda267abac55f0324577126739ebb04a7aa14b09b6909e7d04bf26cb2532d48744b3f871968b8ff323a70ef65632fa10c1e2f271d5ee95c8d5cc873a3d0

Download Submit
C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
388KB

MD5
9d8e6d3d98af7a5c20e68b67f1a9991b

SHA1
28d8dfe877b311079dd1d27481690e24917730fe

SHA256
39a434aceb9658315bf69395a64ff8c1684c73efec2aa8b6ef00aee4d5aea030

SHA512
0d9c5eda267abac55f0324577126739ebb04a7aa14b09b6909e7d04bf26cb2532d48744b3f871968b8ff323a70ef65632fa10c1e2f271d5ee95c8d5cc873a3d0

Download Submit
C:\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe

Filesize
344KB

MD5
fab8d4cfe749202fe33fbcfdb42ca8ee

SHA1
3c120c399b8f492cca40c7d5755948a1f6f2b6b6

SHA256
3a04e2353c384790f1c9045f861279c1eb02ef2c0055b9eaa6840c02beefb9f8

SHA512
7d052d05a7478e9184ec5627f803e5cd2ea7312016113bd6ddcc80e5602ac69bc99c4f1ed309b7561f8a5eb637f534fd243465da1b45ebad7f91b641ce9c37ba

Download Submit
C:\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe

Filesize
344KB

MD5
fab8d4cfe749202fe33fbcfdb42ca8ee

SHA1
3c120c399b8f492cca40c7d5755948a1f6f2b6b6

SHA256
3a04e2353c384790f1c9045f861279c1eb02ef2c0055b9eaa6840c02beefb9f8

SHA512
7d052d05a7478e9184ec5627f803e5cd2ea7312016113bd6ddcc80e5602ac69bc99c4f1ed309b7561f8a5eb637f534fd243465da1b45ebad7f91b641ce9c37ba

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\DLLWebCount.dll

Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\IEKill.dll

Filesize
28KB

MD5
090f0ab18996feae6c0a62d83b2149c6

SHA1
5292898561ad88630088ae22fb877dfc7146ee77

SHA256
914536dd97645de7789666da5dc03d02f4fbe0593214678e6e1982a02a8a1c4d

SHA512
2fccda2cb95583fdb184b7edaa7ae088ca484e06d020159bf9776e36b660c6672812b7e821b111fa52d63ad5e2ce70602dc117edc2eba3c46029653c5ef5ffc6

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\IEKill.dll

Filesize
28KB

MD5
090f0ab18996feae6c0a62d83b2149c6

SHA1
5292898561ad88630088ae22fb877dfc7146ee77

SHA256
914536dd97645de7789666da5dc03d02f4fbe0593214678e6e1982a02a8a1c4d

SHA512
2fccda2cb95583fdb184b7edaa7ae088ca484e06d020159bf9776e36b660c6672812b7e821b111fa52d63ad5e2ce70602dc117edc2eba3c46029653c5ef5ffc6

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\SelfDelete.dll

Filesize
24KB

MD5
ddc0d6806073a5b034104c88288ca762

SHA1
9663cc10c496f05d6167e19c3920245040e5e431

SHA256
2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b

SHA512
545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
\Users\Admin\AppData\Local\Temp\nstE37F.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.dll

Filesize
148KB

MD5
a70691a95c6064384ec4de2b4e3bce5a

SHA1
6e6676eddc35becbd0df2cc8564b7ada325269ef

SHA256
36ca367164c329eef682852772ad3a3d77ab5c53b3e3fcaf8a4da742409e294f

SHA512
56e46f7390abc43d9ab4d36d110c7173f9ca676bca134d503bdfa7c2c7077d428e0016c304d61630bc34e676776332800815ed488e327731d791ace0f73b221f

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
388KB

MD5
9d8e6d3d98af7a5c20e68b67f1a9991b

SHA1
28d8dfe877b311079dd1d27481690e24917730fe

SHA256
39a434aceb9658315bf69395a64ff8c1684c73efec2aa8b6ef00aee4d5aea030

SHA512
0d9c5eda267abac55f0324577126739ebb04a7aa14b09b6909e7d04bf26cb2532d48744b3f871968b8ff323a70ef65632fa10c1e2f271d5ee95c8d5cc873a3d0

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
388KB

MD5
9d8e6d3d98af7a5c20e68b67f1a9991b

SHA1
28d8dfe877b311079dd1d27481690e24917730fe

SHA256
39a434aceb9658315bf69395a64ff8c1684c73efec2aa8b6ef00aee4d5aea030

SHA512
0d9c5eda267abac55f0324577126739ebb04a7aa14b09b6909e7d04bf26cb2532d48744b3f871968b8ff323a70ef65632fa10c1e2f271d5ee95c8d5cc873a3d0

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
388KB

MD5
9d8e6d3d98af7a5c20e68b67f1a9991b

SHA1
28d8dfe877b311079dd1d27481690e24917730fe

SHA256
39a434aceb9658315bf69395a64ff8c1684c73efec2aa8b6ef00aee4d5aea030

SHA512
0d9c5eda267abac55f0324577126739ebb04a7aa14b09b6909e7d04bf26cb2532d48744b3f871968b8ff323a70ef65632fa10c1e2f271d5ee95c8d5cc873a3d0

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
388KB

MD5
9d8e6d3d98af7a5c20e68b67f1a9991b

SHA1
28d8dfe877b311079dd1d27481690e24917730fe

SHA256
39a434aceb9658315bf69395a64ff8c1684c73efec2aa8b6ef00aee4d5aea030

SHA512
0d9c5eda267abac55f0324577126739ebb04a7aa14b09b6909e7d04bf26cb2532d48744b3f871968b8ff323a70ef65632fa10c1e2f271d5ee95c8d5cc873a3d0

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
388KB

MD5
9d8e6d3d98af7a5c20e68b67f1a9991b

SHA1
28d8dfe877b311079dd1d27481690e24917730fe

SHA256
39a434aceb9658315bf69395a64ff8c1684c73efec2aa8b6ef00aee4d5aea030

SHA512
0d9c5eda267abac55f0324577126739ebb04a7aa14b09b6909e7d04bf26cb2532d48744b3f871968b8ff323a70ef65632fa10c1e2f271d5ee95c8d5cc873a3d0

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe

Filesize
344KB

MD5
fab8d4cfe749202fe33fbcfdb42ca8ee

SHA1
3c120c399b8f492cca40c7d5755948a1f6f2b6b6

SHA256
3a04e2353c384790f1c9045f861279c1eb02ef2c0055b9eaa6840c02beefb9f8

SHA512
7d052d05a7478e9184ec5627f803e5cd2ea7312016113bd6ddcc80e5602ac69bc99c4f1ed309b7561f8a5eb637f534fd243465da1b45ebad7f91b641ce9c37ba

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe

Filesize
344KB

MD5
fab8d4cfe749202fe33fbcfdb42ca8ee

SHA1
3c120c399b8f492cca40c7d5755948a1f6f2b6b6

SHA256
3a04e2353c384790f1c9045f861279c1eb02ef2c0055b9eaa6840c02beefb9f8

SHA512
7d052d05a7478e9184ec5627f803e5cd2ea7312016113bd6ddcc80e5602ac69bc99c4f1ed309b7561f8a5eb637f534fd243465da1b45ebad7f91b641ce9c37ba

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe

Filesize
344KB

MD5
fab8d4cfe749202fe33fbcfdb42ca8ee

SHA1
3c120c399b8f492cca40c7d5755948a1f6f2b6b6

SHA256
3a04e2353c384790f1c9045f861279c1eb02ef2c0055b9eaa6840c02beefb9f8

SHA512
7d052d05a7478e9184ec5627f803e5cd2ea7312016113bd6ddcc80e5602ac69bc99c4f1ed309b7561f8a5eb637f534fd243465da1b45ebad7f91b641ce9c37ba

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe

Filesize
344KB

MD5
fab8d4cfe749202fe33fbcfdb42ca8ee

SHA1
3c120c399b8f492cca40c7d5755948a1f6f2b6b6

SHA256
3a04e2353c384790f1c9045f861279c1eb02ef2c0055b9eaa6840c02beefb9f8

SHA512
7d052d05a7478e9184ec5627f803e5cd2ea7312016113bd6ddcc80e5602ac69bc99c4f1ed309b7561f8a5eb637f534fd243465da1b45ebad7f91b641ce9c37ba

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzonep.exe

Filesize
344KB

MD5
fab8d4cfe749202fe33fbcfdb42ca8ee

SHA1
3c120c399b8f492cca40c7d5755948a1f6f2b6b6

SHA256
3a04e2353c384790f1c9045f861279c1eb02ef2c0055b9eaa6840c02beefb9f8

SHA512
7d052d05a7478e9184ec5627f803e5cd2ea7312016113bd6ddcc80e5602ac69bc99c4f1ed309b7561f8a5eb637f534fd243465da1b45ebad7f91b641ce9c37ba

Download Submit
memory/468-76-0x0000000000000000-mapping.dmp

Download
memory/856-82-0x0000000000000000-mapping.dmp

Download
memory/1008-74-0x0000000000000000-mapping.dmp

Download
memory/1080-68-0x0000000000000000-mapping.dmp

Download
memory/1368-103-0x0000000000000000-mapping.dmp

Download
memory/1472-66-0x0000000000000000-mapping.dmp

Download
memory/1624-90-0x0000000000000000-mapping.dmp

Download
memory/1988-86-0x0000000000000000-mapping.dmp

Download
memory/2020-72-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2020-71-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/2020-70-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2024-102-0x0000000000000000-mapping.dmp

Download