94b4b84bcc41a9aa26bf1de7ddba594fff7c1b104a56b842a0093ce756feaace

Analysis

max time kernel
3s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04bd93a2ddcd25faff37e39b498051f6.exe
Size

18KB
MD5

04bd93a2ddcd25faff37e39b498051f6
SHA1

25e5ec4580d0f60901850e2ed861af0e897db778
SHA256

94b4b84bcc41a9aa26bf1de7ddba594fff7c1b104a56b842a0093ce756feaace
SHA512

73f639133d87fadccf9fb0b9085c1f75c2b6e582c86f5eb55c9833389597729f206e52077fcdf596437de7b4d9f8dce57d073e63c6edfd58da910896eea27e19
SSDEEP

384:IPx766GhJEAH0cZqwnwo25oVjrRm59IUzcT64WzPaqB2B57bgoMjVo:yk/aA5wo22jrRSDSGPJB2/b7Mj6

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
4384	zscqahlp.exe
4488	zscqahlp.exe
4576	zscqahlp.exe
4668	zscqahlp.exe
4740	zscqahlp.exe
4844	zscqahlp.exe
4924	zscqahlp.exe
5000	zscqahlp.exe
5088	zscqahlp.exe
1800	zscqahlp.exe

Loads dropped DLL 20 IoCs

pid	Process
1956	04bd93a2ddcd25faff37e39b498051f6.exe
1956	04bd93a2ddcd25faff37e39b498051f6.exe
4384	zscqahlp.exe
4384	zscqahlp.exe
4488	zscqahlp.exe
4488	zscqahlp.exe
4576	zscqahlp.exe
4576	zscqahlp.exe
4668	zscqahlp.exe
4668	zscqahlp.exe
4740	zscqahlp.exe
4740	zscqahlp.exe
4844	zscqahlp.exe
4844	zscqahlp.exe
4924	zscqahlp.exe
4924	zscqahlp.exe
5000	zscqahlp.exe
5000	zscqahlp.exe
5088	zscqahlp.exe
5088	zscqahlp.exe

Installs/modifies Browser Helper Object 2 TTPs 20 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	04bd93a2ddcd25faff37e39b498051f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	04bd93a2ddcd25faff37e39b498051f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	04bd93a2ddcd25faff37e39b498051f6.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	04bd93a2ddcd25faff37e39b498051f6.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File created	C:\Windows\SysWOW64\zscqahlp.exe	04bd93a2ddcd25faff37e39b498051f6.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	04bd93a2ddcd25faff37e39b498051f6.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File created	C:\Windows\SysWOW64\ypcqghlp.dll	04bd93a2ddcd25faff37e39b498051f6.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File created	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	04bd93a2ddcd25faff37e39b498051f6.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	04bd93a2ddcd25faff37e39b498051f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	04bd93a2ddcd25faff37e39b498051f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	04bd93a2ddcd25faff37e39b498051f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}	04bd93a2ddcd25faff37e39b498051f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	04bd93a2ddcd25faff37e39b498051f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	04bd93a2ddcd25faff37e39b498051f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1956	04bd93a2ddcd25faff37e39b498051f6.exe
1956	04bd93a2ddcd25faff37e39b498051f6.exe
1956	04bd93a2ddcd25faff37e39b498051f6.exe
1956	04bd93a2ddcd25faff37e39b498051f6.exe
1956	04bd93a2ddcd25faff37e39b498051f6.exe
1956	04bd93a2ddcd25faff37e39b498051f6.exe
4384	zscqahlp.exe
4384	zscqahlp.exe
4488	zscqahlp.exe
4488	zscqahlp.exe
4576	zscqahlp.exe
4576	zscqahlp.exe
4668	zscqahlp.exe
4668	zscqahlp.exe
4740	zscqahlp.exe
4740	zscqahlp.exe
4844	zscqahlp.exe
4844	zscqahlp.exe
4924	zscqahlp.exe
4924	zscqahlp.exe
5000	zscqahlp.exe
5000	zscqahlp.exe
5088	zscqahlp.exe
5088	zscqahlp.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	04bd93a2ddcd25faff37e39b498051f6.exe
Token: SeDebugPrivilege	4384	zscqahlp.exe
Token: SeDebugPrivilege	4488	zscqahlp.exe
Token: SeDebugPrivilege	4576	zscqahlp.exe
Token: SeDebugPrivilege	4668	zscqahlp.exe
Token: SeDebugPrivilege	4740	zscqahlp.exe
Token: SeDebugPrivilege	4844	zscqahlp.exe
Token: SeDebugPrivilege	4924	zscqahlp.exe
Token: SeDebugPrivilege	5000	zscqahlp.exe
Token: SeDebugPrivilege	5088	zscqahlp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1508	1956	04bd93a2ddcd25faff37e39b498051f6.exe	28
PID 1956 wrote to memory of 1508	1956	04bd93a2ddcd25faff37e39b498051f6.exe	28
PID 1956 wrote to memory of 1508	1956	04bd93a2ddcd25faff37e39b498051f6.exe	28
PID 1956 wrote to memory of 1508	1956	04bd93a2ddcd25faff37e39b498051f6.exe	28
PID 1956 wrote to memory of 4384	1956	04bd93a2ddcd25faff37e39b498051f6.exe	30
PID 1956 wrote to memory of 4384	1956	04bd93a2ddcd25faff37e39b498051f6.exe	30
PID 1956 wrote to memory of 4384	1956	04bd93a2ddcd25faff37e39b498051f6.exe	30
PID 1956 wrote to memory of 4384	1956	04bd93a2ddcd25faff37e39b498051f6.exe	30
PID 4384 wrote to memory of 4464	4384	zscqahlp.exe	60
PID 4384 wrote to memory of 4464	4384	zscqahlp.exe	60
PID 4384 wrote to memory of 4464	4384	zscqahlp.exe	60
PID 4384 wrote to memory of 4464	4384	zscqahlp.exe	60
PID 4384 wrote to memory of 4488	4384	zscqahlp.exe	59
PID 4384 wrote to memory of 4488	4384	zscqahlp.exe	59
PID 4384 wrote to memory of 4488	4384	zscqahlp.exe	59
PID 4384 wrote to memory of 4488	4384	zscqahlp.exe	59
PID 4488 wrote to memory of 4564	4488	zscqahlp.exe	57
PID 4488 wrote to memory of 4564	4488	zscqahlp.exe	57
PID 4488 wrote to memory of 4564	4488	zscqahlp.exe	57
PID 4488 wrote to memory of 4564	4488	zscqahlp.exe	57
PID 4488 wrote to memory of 4576	4488	zscqahlp.exe	56
PID 4488 wrote to memory of 4576	4488	zscqahlp.exe	56
PID 4488 wrote to memory of 4576	4488	zscqahlp.exe	56
PID 4488 wrote to memory of 4576	4488	zscqahlp.exe	56
PID 4576 wrote to memory of 4644	4576	zscqahlp.exe	54
PID 4576 wrote to memory of 4644	4576	zscqahlp.exe	54
PID 4576 wrote to memory of 4644	4576	zscqahlp.exe	54
PID 4576 wrote to memory of 4644	4576	zscqahlp.exe	54
PID 4576 wrote to memory of 4668	4576	zscqahlp.exe	52
PID 4576 wrote to memory of 4668	4576	zscqahlp.exe	52
PID 4576 wrote to memory of 4668	4576	zscqahlp.exe	52
PID 4576 wrote to memory of 4668	4576	zscqahlp.exe	52
PID 4668 wrote to memory of 4720	4668	zscqahlp.exe	51
PID 4668 wrote to memory of 4720	4668	zscqahlp.exe	51
PID 4668 wrote to memory of 4720	4668	zscqahlp.exe	51
PID 4668 wrote to memory of 4720	4668	zscqahlp.exe	51
PID 4668 wrote to memory of 4740	4668	zscqahlp.exe	50
PID 4668 wrote to memory of 4740	4668	zscqahlp.exe	50
PID 4668 wrote to memory of 4740	4668	zscqahlp.exe	50
PID 4668 wrote to memory of 4740	4668	zscqahlp.exe	50
PID 4740 wrote to memory of 4800	4740	zscqahlp.exe	32
PID 4740 wrote to memory of 4800	4740	zscqahlp.exe	32
PID 4740 wrote to memory of 4800	4740	zscqahlp.exe	32
PID 4740 wrote to memory of 4800	4740	zscqahlp.exe	32
PID 4740 wrote to memory of 4844	4740	zscqahlp.exe	48
PID 4740 wrote to memory of 4844	4740	zscqahlp.exe	48
PID 4740 wrote to memory of 4844	4740	zscqahlp.exe	48
PID 4740 wrote to memory of 4844	4740	zscqahlp.exe	48
PID 4844 wrote to memory of 4904	4844	zscqahlp.exe	47
PID 4844 wrote to memory of 4904	4844	zscqahlp.exe	47
PID 4844 wrote to memory of 4904	4844	zscqahlp.exe	47
PID 4844 wrote to memory of 4904	4844	zscqahlp.exe	47
PID 4844 wrote to memory of 4924	4844	zscqahlp.exe	46
PID 4844 wrote to memory of 4924	4844	zscqahlp.exe	46
PID 4844 wrote to memory of 4924	4844	zscqahlp.exe	46
PID 4844 wrote to memory of 4924	4844	zscqahlp.exe	46
PID 4924 wrote to memory of 4980	4924	zscqahlp.exe	34
PID 4924 wrote to memory of 4980	4924	zscqahlp.exe	34
PID 4924 wrote to memory of 4980	4924	zscqahlp.exe	34
PID 4924 wrote to memory of 4980	4924	zscqahlp.exe	34
PID 4924 wrote to memory of 5000	4924	zscqahlp.exe	35
PID 4924 wrote to memory of 5000	4924	zscqahlp.exe	35
PID 4924 wrote to memory of 5000	4924	zscqahlp.exe	35
PID 4924 wrote to memory of 5000	4924	zscqahlp.exe	35

C:\Users\Admin\AppData\Local\Temp\04bd93a2ddcd25faff37e39b498051f6.exe
"C:\Users\Admin\AppData\Local\Temp\04bd93a2ddcd25faff37e39b498051f6.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259410786.bat
  2⤵
  PID:1508
- C:\Windows\SysWOW64\zscqahlp.exe
  C:\Windows\system32\zscqahlp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\zscqahlp.exe
    C:\Windows\system32\zscqahlp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259442314.bat
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259411238.bat
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259442314.bat
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259441893.bat
  2⤵
  PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259411426.bat
1⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259411800.bat
1⤵
PID:4980

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259412081.bat
  2⤵
  PID:5056
- C:\Windows\SysWOW64\zscqahlp.exe
  C:\Windows\system32\zscqahlp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259412674.bat
1⤵
PID:1908

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1800
- C:\Windows\SysWOW64\zscqahlp.exe
  C:\Windows\system32\zscqahlp.exe
  2⤵
  PID:6000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259422705.bat
    3⤵
    PID:6100
- - C:\Windows\SysWOW64\zscqahlp.exe
    C:\Windows\system32\zscqahlp.exe
    3⤵
    PID:6116
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259468319.bat
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\zscqahlp.exe
      C:\Windows\system32\zscqahlp.exe
      4⤵
      PID:1044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259469739.bat
        5⤵
        
        PID:536
    - - C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        5⤵
        
        PID:1528
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259472297.bat
        6⤵
        
        PID:6008
      - C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        6⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259473155.bat
        7⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        7⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259475589.bat
        8⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        8⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259477242.bat
        9⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        9⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259510205.bat
        10⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259509035.bat
        9⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259508302.bat
        8⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259506056.bat
        7⤵
        
        PID:7436
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259504371.bat
        6⤵
        
        PID:6660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259502390.bat
        5⤵
        
        PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259499176.bat
      4⤵
      PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259498786.bat
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259453218.bat
  2⤵
  PID:5984

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259412362.bat
1⤵
PID:1812

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259447618.bat
  2⤵
  PID:6040

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259411660.bat
1⤵
PID:4904

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259442361.bat
  2⤵
  PID:2216

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259442376.bat
  2⤵
  PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259411379.bat
1⤵
PID:4720

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259442033.bat
  2⤵
  PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259411332.bat
1⤵
PID:4644

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259442376.bat
  2⤵
  PID:6032

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259411285.bat
1⤵
PID:4564

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
PID:6076
- C:\Windows\SysWOW64\zscqahlp.exe
  C:\Windows\system32\zscqahlp.exe
  2⤵
  PID:8108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259479348.bat
    3⤵
    PID:8144
- - C:\Windows\SysWOW64\zscqahlp.exe
    C:\Windows\system32\zscqahlp.exe
    3⤵
    PID:5152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259481907.bat
      4⤵
      PID:5692
  - - C:\Windows\SysWOW64\zscqahlp.exe
      C:\Windows\system32\zscqahlp.exe
      4⤵
      PID:4220
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259501781.bat
        5⤵
        
        PID:4192
    - - C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        5⤵
        
        PID:8024
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259505650.bat
        6⤵
        
        PID:8008
      - C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        6⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259512904.bat
        7⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        7⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259521297.bat
        8⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        8⤵
        
        PID:3908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259534822.bat
      4⤵
      PID:6060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259512702.bat
    3⤵
    PID:8164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259478974.bat
  2⤵
  PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259511079.bat
  2⤵
  PID:5240

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259477679.bat
1⤵
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259410786.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259441893.bat

Filesize
197B

MD5
2aa4193156cf2a46de9d2f5ee1758b87

SHA1
691228e26f489df4043caab1990b7609e3f1420d

SHA256
c8e2d183d93cb7e568128215672d73bda9357c5b90632691f4404ce437569c74

SHA512
2ba6396ead1c008b74b4ba9f176f45dba0126e84336d88844feb264906f51319f6bc86fedbd60c20e07ff02eb5605f3451d0c476266189b1d65acc3c5e21eb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259442314.bat

Filesize
242B

MD5
32cf344d4cbe7bd66daf54960f102543

SHA1
791389f480801b3e255139e044192c40ebc198ca

SHA256
06039815b122471c2e56e35cebe0bca734ba598a0fae8faffce2e851354023a2

SHA512
da583215039e2880bd9c0871ddd34671dacbbec829f561cfa2556188a109f2ed9c5c0b554f897cb24153b29256f42607be0b372f128b3f77ff740a989b881995

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259442361.bat

Filesize
121B

MD5
c2c0873091165aeac1ca8b123e633948

SHA1
00c5eded4d1d987c07591bc2cba9d24f8a1ca643

SHA256
0eeb85cae44714f166d04bc76ffc4232001a4ab111b0bf3e89cb1efe94f49146

SHA512
dbd1e6fda9d9bef507000c9d859b818569e61e493b83da93029232a36edca33f627f62b0d90cb72c062ff5f6d4c7b7e9153989b7b355bed7d7663ccd12a5be12

Download Submit
C:\Windows\SysWOW64\xscqbhlp.sys

Filesize
520B

MD5
071d51dcb49436aafb73e1e5257097b0

SHA1
c73a7a19ffd0921ebe49be4657f567e8380c5966

SHA256
35092ba6b22d9b89063741a3c056835d8e725b54ac2b2edc13138b5971bb01a4

SHA512
371a64990a7176ee26c887a5c0dab1f25ff0c8900c836a0274ad11ff2817a824ee69f7949ab4cc0b25bdde7c9752c309f1917e3503f574959480cee3b4ffde4b

Download Submit
C:\Windows\SysWOW64\ypcqghlp.dll

Filesize
320KB

MD5
1ff1c4954ee3674596dcdcc5ad25279e

SHA1
18a0823df71ded2ff0a4d51ad4c5c16a8d73f8cc

SHA256
e5af51ec871a0e6962edffc305c3d22b697047af334330f91b4344cf90b4acbc

SHA512
d8b75b98c933d8d59f067e20392177c532b0ad93738fb4ed66f2b19c074e2aa29b5c83e06ed521aae628e1201361e7a7671b6bb919331d73a5d8f47f2333bd4d

Download Submit
C:\Windows\SysWOW64\ypcqghlp.dll

Filesize
526KB

MD5
f295784e34bc4345ce692968cf85e308

SHA1
590650c0278bce55f4a93e3a6c715addcb2eb4e5

SHA256
47c44ba5988d8216e45e62cbf3c391aa47419759ed14ac5d113e213f2aea03ee

SHA512
9697e13e17b4335f1bc7dca3ee79af850785446ebeec89fa1143ebac43b8ce4bb132a436572724f5167f4659db4bcd279d91292e582b3dac82a7c5f799e32a78

Download Submit
C:\Windows\SysWOW64\ypcqghlp.dll

Filesize
526KB

MD5
e1b047125ec900b87b04fab83be3739a

SHA1
fc33821162981122fd035f01565d506e24f1aa2c

SHA256
c8a1f61884b68af3d55443e3112c6cbbd2d77e09fbf660c085415982fe1f05d9

SHA512
b91430cfc1d8b16395bf538e45535020a29d08f1ad758bd2374954efa44085620a6643296fe6a8b9a074e19f201906642e2dea4a2b8fb676a0b57fb9a99cf636

Download Submit
C:\Windows\SysWOW64\ypcqghlp.dll

Filesize
209KB

MD5
bb2c15d5bb43bb17a4af32114a6153c3

SHA1
a2d31f5ee76df4230cb7683017bd575eb183c443

SHA256
254c2e7f744b5028c7121fd1fb06edbfb140e2260cc042760c1b15a93380c91c

SHA512
c53b51ccba0ab4633d1487ad27e9cdb260951d64e5337062a1c7a7ce007cba28c731a7ff8dee2d314556a3e18170d28c8f6482053251f8dd47dd494184ae06be

Download Submit
C:\Windows\SysWOW64\zscqahlp.exe

Filesize
9KB

MD5
77f148f084406d06ec2cad64b48017b9

SHA1
4b554b40668201bd2c415e0b2f0ded2355e6708b

SHA256
27b216114bf46203a6f17b410aa019941c9e1c7006a17b6779400eff7edf74c4

SHA512
0e8f39accfcccdde95d50037f989cf6823bba5cc168748cfa5d09fb038b8d755f2478d5ebe0061ef18415dce54b49ce01aa82f18c5fd697ca22fc406ec604ad6

Download Submit
\Windows\SysWOW64\zscqahlp.exe

Filesize
18KB

MD5
04bd93a2ddcd25faff37e39b498051f6

SHA1
25e5ec4580d0f60901850e2ed861af0e897db778

SHA256
94b4b84bcc41a9aa26bf1de7ddba594fff7c1b104a56b842a0093ce756feaace

SHA512
73f639133d87fadccf9fb0b9085c1f75c2b6e582c86f5eb55c9833389597729f206e52077fcdf596437de7b4d9f8dce57d073e63c6edfd58da910896eea27e19

Download Submit
\Windows\SysWOW64\zscqahlp.exe

Filesize
16KB

MD5
45cb2427e90ff5a02785efb32ced37d5

SHA1
99f1c94058a149aef9c2acccf30e57d184ef0425

SHA256
a37901344a674918c046ef88092a2175c05b0b995365b88ff6b4ead8ac509832

SHA512
a3f942ed3b0bbfaed00616ce258dacbad6e73e1977ab1e7c77bfe6286a7213e47092d72f526f7076572b282bbfabaf77162d4d762906be4b93106db6980f603a

Download Submit
memory/1044-4293-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1044-10354-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1044-4292-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1044-10355-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1528-5309-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1528-10409-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1528-10410-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1528-5310-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1800-2170-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1800-2172-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1956-1025-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1956-1033-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1956-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1956-1121-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1956-1098-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4384-1049-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4384-1046-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4384-1136-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4384-1133-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4384-1034-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4488-1681-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/4488-1061-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/4576-2173-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/4576-2171-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/4576-1073-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/4668-2183-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/4668-1092-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/4740-2184-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/4740-1099-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/4844-2185-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4844-1109-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4924-1129-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/5000-1135-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/5088-2165-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/5152-11450-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/5152-11449-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/6000-3265-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/6000-6326-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/6000-6327-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/6000-3263-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/6056-6328-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/6056-10418-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/6076-10357-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/6076-11448-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/6076-10356-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/6076-11447-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/6116-3276-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/6116-7344-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/6816-8371-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/6816-8369-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/6816-10732-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/6816-10421-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/7800-8372-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/7800-10422-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/7800-10733-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/7800-8370-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/7860-10420-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/7860-10419-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/7860-7345-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/7860-8361-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/8108-10408-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/8108-10407-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/8108-11451-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/8108-11452-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download