Malware Analysis Report

2025-08-05 10:48

Sample ID 241017-bd84fsxaqn
Target 5003c5673c08278f3d95eddd000a9864_JaffaCakes118
SHA256 6b7adbf5d4477933d39c9c9c2cac7e67a0bed10882ed02fffc6f3316829a9903
Tags
bootkit discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6b7adbf5d4477933d39c9c9c2cac7e67a0bed10882ed02fffc6f3316829a9903

Threat Level: Shows suspicious behavior

The file 5003c5673c08278f3d95eddd000a9864_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 01:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 01:02

Reported

2024-10-17 01:05

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SPGBB.tmp\Youbak_MSN_PARTNER2036.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
N/A N/A C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
N/A N/A C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\HaoZip\HaoZipC.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZip.chm C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\msvcr80.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipShell.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZip.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipCompress.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipImage.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipFormats.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\UNACEV2.DLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\Rar.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\ZipNew.data C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File opened for modification C:\Program Files (x86)\HaoZip\config\HZ~8527.tmp C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
File opened for modification C:\Program Files (x86)\HaoZip\config\HZ~8547.tmp C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\lang\HaoZipLang_chs.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\好压免责声明.txt C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\7zNew.data C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\TarNew.data C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\RarNew.data C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\config\HaoZip.hzs C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipLoader.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\Benchmark.data C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipVersion.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\sfx\HaoZip7zSetup.sfx C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File opened for modification C:\Program Files (x86)\HaoZip\config\temp\pending.hzt C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A
File opened for modification C:\Program Files (x86)\HaoZip\config\HZ~9CDB.tmp C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A
File opened for modification C:\Program Files (x86)\HaoZip\config\HaoZipLang.ini C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\Microsoft.VC80.CRT.manifest C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipExt.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\config\temp\pending.hzt C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SPGBB.tmp\Youbak_MSN_PARTNER2036.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z30 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r05 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "HaoZip.rar.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.zip.split\shell\open\command C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.z\shell\open\command C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r03\ = "HaoZip.rar.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r98 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z60 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.arj\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r74 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\HaoZipBackup = "7-Zip\\.rar" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.iso\HaoZipBackup = "Windows.IsoFile" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r13 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r61 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r83 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z67\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.dmg\shell\open\command C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.gz C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z80\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lzma86\ = "好压 LZMA86 压缩文件" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z82 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.tar\shellex\ContextMenuHandlers C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lzma\ = "好压 LZMA 压缩文件" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zip C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z56\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z31 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z94 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.iso\shell\open C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.swm\DefaultIcon C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.cab\shell\open C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.cpio\shell\open C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z55 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z88\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.taz\shellex\PropertySheetHandlers C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lha\ = "好压 LHA 压缩文件" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r65\ = "HaoZip.rar.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.zip\shell\open\command C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lzma86 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.cab\shellex\PropertySheetHandlers C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.ace\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r99 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.zip.split\shell\open C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.zip.split\shell\open\command\ = "\"C:\\Program Files (x86)\\HaoZip\\HaoZip.exe\" \"%1\"" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.iso\shellex\ContextMenuHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.iso\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z57 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.jar\shell\open C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lzma86\shell\open C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.tpz\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z99 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.swm\shellex\ContextMenuHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z74\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\DragDropHandlers\HaoZip C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.zip\DefaultIcon\ = "C:\\Program Files (x86)\\HaoZip\\HaoZip.exe,24" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.deb\shellex\ContextMenuHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.tgz\shellex\PropertySheetHandlers C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.isz\shellex\ContextMenuHandlers C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r04\ = "HaoZip.rar.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r31 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z65 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.xpi\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.hfs\DefaultIcon C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.cab\DefaultIcon\ = "C:\\Program Files (x86)\\HaoZip\\HaoZip.exe,0" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z48\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe
PID 2016 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe C:\Users\Admin\AppData\Local\Temp\is-SPGBB.tmp\Youbak_MSN_PARTNER2036.tmp
PID 2380 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe
PID 2284 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe C:\Program Files (x86)\HaoZip\HaoZipLoader.exe
PID 2284 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe" /VERYSILENT /SP- /NORESTART

C:\Users\Admin\AppData\Local\Temp\is-SPGBB.tmp\Youbak_MSN_PARTNER2036.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SPGBB.tmp\Youbak_MSN_PARTNER2036.tmp" /SL5="$6021C,737659,54272,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe" /VERYSILENT /SP- /NORESTART

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe"

C:\Program Files (x86)\HaoZip\HaoZipLoader.exe

"C:\Program Files (x86)\HaoZip\HaoZipLoader.exe" -install01

C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe

"C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe" -install

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.haozip.com udp
CN 218.91.199.54:80 update.haozip.com tcp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe

MD5 d88681c275fd71f42ccaee06e5901fc9
SHA1 3f051192a4ea9722d139cea2e7d7aef860880253
SHA256 980e63c8f1c312d3dda44b1fc79cc937357a36c585fcda7c51a433e36f1600a5
SHA512 f096de74e29554d8960803f272d5c8cd37304d5fcc55d54287d0bd24901c6bf6cf9ca0b33f4d3ee96cdce5fab50248abe9332e5eb47066eb32ee5102737d2d86

memory/2016-12-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2016-14-0x0000000000401000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-SPGBB.tmp\Youbak_MSN_PARTNER2036.tmp

MD5 29bb632f057f068130e8a7877781a05d
SHA1 10060581eb95e61d6ac8176f692a2ae251149b32
SHA256 13065ec81bfdf70d1074f8fb90f6eaecae531b76e71ba1542f3cefc41a9e29c1
SHA512 0b66548ea8690d755566054f42a3886ac983f8402afd8ff27923f092a71c8404e16add8393d314ea056698f51ab0f3260c882c1447b35f73b1830458e70fd405

\Users\Admin\AppData\Local\Temp\is-QA4IO.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2016-32-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2300-31-0x0000000000400000-0x00000000004BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe

MD5 616285502f035c80681455288c513731
SHA1 4fd937ff5add37e10254c11a8f0809d6b7f23521
SHA256 49631d72bdd2902f98b080e4326b82380be234e1d01a8291dcc7431764e90281
SHA512 6d46800f925917af4d510604e544b9491c83a23ce98fb4a1d2bc6d2deefb7d7d052b75b1dd57cb232d4f4a036b013fdfe53d280926342053831b26fc549c34bb

\Users\Admin\AppData\Local\Temp\nst8307.tmp\System.dll

MD5 a82b0479708b96c7bf4dd6b798aedee0
SHA1 7e47b402848a86bdddd5f0de8bb4620471caaab0
SHA256 72410442a894b8316da6ad469f03997ec17c0b0d117745bb6ac5cac3232c7d20
SHA512 02e07def3897d87d546c0cf1492191591be587f64ae5c165b9a91fb977585c65a860135eb8c102b67dede913ea935459ce70c4ca973b292122c8d097ab130d58

C:\Users\Admin\AppData\Local\Temp\nst8307.tmp\FileInfo.dll

MD5 25aa25fcec2065cdf81f77d2153a63a7
SHA1 e09b96d596323201ce5586daa16c9b8ecfaa7654
SHA256 ba62fc93cdd027de00af9cbaf31bf102d47fe9f1d74493ebf6faa2f2c9982435
SHA512 5de8b9ca1b38fba4f63756066d10a0312acafe9c051645fd192e500d1cff23a21845cec2d1fb1002ddf7002f9f6ae3962fd6087f3ab793d9630c33e35d6aba64

memory/2284-77-0x0000000000300000-0x0000000000311000-memory.dmp

\Program Files (x86)\HaoZip\HaoZipLoader.exe

MD5 a43c95953e8ae0cc14cdce57dfb0096b
SHA1 d721d9f34aefbcdf6e8cc59889d5ccc8e1997d0e
SHA256 9aceeeef173e48bdf2167756227e41b71a9dc04c7276105b36fd3607d32f342c
SHA512 87bd9181503fcdaef5191f3836f00b8f103d3280e81594cfaa224dc2824c54ec79241adf4750e6f8fbab0ff5c5048ac2cea6da6e3da6a6e2b68ab71e2f511658

C:\Program Files (x86)\HaoZip\config\HaoZipLang.ini

MD5 0e5d62bbebb35ca5bcac5a8563a799b2
SHA1 271ccec941e18321739d1794578586a149e6ccd2
SHA256 deac5c066a7d8d7a8af6c05dee5217e44fcbe34f6fafd9ea30390af5d6bb1537
SHA512 e1d4e982f6b8b2d0c089b58b2f25d644582bfd58b66892421f095db87884b9efedce7f5dfcfd9825e832f57228a6fc3d8e9dd797ae4414c3daf43dcdf97bfcf9

C:\Program Files (x86)\HaoZip\lang\HaoZipLang_chs.dll

MD5 04919aa4ecfa8aacbf1d6383ee4d92f0
SHA1 1b3e08b6dbd72bb11afe6475b0a9caa5b173f218
SHA256 6a8af8509fa93a42d5fe3eeb871f916e20f28f96a3c2aabcf9d8938366edf94d
SHA512 268a01f622f5105878da331fa93f64f1f43e7e1b099d49f10b7d631bf6d56f28c8d05e960b2551fb09f4f2a7edfc0ca5fa3facc2b432c863e72b5067d601cb73

C:\Program Files (x86)\HaoZip\HaoZipShell.dll

MD5 e58565d563b57d23cabf53ab07dd1a48
SHA1 47875e0b3399eb6bbac4d6d8d7ee7dd449aa0b09
SHA256 ac0b28a399cec5081349cb1ab36b76cb7e0705a51ed14e4029b63ce7e63181b0
SHA512 69aa599a6e9830a2264abb34566181789eb6b3980f938c58d94f3da460765c854ce5e4c99b49aa4a2fa372e6360154839a391a9adc5ac31635315e16c4131c22

memory/2700-93-0x00000000003D0000-0x00000000003F0000-memory.dmp

C:\Program Files (x86)\HaoZip\HaoZipExt.dll

MD5 52f02e82c21a85e7476ee6db6d76d786
SHA1 e7fbdbec5e735cfcbaa89e98d7bcab6ce73b0b0c
SHA256 8dcd8cba677436bd0dc3d44e8ba6ae7b75b15d602881d596b17690f7c4c0e2b6
SHA512 4d1c7d95610f21f36b9ffb1db3004f5e0fef48e89f3b22e50283da85510343d54e7efdfce8f218555d28efc429a734b0f064ac17d5b8c73d4734e1ca6ba42f70

memory/2700-96-0x0000000000420000-0x000000000044F000-memory.dmp

C:\Program Files (x86)\HaoZip\HaoZip.exe

MD5 97efade40e113454d7f51634e67a4c24
SHA1 b26372620aafea7208d462a2afe52f6ed1b5c55a
SHA256 c33464aa06906ad2f17f97f39b30d27552a62d1b93b7a84eef6b4d2d23bc8669
SHA512 6c15bf5d634183cc5fafa7e80ab3d3ab69b87be9c0ccc0dd40b1367695478264c5f57eacd8aaf87cdca88d204c7cce8a4546febdfcd27c264b581af9b82b98a7

C:\Program Files (x86)\HaoZip\HaoZip.chm

MD5 c111d2770455449f129128b88f2f5206
SHA1 8b51f7261ef355270b4a6e76eeb616af1e0447ea
SHA256 a283661a8652195db9c371579189c9359092e900b925393d265a4f5b232e118c
SHA512 e6acd7df4646d4e44d7bae560493b4132272907b6b12600807dfb8f1defc37ab9a177b7887f29d580eee841850987e8f681f24714f91b82ac6851531828e688c

C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe

MD5 fc274b9bbccb119040b4c98d06dd2f94
SHA1 38ada3cdece1a3aa33167b51c4e5383fd34bc513
SHA256 dc37c5698510265763c654a89d06c0e37d0a603054a9d7a0281b3c819acd1d77
SHA512 20d455cf419ec5e89d9a51e20a65c28c19bc3641f821c76ab6a1e4a494195b24f462014852906a11f4719f4c64f0de717a1198ecc4c26ae740d243e56580114d

C:\Program Files (x86)\HaoZip\Uninstall.exe

MD5 1baa91ee2d5ffbc0cd490413eabc2f11
SHA1 4f78183dd73428c805a82975c63072d29ba1f62e
SHA256 0c5ef5708d08d889e3fed130522c7476373357d627400fdb7082a4f16275abd8
SHA512 84eed54ce82aaa879b2a86b5a7c5648dfe834377c19017ba6b34829aa284641634af625a3bf75eaec41f7942136776ec1ddf55961e16920531339c53120b29ad

memory/2380-163-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Program Files (x86)\HaoZip\HaoZipVersion.dll

MD5 d2fa876bdc048d986c6568c84a685f25
SHA1 cf04df82ac26d87b65b420c6b33e8e56c312d791
SHA256 68cf8ab20ea5ffe0f550c0b9dd3630ee450287c528345b213f25a2a1174deb97
SHA512 eac6e35218def092248cb7b2f3b1308e16497d66a20f0e158abc0ba45c01b882a100fc09ac629777bb7a2500a76c83a2e4eaa79a9c163c586a50913bee00a8f7

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 01:02

Reported

2024-10-17 01:05

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\lang\HaoZipLang_chs.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\7zNew.data C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipExt.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\好压免责声明.txt C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\msvcr80.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File opened for modification C:\Program Files (x86)\HaoZip\config\HZ~634E.tmp C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
File opened for modification C:\Program Files (x86)\HaoZip\config\temp\pending.hzt C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZip.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipLoader.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\TarNew.data C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\Microsoft.VC80.CRT.manifest C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipFormats.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\UNACEV2.DLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File opened for modification C:\Program Files (x86)\HaoZip\config\HZ~636E.tmp C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
File created C:\Program Files (x86)\HaoZip\config\temp\pending.hzt C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipImage.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\sfx\HaoZip7zSetup.sfx C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipShell.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZip.chm C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\ZipNew.data C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipCompress.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\config\HaoZip.hzs C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipC.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File opened for modification C:\Program Files (x86)\HaoZip\config\HaoZipLang.ini C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\RarNew.data C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\Rar.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File created C:\Program Files (x86)\HaoZip\Benchmark.data C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
File opened for modification C:\Program Files (x86)\HaoZip\config\HZ~7956.tmp C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A
File created C:\Program Files (x86)\HaoZip\HaoZipVersion.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-50ODE.tmp\Youbak_MSN_PARTNER2036.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z47\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\HaoZip C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.cab\shellex\ContextMenuHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.jar\shell\open\command\ = "\"C:\\Program Files (x86)\\HaoZip\\HaoZip.exe\" \"%1\"" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.zip.split C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lzma86 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "HaoZip.7z" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.tgz\ = "好压 TGZ 压缩文件" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.tgz\DefaultIcon C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.ace\shell\open C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.bzip2\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lzma\shell C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r86\ = "HaoZip.rar.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z32 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.hfs\ = "HaoZip.hfs" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.uue\shellex\PropertySheetHandlers C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "HaoZip.rar.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.hfs\shellex\ContextMenuHandlers C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.rpm\shell C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z41 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z61 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lha\shell\open\command\ = "\"C:\\Program Files (x86)\\HaoZip\\HaoZip.exe\" \"%1\"" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r76\ = "HaoZip.rar.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z37\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r73 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\HaoZip C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.arj\ = "好压 ARJ 压缩文件" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.tbz2\DefaultIcon C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.isz\DefaultIcon\ = "C:\\Program Files (x86)\\HaoZip\\HaoZip.exe,0" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.bz2\DefaultIcon\ = "C:\\Program Files (x86)\\HaoZip\\HaoZip.exe,0" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xpi\ = "HaoZip.xpi" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "HaoZip.tar" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.wim\shell\open\command\ = "\"C:\\Program Files (x86)\\HaoZip\\HaoZip.exe\" \"%1\"" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z55\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.ace C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.isz\shell\open\command C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z48\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\HaoZipBackup = "7-Zip\\.tar" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.tpz C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.tpz\DefaultIcon C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r29 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z12\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z85 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FED836A-C96C-4d88-A91E-F63F07726585}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.jar\shellex\ContextMenuHandlers C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.001\shell\open C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r94\ = "HaoZip.rar.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.isz\shell\open\command\ = "\"C:\\Program Files (x86)\\HaoZip\\HaoZip.exe\" \"%1\"" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r32\ = "HaoZip.rar.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.zip.split\shell\open\command C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.gzip\DefaultIcon C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.xar\shellex C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lzma86\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z32\ = "HaoZip.zip.split" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.swm\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.xz\shell C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z63 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z89 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.z\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585} C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.001\ = "好压 分卷 压缩文件" C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r75 C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz C:\Program Files (x86)\HaoZip\HaoZipLoader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4276 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe
PID 1940 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe C:\Users\Admin\AppData\Local\Temp\is-50ODE.tmp\Youbak_MSN_PARTNER2036.tmp
PID 4276 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe
PID 2148 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe C:\Program Files (x86)\HaoZip\HaoZipLoader.exe
PID 2148 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe" /VERYSILENT /SP- /NORESTART

C:\Users\Admin\AppData\Local\Temp\is-50ODE.tmp\Youbak_MSN_PARTNER2036.tmp

"C:\Users\Admin\AppData\Local\Temp\is-50ODE.tmp\Youbak_MSN_PARTNER2036.tmp" /SL5="$8021E,737659,54272,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe" /VERYSILENT /SP- /NORESTART

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe"

C:\Program Files (x86)\HaoZip\HaoZipLoader.exe

"C:\Program Files (x86)\HaoZip\HaoZipLoader.exe" -install01

C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe

"C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe" -install

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 update.haozip.com udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
CN 218.91.199.54:80 update.haozip.com tcp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe

MD5 d88681c275fd71f42ccaee06e5901fc9
SHA1 3f051192a4ea9722d139cea2e7d7aef860880253
SHA256 980e63c8f1c312d3dda44b1fc79cc937357a36c585fcda7c51a433e36f1600a5
SHA512 f096de74e29554d8960803f272d5c8cd37304d5fcc55d54287d0bd24901c6bf6cf9ca0b33f4d3ee96cdce5fab50248abe9332e5eb47066eb32ee5102737d2d86

memory/1940-14-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1940-16-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-50ODE.tmp\Youbak_MSN_PARTNER2036.tmp

MD5 29bb632f057f068130e8a7877781a05d
SHA1 10060581eb95e61d6ac8176f692a2ae251149b32
SHA256 13065ec81bfdf70d1074f8fb90f6eaecae531b76e71ba1542f3cefc41a9e29c1
SHA512 0b66548ea8690d755566054f42a3886ac983f8402afd8ff27923f092a71c8404e16add8393d314ea056698f51ab0f3260c882c1447b35f73b1830458e70fd405

memory/1188-24-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1188-30-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1940-31-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe

MD5 616285502f035c80681455288c513731
SHA1 4fd937ff5add37e10254c11a8f0809d6b7f23521
SHA256 49631d72bdd2902f98b080e4326b82380be234e1d01a8291dcc7431764e90281
SHA512 6d46800f925917af4d510604e544b9491c83a23ce98fb4a1d2bc6d2deefb7d7d052b75b1dd57cb232d4f4a036b013fdfe53d280926342053831b26fc549c34bb

C:\Users\Admin\AppData\Local\Temp\nsq61AA.tmp\System.dll

MD5 a82b0479708b96c7bf4dd6b798aedee0
SHA1 7e47b402848a86bdddd5f0de8bb4620471caaab0
SHA256 72410442a894b8316da6ad469f03997ec17c0b0d117745bb6ac5cac3232c7d20
SHA512 02e07def3897d87d546c0cf1492191591be587f64ae5c165b9a91fb977585c65a860135eb8c102b67dede913ea935459ce70c4ca973b292122c8d097ab130d58

C:\Users\Admin\AppData\Local\Temp\nsq61AA.tmp\FileInfo.dll

MD5 25aa25fcec2065cdf81f77d2153a63a7
SHA1 e09b96d596323201ce5586daa16c9b8ecfaa7654
SHA256 ba62fc93cdd027de00af9cbaf31bf102d47fe9f1d74493ebf6faa2f2c9982435
SHA512 5de8b9ca1b38fba4f63756066d10a0312acafe9c051645fd192e500d1cff23a21845cec2d1fb1002ddf7002f9f6ae3962fd6087f3ab793d9630c33e35d6aba64

memory/2148-78-0x0000000002510000-0x0000000002521000-memory.dmp

C:\Program Files (x86)\HaoZip\HaoZipLoader.exe

MD5 a43c95953e8ae0cc14cdce57dfb0096b
SHA1 d721d9f34aefbcdf6e8cc59889d5ccc8e1997d0e
SHA256 9aceeeef173e48bdf2167756227e41b71a9dc04c7276105b36fd3607d32f342c
SHA512 87bd9181503fcdaef5191f3836f00b8f103d3280e81594cfaa224dc2824c54ec79241adf4750e6f8fbab0ff5c5048ac2cea6da6e3da6a6e2b68ab71e2f511658

C:\Program Files (x86)\HaoZip\config\HaoZipLang.ini

MD5 0e5d62bbebb35ca5bcac5a8563a799b2
SHA1 271ccec941e18321739d1794578586a149e6ccd2
SHA256 deac5c066a7d8d7a8af6c05dee5217e44fcbe34f6fafd9ea30390af5d6bb1537
SHA512 e1d4e982f6b8b2d0c089b58b2f25d644582bfd58b66892421f095db87884b9efedce7f5dfcfd9825e832f57228a6fc3d8e9dd797ae4414c3daf43dcdf97bfcf9

C:\Program Files (x86)\HaoZip\lang\HaoZipLang_chs.dll

MD5 04919aa4ecfa8aacbf1d6383ee4d92f0
SHA1 1b3e08b6dbd72bb11afe6475b0a9caa5b173f218
SHA256 6a8af8509fa93a42d5fe3eeb871f916e20f28f96a3c2aabcf9d8938366edf94d
SHA512 268a01f622f5105878da331fa93f64f1f43e7e1b099d49f10b7d631bf6d56f28c8d05e960b2551fb09f4f2a7edfc0ca5fa3facc2b432c863e72b5067d601cb73

C:\Program Files (x86)\HaoZip\HaoZipShell.dll

MD5 e58565d563b57d23cabf53ab07dd1a48
SHA1 47875e0b3399eb6bbac4d6d8d7ee7dd449aa0b09
SHA256 ac0b28a399cec5081349cb1ab36b76cb7e0705a51ed14e4029b63ce7e63181b0
SHA512 69aa599a6e9830a2264abb34566181789eb6b3980f938c58d94f3da460765c854ce5e4c99b49aa4a2fa372e6360154839a391a9adc5ac31635315e16c4131c22

memory/848-91-0x00000000020E0000-0x0000000002100000-memory.dmp

C:\Program Files (x86)\HaoZip\HaoZipExt.dll

MD5 52f02e82c21a85e7476ee6db6d76d786
SHA1 e7fbdbec5e735cfcbaa89e98d7bcab6ce73b0b0c
SHA256 8dcd8cba677436bd0dc3d44e8ba6ae7b75b15d602881d596b17690f7c4c0e2b6
SHA512 4d1c7d95610f21f36b9ffb1db3004f5e0fef48e89f3b22e50283da85510343d54e7efdfce8f218555d28efc429a734b0f064ac17d5b8c73d4734e1ca6ba42f70

memory/848-96-0x0000000002A40000-0x0000000002A6F000-memory.dmp

C:\Program Files (x86)\HaoZip\HaoZip.exe

MD5 97efade40e113454d7f51634e67a4c24
SHA1 b26372620aafea7208d462a2afe52f6ed1b5c55a
SHA256 c33464aa06906ad2f17f97f39b30d27552a62d1b93b7a84eef6b4d2d23bc8669
SHA512 6c15bf5d634183cc5fafa7e80ab3d3ab69b87be9c0ccc0dd40b1367695478264c5f57eacd8aaf87cdca88d204c7cce8a4546febdfcd27c264b581af9b82b98a7

C:\Program Files (x86)\HaoZip\HaoZip.chm

MD5 c111d2770455449f129128b88f2f5206
SHA1 8b51f7261ef355270b4a6e76eeb616af1e0447ea
SHA256 a283661a8652195db9c371579189c9359092e900b925393d265a4f5b232e118c
SHA512 e6acd7df4646d4e44d7bae560493b4132272907b6b12600807dfb8f1defc37ab9a177b7887f29d580eee841850987e8f681f24714f91b82ac6851531828e688c

C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe

MD5 fc274b9bbccb119040b4c98d06dd2f94
SHA1 38ada3cdece1a3aa33167b51c4e5383fd34bc513
SHA256 dc37c5698510265763c654a89d06c0e37d0a603054a9d7a0281b3c819acd1d77
SHA512 20d455cf419ec5e89d9a51e20a65c28c19bc3641f821c76ab6a1e4a494195b24f462014852906a11f4719f4c64f0de717a1198ecc4c26ae740d243e56580114d

C:\Program Files (x86)\HaoZip\Uninstall.exe

MD5 1baa91ee2d5ffbc0cd490413eabc2f11
SHA1 4f78183dd73428c805a82975c63072d29ba1f62e
SHA256 0c5ef5708d08d889e3fed130522c7476373357d627400fdb7082a4f16275abd8
SHA512 84eed54ce82aaa879b2a86b5a7c5648dfe834377c19017ba6b34829aa284641634af625a3bf75eaec41f7942136776ec1ddf55961e16920531339c53120b29ad

C:\Program Files (x86)\HaoZip\HaoZipVersion.dll

MD5 d2fa876bdc048d986c6568c84a685f25
SHA1 cf04df82ac26d87b65b420c6b33e8e56c312d791
SHA256 68cf8ab20ea5ffe0f550c0b9dd3630ee450287c528345b213f25a2a1174deb97
SHA512 eac6e35218def092248cb7b2f3b1308e16497d66a20f0e158abc0ba45c01b882a100fc09ac629777bb7a2500a76c83a2e4eaa79a9c163c586a50913bee00a8f7

memory/4276-132-0x0000000000400000-0x0000000000420000-memory.dmp