4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f

Analysis

max time kernel
188s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f.exe
Size

3.2MB
MD5

44aa089be6cc11035c596d73a0e2429a
SHA1

eae2d930158682f775de100d637043bda10c7f89
SHA256

4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f
SHA512

5d158501d36ca6f560ab20ca490e840d69ee4f799fac2f793cc16acc9468f2b9a3d75d7c4d56ac5414bb79ac6f4f4ddc2893c9875ef466f2178223e6e1c79b31
SSDEEP

98304:QbUDli9g525pBCU4AGtb2QSpBS/G53XhlP:mUDlb2ct6kc3X/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

InstallEx.exeinstall.exedismanager.exewaterframe.exe

pid process

1724 InstallEx.exe
5012 install.exe
808 dismanager.exe
3700 waterframe.exe

pid	process
1724	InstallEx.exe
5012	install.exe
808	dismanager.exe
3700	waterframe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f.exe

Loads dropped DLL 11 IoCs

Processes:

dismanager.exewaterframe.exe

pid	process
808	dismanager.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe

Drops file in System32 directory 50 IoCs

Processes:

install.exewaterframe.exedismanager.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\waterwall.dll	install.exe
File created	C:\Windows\SysWOW64\libeay32.dll	install.exe
File opened for modification	C:\Windows\SysWOW64\RecqAdapter.dll	install.exe
File opened for modification	C:\Windows\SysWOW64\LocalLdr.dat	install.exe
File created	C:\Windows\SysWOW64\acsk.sys	waterframe.exe
File created	C:\Windows\SysWOW64\copyapp.exe	install.exe
File opened for modification	C:\Windows\SysWOW64\SVR.INI	install.exe
File opened for modification	C:\Windows\SysWOW64\wzx_setup.ini	install.exe
File opened for modification	C:\Windows\SysWOW64\ChatLog.{21EC2020-3AEA-1069-A2DD-08002B30309D}\	waterframe.exe
File opened for modification	C:\Windows\SysWOW64\agentmanage.sys	dismanager.exe
File opened for modification	C:\Windows\SysWOW64\copyapp.exe	install.exe
File created	C:\Windows\SysWOW64\rzxsvrseach.dll	install.exe
File created	C:\Windows\SysWOW64\Access.dll	install.exe
File opened for modification	C:\Windows\SysWOW64\QQRecordVer.ini	install.exe
File created	C:\Windows\SysWOW64\QQRecordVer.ini	install.exe
File created	C:\Windows\SysWOW64\plugin\acsk.sys	install.exe
File created	C:\Windows\SysWOW64\plugin\acst.plx	install.exe
File opened for modification	C:\Windows\SysWOW64\dismanager.exe	install.exe
File created	C:\Windows\SysWOW64\waterframe.exe	install.exe
File created	C:\Windows\SysWOW64\waterwall.dll	install.exe
File created	C:\Windows\SysWOW64\SnapPicDll.dll	install.exe
File created	C:\Windows\SysWOW64\Recq.dll	install.exe
File opened for modification	C:\Windows\SysWOW64\plugin\acsy.plx	install.exe
File created	C:\Windows\SysWOW64\plugin\acsw.plx	install.exe
File opened for modification	C:\Windows\SysWOW64\acsk.sys	waterframe.exe
File created	C:\Windows\SysWOW64\dismanager.exe	install.exe
File opened for modification	C:\Windows\SysWOW64\smartX.dll	install.exe
File created	C:\Windows\SysWOW64\SmartList.ini	install.exe
File created	C:\Windows\SysWOW64\wzx_listenport	waterframe.exe
File created	C:\Windows\SysWOW64\option\svraddr.temp	waterframe.exe
File opened for modification	C:\Windows\SysWOW64\rzxsvrseach.dll	install.exe
File created	C:\Windows\SysWOW64\smartX.dll	install.exe
File opened for modification	C:\Windows\SysWOW64\libeay32.dll	install.exe
File opened for modification	C:\Windows\SysWOW64\plugin\acsw.plx	install.exe
File created	C:\Windows\SysWOW64\LocalLdr.dat	install.exe
File opened for modification	C:\Windows\SysWOW64\option\{4143EA51-12BC-49fe-8986-6D7E947F346D}.tmp	dismanager.exe
File created	C:\Windows\SysWOW64\Plugin\activeds0.dll	waterframe.exe
File opened for modification	C:\Windows\SysWOW64\waterframe.exe	install.exe
File opened for modification	C:\Windows\SysWOW64\SnapPicDll.dll	install.exe
File opened for modification	C:\Windows\SysWOW64\Recq.dll	install.exe
File created	C:\Windows\SysWOW64\wzx_setup.ini	install.exe
File opened for modification	C:\Windows\SysWOW64\SmartList.ini	install.exe
File opened for modification	C:\Windows\SysWOW64\plugin\acsk.sys	install.exe
File opened for modification	C:\Windows\SysWOW64\plugin\acst.plx	install.exe
File opened for modification	C:\Windows\SysWOW64\Access.dll	install.exe
File opened for modification	C:\Windows\SysWOW64\agentmanage.sys	install.exe
File created	C:\Windows\SysWOW64\agentmanage.sys	install.exe
File created	C:\Windows\SysWOW64\SVR.INI	install.exe
File created	C:\Windows\SysWOW64\RecqAdapter.dll	install.exe
File created	C:\Windows\SysWOW64\plugin\acsy.plx	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

waterframe.exe

pid	process
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe
3700	waterframe.exe

Suspicious behavior: LoadsDriver 11 IoCs

Processes:

pid process

656
656
656
656
656
656
656
656
656
656
656
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

waterframe.exe

pid process

3700 waterframe.exe
3700 waterframe.exe

pid	process
656
656
656
656
656
656
656
656
656
656
656

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f.exeInstallEx.exeinstall.exedismanager.exe

description	pid	process	target process
PID 4648 wrote to memory of 1724	4648	4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f.exe	InstallEx.exe
PID 4648 wrote to memory of 1724	4648	4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f.exe	InstallEx.exe
PID 4648 wrote to memory of 1724	4648	4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f.exe	InstallEx.exe
PID 1724 wrote to memory of 5012	1724	InstallEx.exe	install.exe
PID 1724 wrote to memory of 5012	1724	InstallEx.exe	install.exe
PID 1724 wrote to memory of 5012	1724	InstallEx.exe	install.exe
PID 5012 wrote to memory of 808	5012	install.exe	dismanager.exe
PID 5012 wrote to memory of 808	5012	install.exe	dismanager.exe
PID 5012 wrote to memory of 808	5012	install.exe	dismanager.exe
PID 808 wrote to memory of 3700	808	dismanager.exe	waterframe.exe
PID 808 wrote to memory of 3700	808	dismanager.exe	waterframe.exe
PID 808 wrote to memory of 3700	808	dismanager.exe	waterframe.exe

C:\Users\Admin\AppData\Local\Temp\4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f.exe
"C:\Users\Admin\AppData\Local\Temp\4afca4468f397028cc236e1f3470fd500f8d64371b1b9e4640fad75f7a49298f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstallEx.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstallEx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\\install.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\dismanager.exe
"C:\Windows\system32\dismanager.exe" for install
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\waterframe.exe
"C:\Windows\SysWOW64\waterframe.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Access.dll
Filesize
120KB

MD5
a6c6e9ce6207da1b42df0eaedb70fea2

SHA1
117269ec4255ee06e7d469bde1e532cae456d74d

SHA256
2d7e9b7cac6e5f873123d594666304fa5d5b889893cd646975d728f7f3c98430

SHA512
c940e7555763abd64b1c8a8559b9cd7850123f64a2f9556de8d44de1e55383af28ec6830c9d171a1c2aa4bdfa7d6a3b240399db3585a0ebb818b0951fe262e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstallEx.exe
Filesize
100KB

MD5
a8b9b861a905a08366170f49a779988a

SHA1
11ed0d1163aef823682b4fa9fd745b1a4311c84d

SHA256
656aad31ec0484edc20154ee16710e9fd11af2d4780a4d581a15f6eb34092a81

SHA512
473876b698701bbee83ef1d72ae6e04bc438200880462382849be9c24123b42ad83712ce350b99d43aa4eea37337fde36e45d7466d98242b123d3341f0a90f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstallEx.exe
Filesize
100KB

MD5
a8b9b861a905a08366170f49a779988a

SHA1
11ed0d1163aef823682b4fa9fd745b1a4311c84d

SHA256
656aad31ec0484edc20154ee16710e9fd11af2d4780a4d581a15f6eb34092a81

SHA512
473876b698701bbee83ef1d72ae6e04bc438200880462382849be9c24123b42ad83712ce350b99d43aa4eea37337fde36e45d7466d98242b123d3341f0a90f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\LocalLdr.dat
Filesize
1024B

MD5
d0cd5e9b1c7b9f432d1921389de2f47e

SHA1
e1ca3feee8832134420ce299012ab174bd1fbc8f

SHA256
f64d50f892065d335330ff2441d45d6125e51c5a7b64669d4f2fce50544035dd

SHA512
1e7b29e046b469d9212990b9cb8b74f342b39b5b530107f05afc176e2b0ebb9299ebcb53964dbc7b495886a649307536f3af711647429ccbc2dd9b764ebcb2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\QQRecordVer.ini
Filesize
302B

MD5
4869ea3b308c496fcc84f30b0b2e841c

SHA1
80628c695640a41fc9dcdbd315863981ab476c71

SHA256
a7448f4f02db593cd3730bcc5ded615ba9f2b9e5991f454680a879d5ec64c404

SHA512
acb451294b10875df90d8cbc49936b8117c339bd289bd020f8377c6bd727db2e28ae1cbcf0034ee31beac50725499e43f88e650b3864505ada6945bc70becd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Recq.dll
Filesize
204KB

MD5
fe12a52cd48a4758066ac8a8c99e902a

SHA1
683773f24aa8efead1d8c3dc7845be2ed319d21b

SHA256
8bb0c33dfaefc6356b0a984172908baa320ff32cf3f7bd37a379762b187643ac

SHA512
209aa8812f6114617f2c072b54f7573c9867524ded2bf4ec797354d7ff31854bb49329f8307f0efe486e2c30bb62a6758b5e306c6fb81e0cb64e3e4650322287

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RecqAdapter.dll
Filesize
1.0MB

MD5
c4bc4112fcbf5fa23cc6cc71de045a99

SHA1
9f0ca0a5e411882df9923486ed5db0ebb6d5829c

SHA256
f2ad13ee62fa23d00333ad073a3f5f7a52b025f247499030d2a8bbd58f2ce983

SHA512
42436922a6997fce742e1f720044de6d2e1ceb8f608c880257ac521786cfe92f38806b29cbfb34f53c7d16991dbb6c35dc2a4b1e9b428558164eb55fb080263a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SVR.INI
Filesize
43B

MD5
90a5f67370883addfc0aae707424d77f

SHA1
1dd2814c5445b8f5fa5cbd811993915aef6794ef

SHA256
785969cb0b7e8ca55b38a19ec2693b2bec6facb2adbc031b2616c93b24842e32

SHA512
3ee1a53c87340550ea3df522de4efb2b3e973fc0fdecc39979c314477367a79990f7716830312bab2dac870ece3c2bc71dfecf33dbe0e6b2fa11c2ed18d38d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SmartList.ini
Filesize
61B

MD5
cc38bedab5227e84093df98d1bb76f8a

SHA1
0b033e1fc62df1e72ddff1663110a1c8f38533c9

SHA256
3a3c82d9628b95039f4c8d02a30ed6c841db4067977fc857b7b9856b6abf38e2

SHA512
245cccb026d42228636bf516ae6c557864e325a8a61fb8b0fd86883cf4d7b2bd1d3a497782c5eb92cdcc2e0dc8f281bf7d470fad2f6087e52434d2856dc57e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SnapPicDll.dll
Filesize
88KB

MD5
0639773abafe26ae0590c3267d109357

SHA1
048ada980ab1822de6b3ffa9c6d21128753ce5ca

SHA256
1c2a0f005aa1b40621977882276692d01560b678486e12b4df25952c3dfbae25

SHA512
46879dfef1a367e4c83255e4f43c5a0b46da6a52fdab55f53d576ce394be1df484fc760ac61ba73d44269c8ef0a094c8ef6e4af8519bbb4d03d1bae170468800

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\agentmanage.sys
Filesize
2KB

MD5
55595fb10a5bf47d3f0290ba2f204aef

SHA1
b0fa6b44c1d7496a7d57f01c760108d01dbf5c74

SHA256
9035f1d8085ed6b3cb7d0c24d1c6734e34d56154423ce126c62a2ae8b4db74f2

SHA512
21169c4e913fc9bafb9242ee3b40807c98f75a968e7b8d7e92dda0e5a9f5e3e19573e4f9571a713f90911e7cf1b2d109e99a2e151666f9b6b2dba3c13655a9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copyapp.exe
Filesize
40KB

MD5
e2e6c6a5227f4f2ad85dc6ad3023255c

SHA1
ad3e4dc6509921d4ec8d8bd9f089d9de92b826f3

SHA256
f10387e591fedd754f999c8cde92c6daa76b6308da520b45bef07eaa0b86f101

SHA512
c0c41f8d61a10b7e3c26c71eea3b42514a676589270e9cfa90b0ffaa499cba3a8463944ded4f86cfd9a87f3aba5aa1f62bbc56f3bfe6313be8af989691e734b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dismanager.exe
Filesize
82KB

MD5
082e8f6eb0177f6a32f73c50c851e95b

SHA1
44e5e403d7450c5a94255628f811c2f7dc21648c

SHA256
4fbd49c81330dbe33b1464b2379a228da32af5c918931b5ca7973f36117fbd9c

SHA512
a8f37475e1d9205d9fc62ae779405d0fdb94c7fb0713671069aba46105664664e413b48847f186dfc6bf1af2fd366c68737f7432dc332530ebee7b13119107e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
Filesize
68KB

MD5
203defe932f3435b50ca793b9c1aae80

SHA1
6238f176337ce9792af205545d9affef5b8377b0

SHA256
65efea1a6e9fd37e3451ceb12cafa76f21bd1ab381adbb5223e5f74ac4e6808b

SHA512
4402d1545797c6532ddda470b1eea1f90abe5abe85301b42b682f53bb74d7d696774dc20bc05e3b9e5d38b3653f0f8f1e1c69a74498f5ff0843a41d23dabdc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
Filesize
68KB

MD5
203defe932f3435b50ca793b9c1aae80

SHA1
6238f176337ce9792af205545d9affef5b8377b0

SHA256
65efea1a6e9fd37e3451ceb12cafa76f21bd1ab381adbb5223e5f74ac4e6808b

SHA512
4402d1545797c6532ddda470b1eea1f90abe5abe85301b42b682f53bb74d7d696774dc20bc05e3b9e5d38b3653f0f8f1e1c69a74498f5ff0843a41d23dabdc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libeay32.dll
Filesize
1004KB

MD5
1966c992dc4a5b50be3e58fc26b8b0d7

SHA1
3f46b7b162456098091e73d90b5fc1a999f80d3d

SHA256
c420d866cdec4892bc3cff736f27e711b7d4894435fecbb08034cb406eb4d2c4

SHA512
3acc3d8deeb23d7f941c0143866327ce2232012566298aff7d236b79b8a279b50675b6bac646bac51d153baadacc22d0f1668310b2657dd4aeac1f37773fd0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\plugin\acsk.sys
Filesize
5KB

MD5
7c0d616446cd673f4aa2c311e8f5092d

SHA1
40d9ac8c60cfd37ae860d88a3e65a404119b1943

SHA256
1f55b15e31b636e9f99a760662895643e99ea7bbc275682161c5240d41c706b3

SHA512
de7f2157c8c456f98102402ee93ba2baa5c90086b88cff4902662614961259b5766a88a46e5b5b12f7f40b15569d858f2071367ae812607e2685f5a9dbc64f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\plugin\acst.plx
Filesize
1.1MB

MD5
cc132b92304c6f54ab8bfbd3e1bfec5d

SHA1
9fa5a39cf0111527d06019c326e0cab99f8b87a9

SHA256
3d6dfc66337af8af748831e05b26be06e854c1177476d0c9d20ab30fe1cdaa92

SHA512
d95d07b742cf6efaab9d30e536f5db90c15bd1ad6ee44783fa90cfeefbee3728c5ad112f754b6a8658fe7c4a4c1c3062b9a6af460768c49b1345dc1bf33a6b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\plugin\acsw.plx
Filesize
1.1MB

MD5
2b6738cda124117e94e6bc8ceb3ad5c2

SHA1
cf04fce84d79789e242e65a46e5d2a91f0f499cf

SHA256
b2b69b425d7cde8993db9e23e4d2dda792d1e4014ad3fcc8094c8aa88db626e7

SHA512
bdf98a3d6728bb1c44d85a61631ffd6f505e88f7b0355040ac7fb3eee00f3ecd8fd0fd4d13db793e9345f93411fa8c2b7e3c80d4961ab1d821523c50ed60eb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\plugin\acsy.plx
Filesize
88KB

MD5
045982919883076812673f91003dac39

SHA1
1cf92f1e2a4921f6db4b4041ac6e2886150ab866

SHA256
a623a5a06ec3b10b87d43feae284bb61c556f5b3f36be3a627a4fe26a1d4d2dc

SHA512
7ae4293d8a3c41bb45fdd30448ef1ed249bd4d5af85ef24a1759bcc0eb4cff45370ca7434370b10532719873de88271367206485ed6e31d4041c57ac39efbe4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rzxsvrseach.dll
Filesize
163KB

MD5
9aca7447ea908cfdcc1fbd1d949e06f7

SHA1
f7a49f8287c450a76e333d1ecd64983080393d4c

SHA256
56f3bb9781abc936d7d3beb22ec07df53eba57d57008f4a591d82b58eac38f5f

SHA512
fa0d1f389ebbb11efbdac8a85e8d2d0aa9b61f43b47523c9b453875a8f7b0705f2cee52a8a6f8d450feda4daf2e9b2f6068be16adadb5a38f1a49b68d982766d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\smartX.dll
Filesize
136KB

MD5
a229c3049abdfbff6bece326f95aafb2

SHA1
00be78eb98f022e78936cf485656d2124a0f96ec

SHA256
d092c97a38063432cc1cba149488811694e55cb5e82b9c084ee3650f6dcb3859

SHA512
9a425ac8cb17ac320b9024f5d4ce2eb842f72f83c91edf0ece4a64bea790c7ad3100d9c1c73eaa67250be552b02e9bb14a4533804bfc57e2beba40917453e623

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\waterframe.exe
Filesize
84KB

MD5
e52837ee1e5e08fe5b40ecdc361e4e45

SHA1
520af2c85de6ed0491f9a6c6a6240739cd4765af

SHA256
9bf9daa8298de97166a5569321e8cc6211489e613de1036878fa6fcc6f64a825

SHA512
aeefff6e6954a6322c053b16b82615b37acc7a5836c20c24dd134caa7c8b0416a7ffaca3fbb5a9296a59cfeb4ee26f8bb49a0e8066390743828fc27436e4cb83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\waterwall.dll
Filesize
188KB

MD5
ec34f8e5154d819963998e4b838b879c

SHA1
46b62fd8aaaf1cbce71d1b71c97dff4acbbfbb14

SHA256
9c54e3ba7f82de9253fb8929df2af6a08c39323838ceb0efa8aed63132787757

SHA512
576d998a4060752264c59cc6839324e5e716e74515b503b42683d61ac443cc8a7d3b9d2e2725e5d5288e53bea8106d15916d2ba3ec35c6f8cedd33ca29a3d5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wzx_setup.ini
Filesize
159B

MD5
ef79de5a8e418fa02f6466570f848f1d

SHA1
dcbc092d715473e235bed1d65c68648ba651dd81

SHA256
9f31da868c27341ee21630c302ac6ad951e8d0b70152ddd2a1d76970884669a5

SHA512
b539ef63897ec9106a52bb02869724bbcca1f0bd898d53a6360ede466593f1b0de01866920d624706bb8de719e38b6e8dd196793497775b8c849c2a0f9b1c969

Download Submit
C:\Windows\SysWOW64\Access.dll
Filesize
120KB

MD5
a6c6e9ce6207da1b42df0eaedb70fea2

SHA1
117269ec4255ee06e7d469bde1e532cae456d74d

SHA256
2d7e9b7cac6e5f873123d594666304fa5d5b889893cd646975d728f7f3c98430

SHA512
c940e7555763abd64b1c8a8559b9cd7850123f64a2f9556de8d44de1e55383af28ec6830c9d171a1c2aa4bdfa7d6a3b240399db3585a0ebb818b0951fe262e1e

Download Submit
C:\Windows\SysWOW64\Access.dll
Filesize
120KB

MD5
a6c6e9ce6207da1b42df0eaedb70fea2

SHA1
117269ec4255ee06e7d469bde1e532cae456d74d

SHA256
2d7e9b7cac6e5f873123d594666304fa5d5b889893cd646975d728f7f3c98430

SHA512
c940e7555763abd64b1c8a8559b9cd7850123f64a2f9556de8d44de1e55383af28ec6830c9d171a1c2aa4bdfa7d6a3b240399db3585a0ebb818b0951fe262e1e

Download Submit
C:\Windows\SysWOW64\Plugin\acsk.sys
Filesize
5KB

MD5
7c0d616446cd673f4aa2c311e8f5092d

SHA1
40d9ac8c60cfd37ae860d88a3e65a404119b1943

SHA256
1f55b15e31b636e9f99a760662895643e99ea7bbc275682161c5240d41c706b3

SHA512
de7f2157c8c456f98102402ee93ba2baa5c90086b88cff4902662614961259b5766a88a46e5b5b12f7f40b15569d858f2071367ae812607e2685f5a9dbc64f68

Download Submit
C:\Windows\SysWOW64\Plugin\acst.plx
Filesize
1.1MB

MD5
cc132b92304c6f54ab8bfbd3e1bfec5d

SHA1
9fa5a39cf0111527d06019c326e0cab99f8b87a9

SHA256
3d6dfc66337af8af748831e05b26be06e854c1177476d0c9d20ab30fe1cdaa92

SHA512
d95d07b742cf6efaab9d30e536f5db90c15bd1ad6ee44783fa90cfeefbee3728c5ad112f754b6a8658fe7c4a4c1c3062b9a6af460768c49b1345dc1bf33a6b7a

Download Submit
C:\Windows\SysWOW64\Plugin\acsw.plx
Filesize
1.1MB

MD5
2b6738cda124117e94e6bc8ceb3ad5c2

SHA1
cf04fce84d79789e242e65a46e5d2a91f0f499cf

SHA256
b2b69b425d7cde8993db9e23e4d2dda792d1e4014ad3fcc8094c8aa88db626e7

SHA512
bdf98a3d6728bb1c44d85a61631ffd6f505e88f7b0355040ac7fb3eee00f3ecd8fd0fd4d13db793e9345f93411fa8c2b7e3c80d4961ab1d821523c50ed60eb41

Download Submit
C:\Windows\SysWOW64\Plugin\acsy.plx
Filesize
88KB

MD5
045982919883076812673f91003dac39

SHA1
1cf92f1e2a4921f6db4b4041ac6e2886150ab866

SHA256
a623a5a06ec3b10b87d43feae284bb61c556f5b3f36be3a627a4fe26a1d4d2dc

SHA512
7ae4293d8a3c41bb45fdd30448ef1ed249bd4d5af85ef24a1759bcc0eb4cff45370ca7434370b10532719873de88271367206485ed6e31d4041c57ac39efbe4d

Download Submit
C:\Windows\SysWOW64\Recq.dll
Filesize
204KB

MD5
fe12a52cd48a4758066ac8a8c99e902a

SHA1
683773f24aa8efead1d8c3dc7845be2ed319d21b

SHA256
8bb0c33dfaefc6356b0a984172908baa320ff32cf3f7bd37a379762b187643ac

SHA512
209aa8812f6114617f2c072b54f7573c9867524ded2bf4ec797354d7ff31854bb49329f8307f0efe486e2c30bb62a6758b5e306c6fb81e0cb64e3e4650322287

Download Submit
C:\Windows\SysWOW64\Recq.dll
Filesize
204KB

MD5
fe12a52cd48a4758066ac8a8c99e902a

SHA1
683773f24aa8efead1d8c3dc7845be2ed319d21b

SHA256
8bb0c33dfaefc6356b0a984172908baa320ff32cf3f7bd37a379762b187643ac

SHA512
209aa8812f6114617f2c072b54f7573c9867524ded2bf4ec797354d7ff31854bb49329f8307f0efe486e2c30bb62a6758b5e306c6fb81e0cb64e3e4650322287

Download Submit
C:\Windows\SysWOW64\RecqAdapter.dll
Filesize
1.0MB

MD5
c4bc4112fcbf5fa23cc6cc71de045a99

SHA1
9f0ca0a5e411882df9923486ed5db0ebb6d5829c

SHA256
f2ad13ee62fa23d00333ad073a3f5f7a52b025f247499030d2a8bbd58f2ce983

SHA512
42436922a6997fce742e1f720044de6d2e1ceb8f608c880257ac521786cfe92f38806b29cbfb34f53c7d16991dbb6c35dc2a4b1e9b428558164eb55fb080263a

Download Submit
C:\Windows\SysWOW64\RecqAdapter.dll
Filesize
1.0MB

MD5
c4bc4112fcbf5fa23cc6cc71de045a99

SHA1
9f0ca0a5e411882df9923486ed5db0ebb6d5829c

SHA256
f2ad13ee62fa23d00333ad073a3f5f7a52b025f247499030d2a8bbd58f2ce983

SHA512
42436922a6997fce742e1f720044de6d2e1ceb8f608c880257ac521786cfe92f38806b29cbfb34f53c7d16991dbb6c35dc2a4b1e9b428558164eb55fb080263a

Download Submit
C:\Windows\SysWOW64\SVR.INI
Filesize
43B

MD5
90a5f67370883addfc0aae707424d77f

SHA1
1dd2814c5445b8f5fa5cbd811993915aef6794ef

SHA256
785969cb0b7e8ca55b38a19ec2693b2bec6facb2adbc031b2616c93b24842e32

SHA512
3ee1a53c87340550ea3df522de4efb2b3e973fc0fdecc39979c314477367a79990f7716830312bab2dac870ece3c2bc71dfecf33dbe0e6b2fa11c2ed18d38d87

Download Submit
C:\Windows\SysWOW64\SmartList.ini
Filesize
61B

MD5
cc38bedab5227e84093df98d1bb76f8a

SHA1
0b033e1fc62df1e72ddff1663110a1c8f38533c9

SHA256
3a3c82d9628b95039f4c8d02a30ed6c841db4067977fc857b7b9856b6abf38e2

SHA512
245cccb026d42228636bf516ae6c557864e325a8a61fb8b0fd86883cf4d7b2bd1d3a497782c5eb92cdcc2e0dc8f281bf7d470fad2f6087e52434d2856dc57e81

Download Submit
C:\Windows\SysWOW64\SnapPicDll.dll
Filesize
88KB

MD5
0639773abafe26ae0590c3267d109357

SHA1
048ada980ab1822de6b3ffa9c6d21128753ce5ca

SHA256
1c2a0f005aa1b40621977882276692d01560b678486e12b4df25952c3dfbae25

SHA512
46879dfef1a367e4c83255e4f43c5a0b46da6a52fdab55f53d576ce394be1df484fc760ac61ba73d44269c8ef0a094c8ef6e4af8519bbb4d03d1bae170468800

Download Submit
C:\Windows\SysWOW64\SnapPicDll.dll
Filesize
88KB

MD5
0639773abafe26ae0590c3267d109357

SHA1
048ada980ab1822de6b3ffa9c6d21128753ce5ca

SHA256
1c2a0f005aa1b40621977882276692d01560b678486e12b4df25952c3dfbae25

SHA512
46879dfef1a367e4c83255e4f43c5a0b46da6a52fdab55f53d576ce394be1df484fc760ac61ba73d44269c8ef0a094c8ef6e4af8519bbb4d03d1bae170468800

Download Submit
C:\Windows\SysWOW64\SnapPicDll.dll
Filesize
88KB

MD5
0639773abafe26ae0590c3267d109357

SHA1
048ada980ab1822de6b3ffa9c6d21128753ce5ca

SHA256
1c2a0f005aa1b40621977882276692d01560b678486e12b4df25952c3dfbae25

SHA512
46879dfef1a367e4c83255e4f43c5a0b46da6a52fdab55f53d576ce394be1df484fc760ac61ba73d44269c8ef0a094c8ef6e4af8519bbb4d03d1bae170468800

Download Submit
C:\Windows\SysWOW64\agentmanage.sys
Filesize
2KB

MD5
55595fb10a5bf47d3f0290ba2f204aef

SHA1
b0fa6b44c1d7496a7d57f01c760108d01dbf5c74

SHA256
9035f1d8085ed6b3cb7d0c24d1c6734e34d56154423ce126c62a2ae8b4db74f2

SHA512
21169c4e913fc9bafb9242ee3b40807c98f75a968e7b8d7e92dda0e5a9f5e3e19573e4f9571a713f90911e7cf1b2d109e99a2e151666f9b6b2dba3c13655a9fd

Download Submit
C:\Windows\SysWOW64\dismanager.exe
Filesize
82KB

MD5
082e8f6eb0177f6a32f73c50c851e95b

SHA1
44e5e403d7450c5a94255628f811c2f7dc21648c

SHA256
4fbd49c81330dbe33b1464b2379a228da32af5c918931b5ca7973f36117fbd9c

SHA512
a8f37475e1d9205d9fc62ae779405d0fdb94c7fb0713671069aba46105664664e413b48847f186dfc6bf1af2fd366c68737f7432dc332530ebee7b13119107e5

Download Submit
C:\Windows\SysWOW64\dismanager.exe
Filesize
82KB

MD5
082e8f6eb0177f6a32f73c50c851e95b

SHA1
44e5e403d7450c5a94255628f811c2f7dc21648c

SHA256
4fbd49c81330dbe33b1464b2379a228da32af5c918931b5ca7973f36117fbd9c

SHA512
a8f37475e1d9205d9fc62ae779405d0fdb94c7fb0713671069aba46105664664e413b48847f186dfc6bf1af2fd366c68737f7432dc332530ebee7b13119107e5

Download Submit
C:\Windows\SysWOW64\plugin\acsw.plx
Filesize
1.1MB

MD5
2b6738cda124117e94e6bc8ceb3ad5c2

SHA1
cf04fce84d79789e242e65a46e5d2a91f0f499cf

SHA256
b2b69b425d7cde8993db9e23e4d2dda792d1e4014ad3fcc8094c8aa88db626e7

SHA512
bdf98a3d6728bb1c44d85a61631ffd6f505e88f7b0355040ac7fb3eee00f3ecd8fd0fd4d13db793e9345f93411fa8c2b7e3c80d4961ab1d821523c50ed60eb41

Download Submit
C:\Windows\SysWOW64\plugin\acsy.plx
Filesize
88KB

MD5
045982919883076812673f91003dac39

SHA1
1cf92f1e2a4921f6db4b4041ac6e2886150ab866

SHA256
a623a5a06ec3b10b87d43feae284bb61c556f5b3f36be3a627a4fe26a1d4d2dc

SHA512
7ae4293d8a3c41bb45fdd30448ef1ed249bd4d5af85ef24a1759bcc0eb4cff45370ca7434370b10532719873de88271367206485ed6e31d4041c57ac39efbe4d

Download Submit
C:\Windows\SysWOW64\plugin\activeds0.dll
Filesize
1.1MB

MD5
cc132b92304c6f54ab8bfbd3e1bfec5d

SHA1
9fa5a39cf0111527d06019c326e0cab99f8b87a9

SHA256
3d6dfc66337af8af748831e05b26be06e854c1177476d0c9d20ab30fe1cdaa92

SHA512
d95d07b742cf6efaab9d30e536f5db90c15bd1ad6ee44783fa90cfeefbee3728c5ad112f754b6a8658fe7c4a4c1c3062b9a6af460768c49b1345dc1bf33a6b7a

Download Submit
C:\Windows\SysWOW64\rzxsvrseach.dll
Filesize
163KB

MD5
9aca7447ea908cfdcc1fbd1d949e06f7

SHA1
f7a49f8287c450a76e333d1ecd64983080393d4c

SHA256
56f3bb9781abc936d7d3beb22ec07df53eba57d57008f4a591d82b58eac38f5f

SHA512
fa0d1f389ebbb11efbdac8a85e8d2d0aa9b61f43b47523c9b453875a8f7b0705f2cee52a8a6f8d450feda4daf2e9b2f6068be16adadb5a38f1a49b68d982766d

Download Submit
C:\Windows\SysWOW64\rzxsvrseach.dll
Filesize
163KB

MD5
9aca7447ea908cfdcc1fbd1d949e06f7

SHA1
f7a49f8287c450a76e333d1ecd64983080393d4c

SHA256
56f3bb9781abc936d7d3beb22ec07df53eba57d57008f4a591d82b58eac38f5f

SHA512
fa0d1f389ebbb11efbdac8a85e8d2d0aa9b61f43b47523c9b453875a8f7b0705f2cee52a8a6f8d450feda4daf2e9b2f6068be16adadb5a38f1a49b68d982766d

Download Submit
C:\Windows\SysWOW64\rzxsvrseach.dll
Filesize
163KB

MD5
9aca7447ea908cfdcc1fbd1d949e06f7

SHA1
f7a49f8287c450a76e333d1ecd64983080393d4c

SHA256
56f3bb9781abc936d7d3beb22ec07df53eba57d57008f4a591d82b58eac38f5f

SHA512
fa0d1f389ebbb11efbdac8a85e8d2d0aa9b61f43b47523c9b453875a8f7b0705f2cee52a8a6f8d450feda4daf2e9b2f6068be16adadb5a38f1a49b68d982766d

Download Submit
C:\Windows\SysWOW64\waterframe.exe
Filesize
84KB

MD5
e52837ee1e5e08fe5b40ecdc361e4e45

SHA1
520af2c85de6ed0491f9a6c6a6240739cd4765af

SHA256
9bf9daa8298de97166a5569321e8cc6211489e613de1036878fa6fcc6f64a825

SHA512
aeefff6e6954a6322c053b16b82615b37acc7a5836c20c24dd134caa7c8b0416a7ffaca3fbb5a9296a59cfeb4ee26f8bb49a0e8066390743828fc27436e4cb83

Download Submit
C:\Windows\SysWOW64\waterframe.exe
Filesize
84KB

MD5
e52837ee1e5e08fe5b40ecdc361e4e45

SHA1
520af2c85de6ed0491f9a6c6a6240739cd4765af

SHA256
9bf9daa8298de97166a5569321e8cc6211489e613de1036878fa6fcc6f64a825

SHA512
aeefff6e6954a6322c053b16b82615b37acc7a5836c20c24dd134caa7c8b0416a7ffaca3fbb5a9296a59cfeb4ee26f8bb49a0e8066390743828fc27436e4cb83

Download Submit
C:\Windows\SysWOW64\waterwall.dll
Filesize
188KB

MD5
ec34f8e5154d819963998e4b838b879c

SHA1
46b62fd8aaaf1cbce71d1b71c97dff4acbbfbb14

SHA256
9c54e3ba7f82de9253fb8929df2af6a08c39323838ceb0efa8aed63132787757

SHA512
576d998a4060752264c59cc6839324e5e716e74515b503b42683d61ac443cc8a7d3b9d2e2725e5d5288e53bea8106d15916d2ba3ec35c6f8cedd33ca29a3d5b8

Download Submit
C:\Windows\SysWOW64\waterwall.dll
Filesize
188KB

MD5
ec34f8e5154d819963998e4b838b879c

SHA1
46b62fd8aaaf1cbce71d1b71c97dff4acbbfbb14

SHA256
9c54e3ba7f82de9253fb8929df2af6a08c39323838ceb0efa8aed63132787757

SHA512
576d998a4060752264c59cc6839324e5e716e74515b503b42683d61ac443cc8a7d3b9d2e2725e5d5288e53bea8106d15916d2ba3ec35c6f8cedd33ca29a3d5b8

Download Submit
C:\Windows\SysWOW64\wzx_setup.ini
Filesize
159B

MD5
ef79de5a8e418fa02f6466570f848f1d

SHA1
dcbc092d715473e235bed1d65c68648ba651dd81

SHA256
9f31da868c27341ee21630c302ac6ad951e8d0b70152ddd2a1d76970884669a5

SHA512
b539ef63897ec9106a52bb02869724bbcca1f0bd898d53a6360ede466593f1b0de01866920d624706bb8de719e38b6e8dd196793497775b8c849c2a0f9b1c969

Download Submit
memory/808-162-0x0000000000000000-mapping.dmp

Download
memory/1724-135-0x0000000000000000-mapping.dmp

Download
memory/3700-186-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/3700-169-0x0000000000000000-mapping.dmp

Download
memory/5012-138-0x0000000000000000-mapping.dmp

Download