dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9

Analysis

max time kernel
40s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe
Size

5.5MB
MD5

9c3901f10998c40021f36d407a87c31a
SHA1

b4f433c15c722bd9485d609bf5d93790369ad853
SHA256

dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9
SHA512

cd6fa94fef2dbcfa7e4a70b680c7321139c4814f5244d4a70ddbb4dced020f3787e409dfae9017e3cf37e760c7ff0ca0de5060d39b5712546580a3c8f8a6ee7c
SSDEEP

98304:+1wWJq72sVxUybf5zSbJM+fmbFOb/2r3CgPTv4WWA7d7TuMSMGzbftvJJvw+kNGq:soVxNF82rHTv4E2zbftXwvGq

Score

8^/10

discovery exploit

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Õ÷Í¾2ºÏÒ»84.exeZT2Box.exe

pid process

1256 Õ÷Í¾2ºÏÒ»84.exe
480 ZT2Box.exe
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

1772 icacls.exe
1708 takeown.exe
1684 icacls.exe
1632 takeown.exe
304 icacls.exe
1308 takeown.exe

pid	process
1772	icacls.exe
1708	takeown.exe
1684	icacls.exe
1632	takeown.exe
304	icacls.exe
1308	takeown.exe

Loads dropped DLL 3 IoCs

Processes:

dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe

pid	process
1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe
1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe
1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1708 takeown.exe
1684 icacls.exe
1632 takeown.exe
304 icacls.exe
1308 takeown.exe
1772 icacls.exe

pid	process
1708	takeown.exe
1684	icacls.exe
1632	takeown.exe
304	icacls.exe
1308	takeown.exe
1772	icacls.exe

Drops file in System32 directory 10 IoCs

Processes:

Õ÷Í¾2ºÏÒ»84.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	Õ÷Í¾2ºÏÒ»84.exe
File opened for modification	C:\Windows\SysWOW64\123467.tmp	Õ÷Í¾2ºÏÒ»84.exe
File opened for modification	C:\Windows\syswow64\123467.tmp	Õ÷Í¾2ºÏÒ»84.exe
File opened for modification	C:\Windows\SysWOW64\123F50B.tmp	Õ÷Í¾2ºÏÒ»84.exe
File opened for modification	C:\Windows\syswow64\123F50B.tmp	Õ÷Í¾2ºÏÒ»84.exe
File opened for modification	C:\Windows\syswow64\123125C.tmp	Õ÷Í¾2ºÏÒ»84.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	Õ÷Í¾2ºÏÒ»84.exe
File created	C:\Windows\SysWOW64\sxload.tmp	Õ÷Í¾2ºÏÒ»84.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	Õ÷Í¾2ºÏÒ»84.exe
File opened for modification	C:\Windows\SysWOW64\123125C.tmp	Õ÷Í¾2ºÏÒ»84.exe

Drops file in Program Files directory 3 IoCs

Processes:

dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exeÕ÷Í¾2ºÏÒ»84.exe

description	ioc	process
File created	C:\program files\common files\microsoft shared\msinfo\ZT2Box.jpg	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe
File created	C:\Program Files (x86)\Common Files\sxzt2.tmp	Õ÷Í¾2ºÏÒ»84.exe
File created	C:\program files\common files\microsoft shared\msinfo\Õ÷Í¾2ºÏÒ»84.jpg	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

992 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Õ÷Í¾2ºÏÒ»84.exe

pid process

1256 Õ÷Í¾2ºÏÒ»84.exe

pid	process
992	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Õ÷Í¾2ºÏÒ»84.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1256	Õ÷Í¾2ºÏÒ»84.exe
Token: SeTakeOwnershipPrivilege	1308	takeown.exe
Token: SeDebugPrivilege	992	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Õ÷Í¾2ºÏÒ»84.exe

pid	process
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe
1256	Õ÷Í¾2ºÏÒ»84.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exeÕ÷Í¾2ºÏÒ»84.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1356 wrote to memory of 1256	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	Õ÷Í¾2ºÏÒ»84.exe
PID 1356 wrote to memory of 1256	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	Õ÷Í¾2ºÏÒ»84.exe
PID 1356 wrote to memory of 1256	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	Õ÷Í¾2ºÏÒ»84.exe
PID 1356 wrote to memory of 1256	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	Õ÷Í¾2ºÏÒ»84.exe
PID 1356 wrote to memory of 480	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	ZT2Box.exe
PID 1356 wrote to memory of 480	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	ZT2Box.exe
PID 1356 wrote to memory of 480	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	ZT2Box.exe
PID 1356 wrote to memory of 480	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	ZT2Box.exe
PID 1356 wrote to memory of 480	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	ZT2Box.exe
PID 1356 wrote to memory of 480	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	ZT2Box.exe
PID 1356 wrote to memory of 480	1356	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	ZT2Box.exe
PID 1256 wrote to memory of 1292	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1256 wrote to memory of 1292	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1256 wrote to memory of 1292	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1256 wrote to memory of 1292	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1292 wrote to memory of 1316	1292	cmd.exe	cmd.exe
PID 1292 wrote to memory of 1316	1292	cmd.exe	cmd.exe
PID 1292 wrote to memory of 1316	1292	cmd.exe	cmd.exe
PID 1292 wrote to memory of 1316	1292	cmd.exe	cmd.exe
PID 1316 wrote to memory of 1308	1316	cmd.exe	takeown.exe
PID 1316 wrote to memory of 1308	1316	cmd.exe	takeown.exe
PID 1316 wrote to memory of 1308	1316	cmd.exe	takeown.exe
PID 1316 wrote to memory of 1308	1316	cmd.exe	takeown.exe
PID 1292 wrote to memory of 1772	1292	cmd.exe	icacls.exe
PID 1292 wrote to memory of 1772	1292	cmd.exe	icacls.exe
PID 1292 wrote to memory of 1772	1292	cmd.exe	icacls.exe
PID 1292 wrote to memory of 1772	1292	cmd.exe	icacls.exe
PID 1256 wrote to memory of 688	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1256 wrote to memory of 688	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1256 wrote to memory of 688	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1256 wrote to memory of 688	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 688 wrote to memory of 872	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 872	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 872	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 872	688	cmd.exe	cmd.exe
PID 872 wrote to memory of 1708	872	cmd.exe	takeown.exe
PID 872 wrote to memory of 1708	872	cmd.exe	takeown.exe
PID 872 wrote to memory of 1708	872	cmd.exe	takeown.exe
PID 872 wrote to memory of 1708	872	cmd.exe	takeown.exe
PID 688 wrote to memory of 1684	688	cmd.exe	icacls.exe
PID 688 wrote to memory of 1684	688	cmd.exe	icacls.exe
PID 688 wrote to memory of 1684	688	cmd.exe	icacls.exe
PID 688 wrote to memory of 1684	688	cmd.exe	icacls.exe
PID 1256 wrote to memory of 1108	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1256 wrote to memory of 1108	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1256 wrote to memory of 1108	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1256 wrote to memory of 1108	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 1108 wrote to memory of 1736	1108	cmd.exe	cmd.exe
PID 1108 wrote to memory of 1736	1108	cmd.exe	cmd.exe
PID 1108 wrote to memory of 1736	1108	cmd.exe	cmd.exe
PID 1108 wrote to memory of 1736	1108	cmd.exe	cmd.exe
PID 1736 wrote to memory of 1632	1736	cmd.exe	takeown.exe
PID 1736 wrote to memory of 1632	1736	cmd.exe	takeown.exe
PID 1736 wrote to memory of 1632	1736	cmd.exe	takeown.exe
PID 1736 wrote to memory of 1632	1736	cmd.exe	takeown.exe
PID 1108 wrote to memory of 304	1108	cmd.exe	icacls.exe
PID 1108 wrote to memory of 304	1108	cmd.exe	icacls.exe
PID 1108 wrote to memory of 304	1108	cmd.exe	icacls.exe
PID 1108 wrote to memory of 304	1108	cmd.exe	icacls.exe
PID 1256 wrote to memory of 992	1256	Õ÷Í¾2ºÏÒ»84.exe	taskkill.exe
PID 1256 wrote to memory of 992	1256	Õ÷Í¾2ºÏÒ»84.exe	taskkill.exe
PID 1256 wrote to memory of 992	1256	Õ÷Í¾2ºÏÒ»84.exe	taskkill.exe
PID 1256 wrote to memory of 992	1256	Õ÷Í¾2ºÏÒ»84.exe	taskkill.exe
PID 1256 wrote to memory of 944	1256	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe
"C:\Users\Admin\AppData\Local\Temp\dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1356

C:\program files\common files\microsoft shared\msinfo\Õ÷Í¾2ºÏÒ»84.exe
"C:\program files\common files\microsoft shared\msinfo\Õ÷Í¾2ºÏÒ»84.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
4⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
4⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1708

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
4⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1632

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:304

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "zhengtu2.dat"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
3⤵
PID:944

C:\program files\common files\microsoft shared\msinfo\ZT2Box.exe
"C:\program files\common files\microsoft shared\msinfo\ZT2Box.exe"
2⤵
- Executes dropped EXE
PID:480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ZT2Box.exe

Filesize
5.4MB

MD5
a30266f462d684a8896c42602b54e568

SHA1
330a7aee6343f23c026e7014d80f05c8f315fba7

SHA256
9b1f9eee8684917dabf27dac97269ec4da067cf73d0d9ef3332d892675bc8d41

SHA512
8cf01825901ea3400205205073fef228b3f326d908910a1e7a58f5a9b10d9e09846f68cd5963306af8d268ac6508e508c313f8846590b64708cc951bf727f224

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\Õ÷Í¾2ºÏÒ»84.exe

Filesize
28KB

MD5
8acf7d3fd0ad17a4cece8332badec44c

SHA1
764afe3712ad0c2f48f6d3d189fe093a9a07fa6f

SHA256
44654a6c0cf11261810c66cb5e6d5719258abab4334bea37505738d658f967f0

SHA512
ca374b99fb3dad4a2b501bdc4af25412888363e1e3a9b14beba45c4f9edd1075541c42fb445fdee84e79f9c7a62b242cf7cea8ea7e8682237afb066dd1495023

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
187B

MD5
0bc7bbe32288f8922cb7964c2be9615d

SHA1
70eb3dffd023503f5da01c60f03fad4a51423767

SHA256
af7dc74cb781752a1da9f28f626609c2697064c8437d56a903649fde0acf4223

SHA512
d7ccc4cbba7a9ff2e3f824ef692296d706566766745dc921421de50693bf73114c96329e12ef1d1be62adfbed3c17392a680774a8a6e37a70e5b622cb478c45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll

Filesize
101KB

MD5
f088aa0e173faa91bf4c9d7f03e19173

SHA1
4a41aa76adda7c1b9807e371d1b823322747bd3d

SHA256
1f1ca4f9eb93766253ddea4f6e010948b8a3048c63a580a6d2765ed959a3d98b

SHA512
8d97a0220116a422197da0528e0c542d133dd9e56d56c5e78b96ac8c9a59d188fcb945f2138d1530610b7887e91da4080c7c483cd1dcde4861d5d01224fecc12

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll

Filesize
11KB

MD5
f96c585709ec7596c14afa3a60fa9d7a

SHA1
681c1cc117abefb3c84ce78df002a43420fd8b6c

SHA256
2d7dec9af8ef7e6458417c0d66d5277c0c9642ffe126195a2db43cb81f192f03

SHA512
eb377b2e57dca47619849b67579c5716d9fc4959d0bf8471f49b3bd54afb6ab89bb928c8868191ea59be4c8541a9bd91490c6c60d15470d57c1b8a0df8d892a4

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll

Filesize
101KB

MD5
f088aa0e173faa91bf4c9d7f03e19173

SHA1
4a41aa76adda7c1b9807e371d1b823322747bd3d

SHA256
1f1ca4f9eb93766253ddea4f6e010948b8a3048c63a580a6d2765ed959a3d98b

SHA512
8d97a0220116a422197da0528e0c542d133dd9e56d56c5e78b96ac8c9a59d188fcb945f2138d1530610b7887e91da4080c7c483cd1dcde4861d5d01224fecc12

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll

Filesize
11KB

MD5
f96c585709ec7596c14afa3a60fa9d7a

SHA1
681c1cc117abefb3c84ce78df002a43420fd8b6c

SHA256
2d7dec9af8ef7e6458417c0d66d5277c0c9642ffe126195a2db43cb81f192f03

SHA512
eb377b2e57dca47619849b67579c5716d9fc4959d0bf8471f49b3bd54afb6ab89bb928c8868191ea59be4c8541a9bd91490c6c60d15470d57c1b8a0df8d892a4

Download Submit
C:\program files\common files\microsoft shared\msinfo\ZT2Box.exe

Filesize
5.4MB

MD5
a30266f462d684a8896c42602b54e568

SHA1
330a7aee6343f23c026e7014d80f05c8f315fba7

SHA256
9b1f9eee8684917dabf27dac97269ec4da067cf73d0d9ef3332d892675bc8d41

SHA512
8cf01825901ea3400205205073fef228b3f326d908910a1e7a58f5a9b10d9e09846f68cd5963306af8d268ac6508e508c313f8846590b64708cc951bf727f224

Download Submit
C:\program files\common files\microsoft shared\msinfo\Õ÷Í¾2ºÏÒ»84.exe

Filesize
28KB

MD5
8acf7d3fd0ad17a4cece8332badec44c

SHA1
764afe3712ad0c2f48f6d3d189fe093a9a07fa6f

SHA256
44654a6c0cf11261810c66cb5e6d5719258abab4334bea37505738d658f967f0

SHA512
ca374b99fb3dad4a2b501bdc4af25412888363e1e3a9b14beba45c4f9edd1075541c42fb445fdee84e79f9c7a62b242cf7cea8ea7e8682237afb066dd1495023

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\ZT2Box.exe

Filesize
5.4MB

MD5
a30266f462d684a8896c42602b54e568

SHA1
330a7aee6343f23c026e7014d80f05c8f315fba7

SHA256
9b1f9eee8684917dabf27dac97269ec4da067cf73d0d9ef3332d892675bc8d41

SHA512
8cf01825901ea3400205205073fef228b3f326d908910a1e7a58f5a9b10d9e09846f68cd5963306af8d268ac6508e508c313f8846590b64708cc951bf727f224

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Õ÷Í¾2ºÏÒ»84.exe

Filesize
28KB

MD5
8acf7d3fd0ad17a4cece8332badec44c

SHA1
764afe3712ad0c2f48f6d3d189fe093a9a07fa6f

SHA256
44654a6c0cf11261810c66cb5e6d5719258abab4334bea37505738d658f967f0

SHA512
ca374b99fb3dad4a2b501bdc4af25412888363e1e3a9b14beba45c4f9edd1075541c42fb445fdee84e79f9c7a62b242cf7cea8ea7e8682237afb066dd1495023

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Õ÷Í¾2ºÏÒ»84.exe

Filesize
28KB

MD5
8acf7d3fd0ad17a4cece8332badec44c

SHA1
764afe3712ad0c2f48f6d3d189fe093a9a07fa6f

SHA256
44654a6c0cf11261810c66cb5e6d5719258abab4334bea37505738d658f967f0

SHA512
ca374b99fb3dad4a2b501bdc4af25412888363e1e3a9b14beba45c4f9edd1075541c42fb445fdee84e79f9c7a62b242cf7cea8ea7e8682237afb066dd1495023

Download Submit
memory/304-87-0x0000000000000000-mapping.dmp

Download
memory/480-61-0x0000000000000000-mapping.dmp

Download
memory/688-73-0x0000000000000000-mapping.dmp

Download
memory/872-75-0x0000000000000000-mapping.dmp

Download
memory/944-95-0x0000000000000000-mapping.dmp

Download
memory/992-94-0x0000000000000000-mapping.dmp

Download
memory/1108-83-0x0000000000000000-mapping.dmp

Download
memory/1256-57-0x0000000000000000-mapping.dmp

Download
memory/1256-71-0x00000000747C1000-0x00000000747C3000-memory.dmp

Filesize
8KB

Download
memory/1256-70-0x0000000074971000-0x0000000074973000-memory.dmp

Filesize
8KB

Download
memory/1292-65-0x0000000000000000-mapping.dmp

Download
memory/1308-68-0x0000000000000000-mapping.dmp

Download
memory/1316-67-0x0000000000000000-mapping.dmp

Download
memory/1356-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1632-86-0x0000000000000000-mapping.dmp

Download
memory/1684-77-0x0000000000000000-mapping.dmp

Download
memory/1708-76-0x0000000000000000-mapping.dmp

Download
memory/1736-85-0x0000000000000000-mapping.dmp

Download
memory/1772-69-0x0000000000000000-mapping.dmp

Download