c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
Size

2.2MB
MD5

885090d2bc9024a7b4b43adb3e988e61
SHA1

4cbcf18a343a60f53bd59e081a6cd0fbf809b1e0
SHA256

c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d
SHA512

a89990c7f35221e3a749c70521e2abd03dcfb9238c65f83f96774026c3aef5eb0342e1cc8f7aaa078112fdb139cd858a0a372342a414ccd11e8a43fe92defe8a
SSDEEP

49152:21dHhwSGDIaP7oP4GcakEPoSFZymFHgD0OhRo5jT:6HhPEIapmxPoSFZle0BT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3960	rxjhsf.exe
5076	ztsf.exe
3460	rxjhplaysf.exe
372	fhwg.exe
2352	zxwg.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe

Loads dropped DLL 11 IoCs

pid	Process
3960	rxjhsf.exe
3960	rxjhsf.exe
5076	ztsf.exe
5076	ztsf.exe
2352	zxwg.exe
2352	zxwg.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zgfdet.dll.LoG	ztsf.exe
File created	C:\Windows\SysWOW64\YingInstall\409.ini	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File created	C:\Windows\SysWOW64\jfrwdh.dll	rxjhsf.exe
File created	C:\Windows\SysWOW64\tf0	rxjhsf.exe
File created	C:\Windows\SysWOW64\zgfdet.dll	ztsf.exe
File created	C:\Windows\SysWOW64\tf0	ztsf.exe
File opened for modification	C:\Windows\SysWOW64\jfrwdh.dll.LoG	rxjhsf.exe
File created	C:\Windows\SysWOW64\zgxfdx.dll	zxwg.exe
File created	C:\Windows\SysWOW64\tf0	zxwg.exe
File opened for modification	C:\Windows\SysWOW64\zgxfdx.dll.LoG	zxwg.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhsf.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File created	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\zxwg.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File opened for modification	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\zxwg.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File created	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\¾«Æ·ÈÈÑª½ºþ.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File created	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\fhwg.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File created	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhplaysf.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File opened for modification	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhplaysf.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File created	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhsf.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File opened for modification	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\fhwg.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File created	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\ztsf.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File opened for modification	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\ztsf.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File opened for modification	C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\¾«Æ·ÈÈÑª½ºþ.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Ying-UnInstall.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
File opened for modification	C:\Windows\Ying-UnInstall.exe	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	rxjhsf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	rxjhsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	ztsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E6CA8A1-81BC-4707-A54C-F4903DD70BAD}	zxwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E6CA8A1-81BC-4707-A54C-F4903DD70BAD}\InProcServer32\ThreadingModel = "Apartment"	zxwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{841529CB-7F77-4B99-A895-B5441E0D302F}\InProcServer32\ = "C:\\Windows\\SysWow64\\jfrwdh.dll"	rxjhsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS	rxjhsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER	rxjhsf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	ztsf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E6CA8A1-81BC-4707-A54C-F4903DD70BAD}\ = "MICROSOFT"	zxwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	zxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28EB3777-3E23-4E72-8449-A992D09D24C3}\InProcServer32	ztsf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{841529CB-7F77-4B99-A895-B5441E0D302F}\InProcServer32\ThreadingModel = "Apartment"	rxjhsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	rxjhsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	zxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{841529CB-7F77-4B99-A895-B5441E0D302F}	rxjhsf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{841529CB-7F77-4B99-A895-B5441E0D302F}\ = "MICROSOFT"	rxjhsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{841529CB-7F77-4B99-A895-B5441E0D302F}\InProcServer32	rxjhsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E6CA8A1-81BC-4707-A54C-F4903DD70BAD}\InProcServer32	zxwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E6CA8A1-81BC-4707-A54C-F4903DD70BAD}\InProcServer32\ = "C:\\Windows\\SysWow64\\zgxfdx.dll"	zxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	rxjhsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28EB3777-3E23-4E72-8449-A992D09D24C3}	ztsf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28EB3777-3E23-4E72-8449-A992D09D24C3}\InProcServer32\ = "C:\\Windows\\SysWow64\\zgfdet.dll"	ztsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION	rxjhsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	rxjhsf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28EB3777-3E23-4E72-8449-A992D09D24C3}\ = "MICROSOFT"	ztsf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28EB3777-3E23-4E72-8449-A992D09D24C3}\InProcServer32\ThreadingModel = "Apartment"	ztsf.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3960	rxjhsf.exe
3960	rxjhsf.exe
5076	ztsf.exe
5076	ztsf.exe
2352	zxwg.exe
2352	zxwg.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	3960	rxjhsf.exe
Token: SeRestorePrivilege	3960	rxjhsf.exe
Token: SeBackupPrivilege	3960	rxjhsf.exe
Token: SeRestorePrivilege	3960	rxjhsf.exe
Token: SeBackupPrivilege	5076	ztsf.exe
Token: SeRestorePrivilege	5076	ztsf.exe
Token: SeBackupPrivilege	5076	ztsf.exe
Token: SeRestorePrivilege	5076	ztsf.exe
Token: SeBackupPrivilege	2352	zxwg.exe
Token: SeRestorePrivilege	2352	zxwg.exe
Token: SeBackupPrivilege	2352	zxwg.exe
Token: SeRestorePrivilege	2352	zxwg.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
3960	rxjhsf.exe
3960	rxjhsf.exe
3960	rxjhsf.exe
5076	ztsf.exe
5076	ztsf.exe
5076	ztsf.exe
2352	zxwg.exe
2352	zxwg.exe
2352	zxwg.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe
1380	¾«Æ·ÈÈÑª½ºþ.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3960	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	81
PID 5040 wrote to memory of 3960	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	81
PID 5040 wrote to memory of 3960	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	81
PID 5040 wrote to memory of 5076	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	82
PID 5040 wrote to memory of 5076	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	82
PID 5040 wrote to memory of 5076	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	82
PID 5040 wrote to memory of 3460	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	83
PID 5040 wrote to memory of 3460	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	83
PID 5040 wrote to memory of 3460	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	83
PID 5040 wrote to memory of 372	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	84
PID 5040 wrote to memory of 372	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	84
PID 5040 wrote to memory of 372	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	84
PID 5040 wrote to memory of 2352	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	85
PID 5040 wrote to memory of 2352	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	85
PID 5040 wrote to memory of 2352	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	85
PID 5040 wrote to memory of 1380	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	86
PID 5040 wrote to memory of 1380	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	86
PID 5040 wrote to memory of 1380	5040	c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe	86

C:\Users\Admin\AppData\Local\Temp\c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe
"C:\Users\Admin\AppData\Local\Temp\c44cab677372525ad23d447b5511976f98c0859531a5b75b3555c0665ffef38d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhsf.exe
  "C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhsf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3960
- C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\ztsf.exe
  "C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\ztsf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5076
- C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhplaysf.exe
  "C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhplaysf.exe"
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\fhwg.exe
  "C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\fhwg.exe"
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\zxwg.exe
  "C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\zxwg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2352
- C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\¾«Æ·ÈÈÑª½ºþ.exe
  "C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\¾«Æ·ÈÈÑª½ºþ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\fhwg.exe

Filesize
15KB

MD5
d1cf44d0b1e1f4c35a962ce84c576de5

SHA1
3e4f1ea73dc961acc7c1293bc1870914f3c886d5

SHA256
e7770d771949b32a2b355659acf486d2a8480f694ef3995235e29f25131af2cf

SHA512
2a747d86b2594b227749dd92b72cdf947c3e0eba311e01e668bae384597c908dd692557c379a368e913a08b6cd0ebaf646f1aa2d8b98d74950c1bbbfe04dd64a

Download Submit
C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhplaysf.exe

Filesize
7KB

MD5
3b1b28357290f63a55b8fbdb67e4c841

SHA1
a2a68a27eb4a2787fd41f25e76380ee1777412dc

SHA256
c98496916611983b7f74df61bd900ec1bb39382c275ac83a8f366b813e484df3

SHA512
cad12c6ca044e59cacab8716b60113306b582fdac98be5432bae4a5bf93b680df613abf2706f04ac5730c497052df750c4ff099390c6091f54b65a30d0c8a1bb

Download Submit
C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhsf.exe

Filesize
18KB

MD5
fe7bc3f8e64e5cb241e23649da518ebe

SHA1
49986a8671c0b8eade865fb60f809aab2f69941f

SHA256
a3bb280d7043f823631d142fc0b7cb87d9c8b9313842ed7289f7177c6ce32b3a

SHA512
2a673de516ef25b3861bc0068556a7b85ca57e600829042c94b2517f228b7f5b747b759ff5a5241988e61d58042204e6b597b4da03a26ff4be0e8c393e3610a2

Download Submit
C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\rxjhsf.exe

Filesize
18KB

MD5
fe7bc3f8e64e5cb241e23649da518ebe

SHA1
49986a8671c0b8eade865fb60f809aab2f69941f

SHA256
a3bb280d7043f823631d142fc0b7cb87d9c8b9313842ed7289f7177c6ce32b3a

SHA512
2a673de516ef25b3861bc0068556a7b85ca57e600829042c94b2517f228b7f5b747b759ff5a5241988e61d58042204e6b597b4da03a26ff4be0e8c393e3610a2

Download Submit
C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\ztsf.exe

Filesize
19KB

MD5
06dcc65609bb6babbdc5879d5afe6afa

SHA1
1c27daf6bef48066cf6ba60ad7f149e4b490cb6f

SHA256
4af8a59a31b53bc4efb260a76cb658c17ab09c2acf641ebd24600a4031f3c822

SHA512
1fa3a47f44b051816bd8315eda2d17b39027439f95f1487a5dacf4141d377a0d11a5833c394c144b2533439de717451bd473aef1c190e3aeca6783a713961d83

Download Submit
C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\ztsf.exe

Filesize
19KB

MD5
06dcc65609bb6babbdc5879d5afe6afa

SHA1
1c27daf6bef48066cf6ba60ad7f149e4b490cb6f

SHA256
4af8a59a31b53bc4efb260a76cb658c17ab09c2acf641ebd24600a4031f3c822

SHA512
1fa3a47f44b051816bd8315eda2d17b39027439f95f1487a5dacf4141d377a0d11a5833c394c144b2533439de717451bd473aef1c190e3aeca6783a713961d83

Download Submit
C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\zxwg.exe

Filesize
19KB

MD5
846c04dfd20856697f88a62dd7420b5a

SHA1
3a3cd9bf1162e608e347fb7526d971b5e0d660ee

SHA256
8c91a37a5652225ffae37d055dbc92652ee4f48407a684ba5c9f4b7c9d38829e

SHA512
f91a582b433e65ef61293428e55cb0fa592b855a586d2dfd446e08905dd522563d54715d9865729b379ccabebb5d4a89ede3e28af23e95db9c458b1b605515e8

Download Submit
C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\zxwg.exe

Filesize
19KB

MD5
846c04dfd20856697f88a62dd7420b5a

SHA1
3a3cd9bf1162e608e347fb7526d971b5e0d660ee

SHA256
8c91a37a5652225ffae37d055dbc92652ee4f48407a684ba5c9f4b7c9d38829e

SHA512
f91a582b433e65ef61293428e55cb0fa592b855a586d2dfd446e08905dd522563d54715d9865729b379ccabebb5d4a89ede3e28af23e95db9c458b1b605515e8

Download Submit
C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\¾«Æ·ÈÈÑª½ºþ.exe

Filesize
1.3MB

MD5
8424b9f2df4067a27c7d0fc2fd056858

SHA1
c724d98e77d20a0b4cb089261309350b24710c0d

SHA256
354fa1c76fe183bb24fc0b7c65a482a17496a4741f91286a94af3504f510c6d3

SHA512
442619bef60516b19349ea9bd9c2c03dd60bf28bf3e0f3301b056b462c983727208b4fa16ae084a4a65cf9a069b6a9ae9d2914282fb564ddb98528d79ef3a516

Download Submit
C:\Program Files\ÈÈÑª½ºþË½·þµÇÂ½Æ÷\¾«Æ·ÈÈÑª½ºþ.exe

Filesize
1.3MB

MD5
8424b9f2df4067a27c7d0fc2fd056858

SHA1
c724d98e77d20a0b4cb089261309350b24710c0d

SHA256
354fa1c76fe183bb24fc0b7c65a482a17496a4741f91286a94af3504f510c6d3

SHA512
442619bef60516b19349ea9bd9c2c03dd60bf28bf3e0f3301b056b462c983727208b4fa16ae084a4a65cf9a069b6a9ae9d2914282fb564ddb98528d79ef3a516

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\HtmlView.fne

Filesize
224KB

MD5
9ec9ca1721c38e986d14b8037fdb7200

SHA1
f8db76cc1e127a1d209888c54e6bfa30ab5deaeb

SHA256
9f7b88193fcb2b4cc6d1678eceaff8680a834285de461b7ad8b1ea523c0397b7

SHA512
d663e85fd9bddb379b0a5b249d427e1bef260acb064d74c0b97ad3634ab6fc8448c5c78e92cd7e24e633d7009abc4a170bb44b40f53436682e7a3f4d52edb7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\HtmlView.fne

Filesize
224KB

MD5
9ec9ca1721c38e986d14b8037fdb7200

SHA1
f8db76cc1e127a1d209888c54e6bfa30ab5deaeb

SHA256
9f7b88193fcb2b4cc6d1678eceaff8680a834285de461b7ad8b1ea523c0397b7

SHA512
d663e85fd9bddb379b0a5b249d427e1bef260acb064d74c0b97ad3634ab6fc8448c5c78e92cd7e24e633d7009abc4a170bb44b40f53436682e7a3f4d52edb7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\iext.fnr

Filesize
212KB

MD5
8fc38a56bab9cfe08b48eb6ee3fa997c

SHA1
88b2758f71aa83bca2bc3b1dc791a56372fd9d57

SHA256
10d85bdc14fa7c06f555858d920d0e0b9becf8fde7cc9df315bd130add2dad86

SHA512
319ab901c294577196f69f9890859280bcc744d69731fe2b909d9178eef798dc4d2bba74b6d2e5f397226dc7b7e691bdaf7e7e200a4ee4a9319b497b3166b320

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\iext.fnr

Filesize
212KB

MD5
8fc38a56bab9cfe08b48eb6ee3fa997c

SHA1
88b2758f71aa83bca2bc3b1dc791a56372fd9d57

SHA256
10d85bdc14fa7c06f555858d920d0e0b9becf8fde7cc9df315bd130add2dad86

SHA512
319ab901c294577196f69f9890859280bcc744d69731fe2b909d9178eef798dc4d2bba74b6d2e5f397226dc7b7e691bdaf7e7e200a4ee4a9319b497b3166b320

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
c041498e60183fe841392ec977c68c19

SHA1
ff6bc69d14c6cb121d12ee9656cd0c4d2d702a6e

SHA256
69449597575314e59e8dde419f582e93ee04ec45414b4558b02ada148072a982

SHA512
75066d211c5721a3176a8e52464171d036695993442ba817a0271c033f39bb4c480ac836042611d3c0f25554290f26c000027838f50ff71ce6fde8e7438968c5

Download Submit
C:\Windows\SysWOW64\jfrwdh.dll

Filesize
217KB

MD5
d62f1f32d3d868dcfecfb268c4a0790d

SHA1
3cf598ed6a7005633fb9386684b8f66aa4a19998

SHA256
3c268897b539df8844f3f5ad87edf62f9a8dcba695747f24a54f43642457fac5

SHA512
1448bc2721c3b1b504207ce617dd0afdbc9c84e8ffdb5bf3ae58e9d6465f1f028c0d6abac2e687af5894a3b6f5344b51e73f3ccbe8786f9a20d543e555ba57ec

Download Submit
C:\Windows\SysWOW64\jfrwdh.dll

Filesize
217KB

MD5
d62f1f32d3d868dcfecfb268c4a0790d

SHA1
3cf598ed6a7005633fb9386684b8f66aa4a19998

SHA256
3c268897b539df8844f3f5ad87edf62f9a8dcba695747f24a54f43642457fac5

SHA512
1448bc2721c3b1b504207ce617dd0afdbc9c84e8ffdb5bf3ae58e9d6465f1f028c0d6abac2e687af5894a3b6f5344b51e73f3ccbe8786f9a20d543e555ba57ec

Download Submit
C:\Windows\SysWOW64\zgfdet.dll

Filesize
227KB

MD5
db867826d3def57264a830d9192ff2d3

SHA1
d671720823db9c9b50110105f1d55e0fca5bfd9b

SHA256
df4987d151b8ac7aec74c5cefa9fd44c8b655913c50776a2c063958f5223e26b

SHA512
d53d2c940f6bd6f805e304fcf95196c9ce54d202dd944402c1440bd7f7e5207b3146153f35c96e3b0eed7a97be1ae74181855fb86c26fba5a398de0cd57739d3

Download Submit
C:\Windows\SysWOW64\zgfdet.dll

Filesize
227KB

MD5
db867826d3def57264a830d9192ff2d3

SHA1
d671720823db9c9b50110105f1d55e0fca5bfd9b

SHA256
df4987d151b8ac7aec74c5cefa9fd44c8b655913c50776a2c063958f5223e26b

SHA512
d53d2c940f6bd6f805e304fcf95196c9ce54d202dd944402c1440bd7f7e5207b3146153f35c96e3b0eed7a97be1ae74181855fb86c26fba5a398de0cd57739d3

Download Submit
C:\Windows\SysWOW64\zgxfdx.dll

Filesize
220KB

MD5
752d53bc9e32a2fe81054522db69dd19

SHA1
982e45fae0154518ab3510eb9c5b8f8c3ae2632d

SHA256
4ea52ab43f7bfd966df4af5bc3317302a48022953904053cf9f9aac6e7bd22d0

SHA512
211a3b133d76c701b8b9d183b217d2a820328ddab576cf01b3b0aaba45e2d1aa5dfbc033c3757011d0436ddd224835b10b4b4d0bcf36a4979cbda75fae17f21a

Download Submit
C:\Windows\SysWOW64\zgxfdx.dll

Filesize
220KB

MD5
752d53bc9e32a2fe81054522db69dd19

SHA1
982e45fae0154518ab3510eb9c5b8f8c3ae2632d

SHA256
4ea52ab43f7bfd966df4af5bc3317302a48022953904053cf9f9aac6e7bd22d0

SHA512
211a3b133d76c701b8b9d183b217d2a820328ddab576cf01b3b0aaba45e2d1aa5dfbc033c3757011d0436ddd224835b10b4b4d0bcf36a4979cbda75fae17f21a

Download Submit
memory/1380-162-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1380-165-0x0000000003450000-0x0000000003493000-memory.dmp

Filesize
268KB

Download
memory/2352-153-0x0000000000490000-0x000000000049D000-memory.dmp

Filesize
52KB

Download
memory/3960-137-0x0000000000570000-0x000000000057D000-memory.dmp

Filesize
52KB

Download
memory/5076-143-0x0000000000A00000-0x0000000000A0D000-memory.dmp

Filesize
52KB

Download