gryeemn.exe

登陆器 (Launcher)

趣游时代(北京)科技有限公司

This is a setup program used to install the application. It is configured to run automatically whenever any user logs into Windows, via a Run registry entry named 'dzzs'. The file has been observed being downloaded from down.360zp.com.cn and from multiple other hosts.
Publisher:
趣游游戏 (signed by 趣游时代(北京)科技有限公司)

Product:
登陆器 (Launcher)

Version:
5.9.8.8

MD5:
cd613361726bea5818fabbd6888d7a73

SHA-1:
d073825b9dbd0c68fcccba379d838bd7fc02b7c7

SHA-256:
e730da7099ad6ed06a804f234d714d8791b4520b4efb6369118be7362eb13bb6

Scanner detections:
1 / 68

Status:
Inconclusive (not enough data for an accurate detection)

Analysis date:
5/16/2024 1:13:15 AM UTC

Scan engine:
ESET NOD32

Detection:
Win32/RiskWare.YouXun.B application

Engine version:
8.0.319.0

File size:
2.5 MB (2,625,248 bytes)

Product version:
5.9.8.8

Copyright:
Copyright (C) 2015-2016

Original file name:
gryeemn.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\wangame\gryeemn\gryeemn.exe

Digital Signature
Authority:
WoSign CA Limited

Valid from:
5/12/2014 8:35:39 AM

Valid to:
6/13/2017 8:35:39 AM

Subject:
CN=趣游时代(北京)科技有限公司, E=domain@gamewave.net, O=趣游时代(北京)科技有限公司, L=北京市, S=北京市, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
0DB354C7350005C622921504B559A187

File PE Metadata
Compilation timestamp:
1/21/2016 8:49:09 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:fKM0CPovZ+UxW7LiD9QCLaJ9tGGTeTDb+dUhYqAv78A+24h6AS5ASGsb:c+Ux8I9QztGMeT/0Umnvx4h6AS5ASV

Entry address:
0x5AA08

Entry point:
E8, 9E, 6A, 00, 00, E9, 79, FE, FF, FF, 3B, 0D, F0, 76, 49, 00, 75, 02, F3, C3, E9, 20, 6B, 00, 00, 8B, FF, 55, 8B, EC, 8B, 45, 14, 56, 57, 33, FF, 3B, C7, 74, 47, 39, 7D, 08, 75, 1B, E8, BC, 2D, 00, 00, 6A, 16, 5E, 89, 30, 57, 57, 57, 57, 57, E8, 3E, 0A, 00, 00, 83, C4, 14, 8B, C6, EB, 29, 39, 7D, 10, 74, E0, 39, 45, 0C, 73, 0E, E8, 97, 2D, 00, 00, 6A, 22, 59, 89, 08, 8B, F1, EB, D7, 50, FF, 75, 10, FF, 75, 08, E8, 1B, 10, 00, 00, 83, C4, 0C, 33, C0, 5F, 5E, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 20, 56, 33...

Code size:
477 KB (488,448 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
dzzs

Command:
C:\users\{user}\appdata\roaming\wangame\gryeemn\gryeemn.exe -hh


The file gryeemn.exe has been observed being distributed by the following 2 URLs.

Scan gryeemn.exe - Powered by Reason Core Security