5dc7fef5375620622c746afdf71bf7ee097630e1946bbcdb454954effaf48c2a

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
Size

105KB
MD5

f401c229cdc95e48b97914dcfacfb078
SHA1

b3a1028fd5ccddc81cd6c8d36830308eb3e472c7
SHA256

5dc7fef5375620622c746afdf71bf7ee097630e1946bbcdb454954effaf48c2a
SHA512

fb62123648957160744a1e36fe5141de590bb493d89be11600c40b8e498491e65e6a39b27ea4a0b7d110ae055d13c2486beda31857ec731bb26060a096667ca9
SSDEEP

3072:cWhb3pXMaTpOz006+RmDe60yCvcE+Ehd3VG:jVpXMMQw+kDe605vt+EP

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	zayjhxpRes081027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\zuoyue = "C:\\Windows\\system32\\inf\\svch0st.exe C:\\Windows\\system32\\lwizyy16_081027.dll zyd1_6"	zayjhxpRes081027.exe

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2748	svch0st.exe
2508	zayjhxpRes081027.exe

Loads dropped DLL 7 IoCs

pid	Process
2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
2748	svch0st.exe
2748	svch0st.exe
2748	svch0st.exe
2748	svch0st.exe
2400	cmd.exe
2400	cmd.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\inf\svch0st.exe	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scrsyszy081027.scr	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mwiszcyys32_081027.dll	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scrszyys16_081027.dll	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lwizyy16_081027.dll	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mwiszcyys32_081027.dll	zayjhxpRes081027.exe
File created	C:\Windows\SysWOW64\inf\svch0st.exe	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system\zayjhxpRes081027.exe	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
File opened for modification	C:\Windows\zuoyu16.ini	zayjhxpRes081027.exe
File opened for modification	C:\Windows\zuoyu16.ini	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	zayjhxpRes081027.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419451741"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA83B491-FC19-11EE-AD12-DE87C8C490F0} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
2508	zayjhxpRes081027.exe
2508	zayjhxpRes081027.exe
2508	zayjhxpRes081027.exe
2508	zayjhxpRes081027.exe
2508	zayjhxpRes081027.exe
2508	zayjhxpRes081027.exe
2508	zayjhxpRes081027.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
Token: SeDebugPrivilege	2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	zayjhxpRes081027.exe
Token: SeDebugPrivilege	2508	zayjhxpRes081027.exe
Token: SeDebugPrivilege	2508	zayjhxpRes081027.exe
Token: SeDebugPrivilege	2508	zayjhxpRes081027.exe
Token: SeDebugPrivilege	2508	zayjhxpRes081027.exe
Token: SeDebugPrivilege	2508	zayjhxpRes081027.exe
Token: SeDebugPrivilege	2508	zayjhxpRes081027.exe
Token: SeDebugPrivilege	2508	zayjhxpRes081027.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2488	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2748	2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2748	2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2748	2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2748	2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2744	2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe	30
PID 2192 wrote to memory of 2744	2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe	30
PID 2192 wrote to memory of 2744	2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe	30
PID 2192 wrote to memory of 2744	2192	f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2400	2748	svch0st.exe	32
PID 2748 wrote to memory of 2400	2748	svch0st.exe	32
PID 2748 wrote to memory of 2400	2748	svch0st.exe	32
PID 2748 wrote to memory of 2400	2748	svch0st.exe	32
PID 2400 wrote to memory of 2508	2400	cmd.exe	34
PID 2400 wrote to memory of 2508	2400	cmd.exe	34
PID 2400 wrote to memory of 2508	2400	cmd.exe	34
PID 2400 wrote to memory of 2508	2400	cmd.exe	34
PID 2508 wrote to memory of 2488	2508	zayjhxpRes081027.exe	35
PID 2508 wrote to memory of 2488	2508	zayjhxpRes081027.exe	35
PID 2508 wrote to memory of 2488	2508	zayjhxpRes081027.exe	35
PID 2508 wrote to memory of 2488	2508	zayjhxpRes081027.exe	35
PID 2488 wrote to memory of 1736	2488	IEXPLORE.EXE	37
PID 2488 wrote to memory of 1736	2488	IEXPLORE.EXE	37
PID 2488 wrote to memory of 1736	2488	IEXPLORE.EXE	37
PID 2488 wrote to memory of 1736	2488	IEXPLORE.EXE	37
PID 2508 wrote to memory of 2488	2508	zayjhxpRes081027.exe	35

C:\Users\Admin\AppData\Local\Temp\f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\inf\svch0st.exe
  "C:\Windows\system32\inf\svch0st.exe" C:\Windows\system32\lwizyy16_081027.dll zyd1_6
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c c:\zycj.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\system\zayjhxpRes081027.exe
      "C:\Windows\system\zayjhxpRes081027.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\f401c229cdc95e48b97914dcfacfb078_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af5c22d879322a23868963a5dabe0e4f

SHA1
24dfc07942855de5d1ce9fa7229e2239abc9033e

SHA256
1a91e8d34e6fa9f80e4f8225b4e3041c8e03044450c638e3b49e121af1d4be21

SHA512
3eb56bb96fe58d64ed829c5a143c35f068981bc7b8f3c5ef557b8397dde6e063503a7bdacc89bc801b7155082e399cb5c7b433faf59e1dc2448ecd68b5a9531d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e35321f14b39fd538429feca093b398d

SHA1
c8dfae35a5d4e310344041159e2db0cff4c54383

SHA256
583a65424d299e6df7e5cb498e8e44192db7d4d778296263fdc5b210dca97481

SHA512
8347c79f95557330e71ad13e3e4188c2eccfc1480857114c00451c98411ba3ae12aa8450a21bc2ecd3cc8e3c25a49a95a11c0ae2a895df14da894d46559fae45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3e5ce8f14d017a665930912abeccf09

SHA1
e570b90f2f42029d6336b6e3cbe220f3b7ede7bc

SHA256
2e30bf99d770358469636c3ad3adc68b5103b779cb6b41d1e9803024fb4ae114

SHA512
01175f40213d0ca3a127e32247d4ba12c069dacfe8922dbaeab072504d4741343573462d85b419f271bb7c91faa4250f14358d8851edd5fdf9afd03f59004233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7cdd5bb328f804e35d008dd86d785ba6

SHA1
92a7989ef3c7be31c85675a9e186ca23f8098d44

SHA256
2e437bdbfaa82b60069a8475e3d4c56bf5293981c9c279c2e8b267aa8a699548

SHA512
01d239b725f7f9bd5fe6a63c2f89cad7e338b13e6f9770f844c541d0714a2454eb190eb63ccd8380b43cf295a22043f4ab3777e019f9c3a94f6fc972874acc01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cfc4912e03b9f098ccbdcc02f00224cb

SHA1
229e1f4319eed5a1c7ad81dd6bba7e6baaf71cf4

SHA256
3a07a7ebe9e60009f6d8b2916ba2c11b01e486332c05991d52a043c451c29cbf

SHA512
05211703b7baafc22894deb7eba9c3d8cb8d47e11464a3f6145c5e3b826537ac6244ac378dcc651a940e5738ec0ff73ee61c24c5fec4151bdb54acd3b58a6110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84027a619b47c691a03b2cfd20436f93

SHA1
911736ce03a70a92e8d54b2f63e3810c723145c6

SHA256
1e5cb0cb548f7d8b6d380834b35ce882b7a5e6924a3dd2b70dd0727e01bf841a

SHA512
6fe1bc62af42b10a2263f270a61ee96e82d295ecdbef58440174b9e34ca70d40ec2d92f0789f22eb3f829a7ba1ab571984e082ad5783065a997e1422bb5a5e94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e335b8c8607045555b241ff4b521fc2

SHA1
cf561aa3c3da58e3b908898febe3cab173b6988c

SHA256
ef99f9081802e01e0a8321a2e36cf008024b68ec01b0eb3e85eac6ab9c75c997

SHA512
b3f295d6ce68e2acbac0e722c970395573fd3644de79d16914c4e391d75e2b00697653594fdeb35cc2f87a84e744ad6747f3d3f743dd76cc80a84631c9ea4859

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed9dc5b9230dcc9df1c29c00f256c154

SHA1
ee1a88c9458be2ac1c0057bb49c21e7ae0c9b7be

SHA256
ce931e5b5e0f58e3abea2af654580a03add34d6b3e8e996c01e4a885ef3cc16d

SHA512
2fd035b97f4292874b65a17c4177f865de068c68794458810a158ef32f72ff9b1c1b27a3212b17a6ac9703026b2c189f2c211be3e39ce091616cf7af6015c215

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6f5c7452d13aaffb424cfb3c0738ce5

SHA1
01af59ddf91c628b801af882c9870b38fc4c50c9

SHA256
337216f8071fae337e48d67635dcb2249a624bda62d89874061346db72b6197e

SHA512
f565921e9d2721842cb5e7384315ba8bc7239d4eb6dcf0b43e0ef656395623961ec03263af04c1462773483bc8f922a08db7d5f55f8b9d53bdffc0ae5caf7216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45bf6ae89446703815645cc3d8dccff2

SHA1
8128e28920368f7a42d2c717679066e5f234c7f4

SHA256
f4241f3cbb28fc55c32b906f5db7b6ee2ad4c9ff96e357b05cc26e203e7d2078

SHA512
fe6f29a664da7c254a2829a5e5bcc00653d95bbada399a90a6cc3fd520ee002d6511c5bf6e8eb8c65c8f201c2618a377f30dc5d0ece111bac98c24999ccb980b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23f10b524e337a4dd2446c5d22ca7a90

SHA1
fd9f280dbcb584b66311e10da148aae9253ee6ea

SHA256
670916e511b9e370a92c322a667d04a88d6ec0aa1ee133343e4fa8e67b39b8c6

SHA512
79c4c21cd124ded37fcb1ba313c2fcfc584560d2c002a6199cc51b6019c09d509a3f60a2a5bca50b35ff9804c580d4a18ebfe8d95b294aef7213e8284d1b263d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65605d3f771e5045bb0a669640ffde5a

SHA1
dc6e7a1651be493d436347ebba986281f549dc79

SHA256
3da02f2584ea83b9f10f22bfdfff5a4936c007f628d80ec8d7a32772b93a3894

SHA512
078e55b3a8d73801611f35fd2e8ad198bf4cee7ff5992c290f9bab1fbe78c84047b39792aa1935fd8ca6fe352fdafd7d08ea892c561641bdc8c0e0451228175d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c41c9cea731599e036a80cafa069f65

SHA1
18616b26c1f262d6700c0ba44cca028d8555ca10

SHA256
08edad0151504e16260291d02c9fe4bed719fc00e66d106cd5214603007c213d

SHA512
900c46e187ff9335007b92348b920d357639eaa52de881969ec3ac6e70ddc660a02039f83ff9fa1e1868b501e8aaab051982359e005a15fb429eff6940103f1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85e978102e97268d216dfa6bee7b179e

SHA1
d7eabad942a938db1562e602bd6f699770e985ed

SHA256
ffd8b604a9d42f92e0f4839783b2f3069eed5acbb417c66a0729881030c652fe

SHA512
e6977a17667a38caa5a3858ed6fef5de7fc0b82660eb0d9f49056546ed1df3481477230adbb4df12048e34db64e10d04c27f9db959b8a363669cd2730ef69215

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8784ab916e2712aebaac2940fbfdb030

SHA1
4c1915f35fa076aad20763b4fe50ba18ab65f700

SHA256
613ac51571b951ff6910ec2db94ec58c08c7498a461bceb274cb102caf73ef8c

SHA512
599cfabe42dfb388fcc9426b3f99d80d8a67ab9f7802d273c975fde3b90fe51b620fd60db55b9e6385172a4ddc81d255e894792c22d77967600b407088d3bd8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff871aa1d685cb6b2ebd72e6921dc75c

SHA1
871745b7fe7ecc8501a43bae58755afc3d924b9f

SHA256
41bd7e2b908c229757cc64aec5e815157bdc5407846c15c6021db6aeb8f4e5bc

SHA512
83645ea473a332351b608977a17976cc97e840444ab940e541f6a32218f63dcaa87c3b1086484b2ccccaf9993bb8e372ae36ed6bc4e78468b0580db9ae794bff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9660cb374891aeac29c98f5127d7375a

SHA1
4dc89c5b84b75b3a7ed0a8d88b9f1c9424f53481

SHA256
5df4294e3ddb76f0db1a48e099cee530f53e0aefa2c3e8aa23fa3da2d4cfe62c

SHA512
6d1020a7102f6b72997f688cd8a212e03742ae30436e9ca58abc14d1d7845fa770f453cc5b9bc0d8d4727913a6aa7db3185c7234ef305a4dbd6b0536c8e05057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ddeb9e785a72be5716ca4333ffac2dec

SHA1
d52b6dc679b0dcc8c75b89f6b2c74d14fe73ee86

SHA256
d79f93008d2ca6cce826cafc8bf9216a0d0865a3f0cb32561f7ee8b6923208c3

SHA512
7ced2fd705ad641a9b6ca8af85d3ea525d213081ae83c60efcff77c5adb9b11dc451abc6a6648ed35f8d92a959fec91fbca0d4cd1564c5657609b28fc69ae602

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8623.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar86F5.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\SysWOW64\lwizyy16_081027.dll

Filesize
30KB

MD5
42615f8ea73b79741d278a24fc3a1144

SHA1
8d31af583dcb39dbffafb2a0be91ab5a0dd858e4

SHA256
57eb9943134c8bf91440d014fb1dfce7f23dfe76c0efbed8b15e31bc569af6c7

SHA512
a668aedbb62afda8eb87f7b3a29b14b2e5b952ea889f6779600a3be7973edc671667dac8f78bf66c11c266a8e1beb3ae34782af1ead1a1a4ed2ba58739c3a610

Download Submit
C:\Windows\SysWOW64\mwiszcyys32_081027.dll

Filesize
203KB

MD5
3c3571ac8633ba876c525a99b4d3d3f0

SHA1
06dbdea7d6f40aee4352851a2c3235a295712938

SHA256
26b3fb5f4448d87f15cee21b1ea8d57ecdbe42e1c92ea261f3097dde4f94344f

SHA512
fd33aca203f18ba1f7a1f1091b33840e8217982fb038a86e61da993a897d27c80c9ed004e56b5dcfc90090d4639fb15918bd8551c34287ddb8bfa0cf18150170

Download Submit
C:\Windows\system\zayjhxpRes081027.exe

Filesize
105KB

MD5
f401c229cdc95e48b97914dcfacfb078

SHA1
b3a1028fd5ccddc81cd6c8d36830308eb3e472c7

SHA256
5dc7fef5375620622c746afdf71bf7ee097630e1946bbcdb454954effaf48c2a

SHA512
fb62123648957160744a1e36fe5141de590bb493d89be11600c40b8e498491e65e6a39b27ea4a0b7d110ae055d13c2486beda31857ec731bb26060a096667ca9

Download Submit
C:\Windows\zuoyu16.ini

Filesize
417B

MD5
634cdb12a88a35ca6fda1fd6379040bf

SHA1
694a5f2ecdd69b46781cb48503a4acbb71ccedb1

SHA256
fedfbb51366a30990e0e744c9457847f8251cc6b34e0bc9f2538de7b1f5cebd1

SHA512
bb79279ef6e0af787cde70f15f1e2a960d7f651277dcbc5e4846007d4e7be61c9b806468336c843c288de279a8c5a676abee2d19ec37f7e552c7502acea5815e

Download Submit
C:\Windows\zuoyu16.ini

Filesize
46B

MD5
a6772028eed7dfd17d66b40f842057d2

SHA1
196eddbc39ee2dcdf931bb4c7aa3b42cad894259

SHA256
4095f412c32f6feb9135ae8a133798e0a3be63a742eeef7680cd9506d0312b73

SHA512
55c0f61b50b368c8aae438d3e11c06ddbe185be748bac867bff61145c910eeca74a4e176863ceafccec67c0f88bae45258bea4d55c2b83add84c84aff9bc103c

Download Submit
C:\Windows\zuoyu16.ini

Filesize
365B

MD5
8d357f93cd01d8fed10e39a4d823485c

SHA1
9417627d258a0d417b14991720888d53711d2fa3

SHA256
8301730e9ff5c89cb46f3feec4c8c9e52b103359bcd2fb5f36720da81912f6fe

SHA512
7999260ff0464fe761e814d271cbb54b5eceeba47db01e9adde3129961a5442c017afd5abc0b4e43e2ee73d6d8fe02aa7456725a01846f349302b06fb88c3a74

Download Submit
C:\Windows\zuoyu16.ini

Filesize
371B

MD5
4388415159f2755816057a6852eed7be

SHA1
804658d36a37ce80575ade00e8c0f57447290e39

SHA256
186983da30d5b5f904153011860871b32cc786bc39ec61045dd10576f3c88cde

SHA512
2836cfd528e2be04757408a4933f0bdaf0b8eb0a1c7660ea9162f05e3bebf84a038ab6fd6b3577ad3908a0245ca7b741621c077405ce5e9fb06657886a098646

Download Submit
C:\Windows\zuoyu16.ini

Filesize
404B

MD5
47ccb306802fecdc02cd18f7e93284c7

SHA1
4a4193781627e18b611c2609abbcf580a7336dd5

SHA256
c9ca701c6cfe21084604aa48abec7da40b56fbd28eb962712f85adc9f87294d7

SHA512
cc753676a109c9ce03caabe3f376573a9693106d306d93be6d430316efdde748d0237b2296670db85de07bf8e8efddec5347fedd244de10710c846d9bf7b5c94

Download Submit
\??\c:\zycj.bat

Filesize
52B

MD5
abcdd372a0edf4ac5f3d481297f37415

SHA1
7f68eadc389919903f6791bfa57c803996bb924c

SHA256
f9bf6f043c1151a0af2fa5f7f3bcc9dd3603b5793b57f438b7942898af9874ba

SHA512
8d2552d1ccd879bd0e56601e7a5b7a1252cd5d89851de54d426738e68148d4f1c9a9d7ea5c39a2996ace6c8412fbc5aafaed29c91c554cb07f518348b953af64

Download Submit
\Windows\SysWOW64\inf\svch0st.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2192-52-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2192-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2400-59-0x00000000001F0000-0x0000000000258000-memory.dmp

Filesize
416KB

Download
memory/2508-60-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2508-553-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2748-66-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2748-1045-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download