60734d20d096c3b58850c307c69ced5c448cd02c53afde332d2d1de72b24e781

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
Size

105KB
MD5

077cee4e24241174fc64d7280369a547
SHA1

3c7955955aca7c9885ccbebfc0a4ae4952bcac1f
SHA256

60734d20d096c3b58850c307c69ced5c448cd02c53afde332d2d1de72b24e781
SHA512

5dce7b05e6084591be3be00a3329b9034e518023fbf0260a9f571ff3607cc8a590ab98371beef2d529947604c4b2827a6827c2bd81e8b4ec9fe7dd7cfeeaaaa8
SSDEEP

1536:IdlhmlweOjbuXrd84ypJPMicLgvgqTq898UDgQShwjooPdbJoIxpteHZ4o694U:+WDOPsJ8NJskIyfaogQSh81bJ3tUt6m

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	zayjhxpRes081013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\zuoyue = "C:\\Windows\\system32\\inf\\svch0st.exe C:\\Windows\\system32\\lwizyy16_081013.dll zyd16"	zayjhxpRes081013.exe

Deletes itself 1 IoCs

pid	Process
2576	svch0st.exe

Executes dropped EXE 2 IoCs

pid	Process
2576	svch0st.exe
2460	zayjhxpRes081013.exe

Loads dropped DLL 7 IoCs

pid	Process
1976	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
2576	svch0st.exe
2576	svch0st.exe
2576	svch0st.exe
2576	svch0st.exe
2020	cmd.exe
2020	cmd.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\scrszyys16_081013.dll	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lwizyy16_081013.dll	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mwiszcyys32_081013.dll	zayjhxpRes081013.exe
File created	C:\Windows\SysWOW64\inf\svch0st.exe	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svch0st.exe	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scrsyszy081013.scr	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mwiszcyys32_081013.dll	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zuoyu16.ini	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
File created	C:\Windows\system\zayjhxpRes081013.exe	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
File opened for modification	C:\Windows\zuoyu16.ini	svch0st.exe
File opened for modification	C:\Windows\zuoyu16.ini	zayjhxpRes081013.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	zayjhxpRes081013.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{85922031-2F1D-11EF-92D3-66DD11CD6629} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425060799"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1976	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
1976	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
2460	zayjhxpRes081013.exe
2460	zayjhxpRes081013.exe
2460	zayjhxpRes081013.exe
2460	zayjhxpRes081013.exe
2460	zayjhxpRes081013.exe
2460	zayjhxpRes081013.exe
2460	zayjhxpRes081013.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
Token: SeDebugPrivilege	1976	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
Token: SeDebugPrivilege	2460	zayjhxpRes081013.exe
Token: SeDebugPrivilege	2460	zayjhxpRes081013.exe
Token: SeDebugPrivilege	2460	zayjhxpRes081013.exe
Token: SeDebugPrivilege	2460	zayjhxpRes081013.exe
Token: SeDebugPrivilege	2460	zayjhxpRes081013.exe
Token: SeDebugPrivilege	2460	zayjhxpRes081013.exe
Token: SeDebugPrivilege	2460	zayjhxpRes081013.exe
Token: SeDebugPrivilege	2460	zayjhxpRes081013.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2532	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
1648	IEXPLORE.EXE
1648	IEXPLORE.EXE
1648	IEXPLORE.EXE
1648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2576	1976	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe	28
PID 1976 wrote to memory of 2576	1976	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe	28
PID 1976 wrote to memory of 2576	1976	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe	28
PID 1976 wrote to memory of 2576	1976	077cee4e24241174fc64d7280369a547_JaffaCakes118.exe	28
PID 2576 wrote to memory of 2020	2576	svch0st.exe	29
PID 2576 wrote to memory of 2020	2576	svch0st.exe	29
PID 2576 wrote to memory of 2020	2576	svch0st.exe	29
PID 2576 wrote to memory of 2020	2576	svch0st.exe	29
PID 2020 wrote to memory of 2460	2020	cmd.exe	31
PID 2020 wrote to memory of 2460	2020	cmd.exe	31
PID 2020 wrote to memory of 2460	2020	cmd.exe	31
PID 2020 wrote to memory of 2460	2020	cmd.exe	31
PID 2460 wrote to memory of 2532	2460	zayjhxpRes081013.exe	32
PID 2460 wrote to memory of 2532	2460	zayjhxpRes081013.exe	32
PID 2460 wrote to memory of 2532	2460	zayjhxpRes081013.exe	32
PID 2460 wrote to memory of 2532	2460	zayjhxpRes081013.exe	32
PID 2532 wrote to memory of 1648	2532	IEXPLORE.EXE	34
PID 2532 wrote to memory of 1648	2532	IEXPLORE.EXE	34
PID 2532 wrote to memory of 1648	2532	IEXPLORE.EXE	34
PID 2532 wrote to memory of 1648	2532	IEXPLORE.EXE	34
PID 2460 wrote to memory of 2532	2460	zayjhxpRes081013.exe	32

C:\Users\Admin\AppData\Local\Temp\077cee4e24241174fc64d7280369a547_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\077cee4e24241174fc64d7280369a547_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\inf\svch0st.exe
  "C:\Windows\system32\inf\svch0st.exe" C:\Windows\system32\lwizyy16_081013.dll zyd16
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c c:\zycj.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\system\zayjhxpRes081013.exe
      "C:\Windows\system\zayjhxpRes081013.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29b5cf50295613a6c55fa3c87f91c2cf

SHA1
50803f68a0c2d88dd7a41fce9e16cb9e9b1dfa66

SHA256
7e79ce5ef2a0dafade6627d8235a83024b00f0030b0e08f96fe953c7e81c536d

SHA512
504c044989bf4dd4ce0c834bf566e162ca3dac3fe2b54c292314d121acb32a48b33a6b090725d38421bb9ee484ed6f675dd813608f28591a7d788bdf460e30c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e830b06a89e66bb2e3c2fecff897e0f9

SHA1
adacf3002f590bd2b391a7beddda37debc2817e0

SHA256
cb6b285ec1059ba1214207e3daf5db8612c69077d0e8d75023952ea7dca1ad21

SHA512
a77ebbc60578902c01bc7a11d2f6ee0c0199302613948b0b7986f6236f026606360796be49ca660ac57417625e682d0e68bdfbe64dd24e88db8e161e85533f90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1548baf25236463035280910e1f17272

SHA1
51130dd18bdbc8ffbbac7bde01c0e5a9a5927e8f

SHA256
d63e76cd5994b1ddde4b9759010ff324798766f77be1914f471d9277fe9c264a

SHA512
6e2ca8919565e2b1b485db5d2d833c166b2e6c6670d4a1a00629b305fe81919dc07f81fb4067b7f7aa50ae323d688440f3a921946d51ad436c7233c58134db5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa5bf92244a67c97ea556d5c21e04653

SHA1
c51a5b8dd03b999229fec7ab66dba7f93c8aba5c

SHA256
1b5b92d35325d30530309aa8f24e7308ab4203e2a34a45e0fd6c699e440ba204

SHA512
1de6bd616fbf57748b8874232a1ad9941e8b16f148c6de8abee43b46d936a9b09221c12646c9b510ae258ad7babe6ef8d114afbdccb64af8313b9019766bb0f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfc734c6f4337fd3c1613fd6255fab02

SHA1
b5c55765882cb71261adb0367387b755ddf08cd7

SHA256
e18c0d305202d1b278001d715642db5566d8233290555b5abf6a68831afbed2d

SHA512
c4780362d1501910706274d04057ad056bda00afc5edb3414acd33ac7d275d9804b5b6116f72fbeeab5366cc3313981f26b1c326dfc72cf83f6b69ba145d80c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29afbab08f17374e2654a7efa3be4719

SHA1
74541b4ba1ccfa836f66e7031909e61eccca8518

SHA256
9d33d08ef33dbb817d405e8d6bfb42781dda5d0a7a6ccb0937dc495076cd695b

SHA512
f27765bf94eb6174434cf16d8f9a0b34392d3f2739808a32ff9e8c4cdc26291ee92868b665b3215e3a72f140347b2ccdc62d7f9134405e92af4b47cdb68199a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b387da4c5c6b61da54217514663504f

SHA1
810dcfb4c6c1df3e909a043681bca846e02e55dc

SHA256
cf1a49105b86b5d2f49e05c2ad98e140696b2699d741af51c2fc627ef4c7053b

SHA512
0f8f7533d1fff878c051a87b44b112c682274f5f2fbd2497bc18d3759f15ccda1fd4e453ee57fe2326fb5290634f2eef34ea17f258ce510c47ac43d1b9793571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19500560a077a97c40e9be4d7e0f0267

SHA1
797a8a462f3e7f0e544d91c9daf6b3b8908679da

SHA256
9e588da8e8a8685a1ffd6f5417bedd294a12c139d13c8fcb2fb236a0bddd89d1

SHA512
dfb7621b37fc1bcc1333ffbd090b5ff2215c1cd340c10caf5ae3b4371cd222f44134bd345015b9f18b68e7a92c96e1573b089cf51038d6318f7aeff093ed3ba0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f58b7e439021739ad5a8842e0930a87

SHA1
7ace68fe5fe129648d779e7381fc29bf33687f74

SHA256
857bb2942d3465f22ecad241218fdef0ce82fa6724b38fd24250a2e8b6e6449e

SHA512
342bdba5cc8dda1577ed61b6d5ad09c44d363ad40d5cea3b38fda5407e16931c49406090b608d81dc741ee83f245ca1939d9e5cda7a5693e6f4212fe41fd4cb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bab4577caedde6db1f6c764a3175e51

SHA1
9050cefb355e0837c52a817dbfb0c76d010b9391

SHA256
76583b5e6741c5051ce7fb5e4561d3af07f340cf6e3ce102e2637208229f6722

SHA512
8c82f8606b86d4f991a86200b43f4f8deaef7f83c26658a9c8a7402e7e5f8640e9fd029a810f8524ef436da57581c3dc38a7fdf5658cbad05e3dba083340efb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f33b49b3180674647af80e479092f43

SHA1
8b2fd0401a55b6f656972d08dc6f9718f79f5805

SHA256
6c5c0a2eba6a32f4b7762f21fe7b38e067e3479549d3f764a9f0f7b2e782e355

SHA512
4d188d1cca0beef2b431500851971123845b556fdebb95b5a5a6b4f1f85c300d5e40f9309751980fa0a4083d8faf4f2e095543e4920516d59798e1ca2fada13c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
369743645842a97a39f1ca63c54e24eb

SHA1
f03e97aa3917b621b84f0c5539ac149bc54bb6a6

SHA256
797f640549a42bd5140d6ec1e05ef9d59b2b03fcb31aded39fff8937fb062461

SHA512
643022c50dfd75e856bd4e47e0e1b60042f9ac1b459ba9f19b7093a36df4a6f1ee9f4ecbe11c3211b733419ab2d4619ac2a7d26e42f94ddb6042c4703d2ea07b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37025b1e985ee8514a7dd046e38ea092

SHA1
eda3b4889534352894dfb2cac9f92394d943e5c3

SHA256
ddc037339e555cecd23aa9e37f1644e0b06a1789fe633af592b7fd41ce6eccfc

SHA512
6b477dbfdc00e4cefe29fa83de54d48f790c69e6d70fab8ca864084488b0941f798f8215837b6ca2a016df60b7ca894d636393bd45e5594bd4913c2d81c6fd42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9561f5efd6ece7abef4b6883c1807ceb

SHA1
125a22830d6200eb2d1d1373935fafc2a50c2190

SHA256
65909337f6d81fcfb25c10f35e1b69cf3c76b7190ac3e7a9b0e67eb63993e252

SHA512
f8e4a98c411a5b31ad11abb2825e83e9e4b39e867bf0613dae654fd78164065ddd8947593f3df3c655557423e9e1855d26e85f3777f0f8009656ff90efc48f1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
439b8f71fc23ed5a516665a4ab5e0281

SHA1
523a4c94580c1b3a5a02f3b7d274892538af6eb4

SHA256
a4bfa2a7720d42d4fb0b2ec46ecee29646092beda2c6b0e39bfff4860fd408f1

SHA512
296aed1b64a7785145c11a558b6ef8842ae0caf0dc2bbac68468f24301111926bfba15fb048c32c8e40aa777da277d95613a9d2cca3a77a0ed02c0c2e3931162

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deadb51faaacc666275d0f7550e20406

SHA1
6ae363723e8bd7f9351cf63ca065d11778a6e364

SHA256
f6fd1d7fc51702fe22456e387fb961bd677ec747abf4a1872aea46c694ed5e55

SHA512
a94aefb23d65b6ad456fc024973122e01b6e39a7ea73be27b9702dc9d3571170ed71f2efc423a637bddc9797f7597bd21ccd7981dd0b1797b481350bd5f62682

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8af6355683c2607f6f489abd67de1ac1

SHA1
99f0290cdc28aa6b5bae191bc532eb64b4630c96

SHA256
b9901c2afb73be455633d75cb69c598471b418354aa0dc8432022a651a9dcd76

SHA512
f9e24927cf458d11206141f1db4679bc647d771acc3339e5148c1c4ee496e1ebfa08d0853f340a19fe7d06b89a1b4bcd211f903d7657a376fd07f6c0c30d7186

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20ed74bc6affa944b849a35429ba0fd7

SHA1
45b36c3568120d7856e1a6b3fdb42d0f0a817533

SHA256
8511556832602e55657c44dc0a4129390ce199f22bd6ddf6ba328b6cfdc94264

SHA512
4769d679cf2878470521a40a2c7de1d88cabaab30a1e5e679bfc57ec6461bdf4cfa024565dbb8180be026d86ef21108975cbff03e243367da462ac3da82afa05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17b3b667cd404aedbdd8feaffef43c30

SHA1
ddd70c9bba23b14a3da3482192c569f465a22e68

SHA256
160c55ae3af1e13383b6a91417807f35a2bf048d26ac7f1e33011d9f02e31c5c

SHA512
56f14bf5703da0ac0b093c43c3257cfb0f8b4a312c862c32df88597d40f3555f1516285b29e6788bd2cc83e0edbfe81356eb7168dba122f44122f60b3128b9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab930D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar940F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\lwizyy16_081013.dll

Filesize
29KB

MD5
d2688f5ec7af00c5a9a753d8b8ce3011

SHA1
e3449494d06ee38f81d656ff8cc5b6a862769c1d

SHA256
05c0a64845a0fda5f0243d7b77c63199cdff73a0bb9e9f95476e841fa62f3d47

SHA512
3e8d34e3338c9a03e0e51c3c06cae622fc9f68f8e2aca3a37001c2a05d443fc606f90bef710c0cb486142c600ffd9f220a9c03e5af79b43ae21a13475752731a

Download Submit
C:\Windows\SysWOW64\mwiszcyys32_081013.dll

Filesize
203KB

MD5
36c015fa74555c01732eb8757cf3acc0

SHA1
eb1da1e37ea7595e4703018baa3b555a8f38fbb4

SHA256
56f13d8680c138599ff832aa9fcc6fb3a8153a63c62f7852e2642dbf05dc103c

SHA512
5bb5bceb926e9a1391f89fbcdb6e9db3397fc6ed2ac9f1513c8748a601a2bf1b048af86611ec28d9e06d7b9d8b9bb076fbfc076da6b3d3731da00388e1631dcd

Download Submit
C:\Windows\system\zayjhxpRes081013.exe

Filesize
105KB

MD5
077cee4e24241174fc64d7280369a547

SHA1
3c7955955aca7c9885ccbebfc0a4ae4952bcac1f

SHA256
60734d20d096c3b58850c307c69ced5c448cd02c53afde332d2d1de72b24e781

SHA512
5dce7b05e6084591be3be00a3329b9034e518023fbf0260a9f571ff3607cc8a590ab98371beef2d529947604c4b2827a6827c2bd81e8b4ec9fe7dd7cfeeaaaa8

Download Submit
C:\Windows\zuoyu16.ini

Filesize
96B

MD5
5d50ce9dc9f9264b8d2d2a48dda63972

SHA1
06726f23c01354e685a34e663b470cffc0657d7d

SHA256
65b3889f2815ff20919aaf9f903330e781a51bdee6ccf0445eb7643a51a37e65

SHA512
863aca77dfc79d9be23b8a2546fbfa82d02300ae660896423a1694cd8f9f27f99b0ad1b2f1107ed9d32d995f95a17ecb88fa08f205bdf267f8f6884475fa5bc0

Download Submit
C:\Windows\zuoyu16.ini

Filesize
432B

MD5
7ed5bf7d3c6d76958e01e44577c45d93

SHA1
65af2ebda56b05920607b9d29554f40eec2e782b

SHA256
c7897daf0eb105301649010c6d1d63730415a0419b87ab133760d35895c05d2b

SHA512
5d5cf0afc3038775e1a6431f9a3430680d01bd587671eb15e70d92c9e3a217055e0cc91dbd7394b357e3a8bee9b71fe1895079876b5a43b94d3df6dd51966f39

Download Submit
C:\Windows\zuoyu16.ini

Filesize
464B

MD5
b03a599d3ed57a617e460eaf595c1799

SHA1
3ba866a5ec047cb35d35eb3e94b628f77c3a655a

SHA256
ce68625419c0e375e539474adb20caf362adb0ec848d8e35e28ee1e09500699c

SHA512
832646e8d59d02d357af8db6d32fea5baf2aa238adf8dbabb5a7a2d70a4cf2789fa4cb2c646efcc6eef84cc9313ecf6024c841f7ddbfead4ca9c6e5f74d302f2

Download Submit
C:\Windows\zuoyu16.ini

Filesize
380B

MD5
da12719ad4e8e0c905ca63ac3c1fcb26

SHA1
94fd5575cda434a4bae9c646205a5ebea302381d

SHA256
12081749323463a594c5e8fe454bedb7f614d18bee610e367e9dc613ead760ad

SHA512
2aab2f0ece67b305d237b160405a3f7184a29f383af357aee96003ea63f79186d07025ab49052041faeb74b4070122fc16c46633edf37443fb3ff68274a3ad5e

Download Submit
C:\Windows\zuoyu16.ini

Filesize
386B

MD5
f4413d1cdec69584f57db23cf8d7640f

SHA1
188adef3af39906d37bb8527dd19c6d51fe49bf0

SHA256
dc994473f86bfa10a3188c04f1be28dbf7f02414318c05e9033ac5da3086615f

SHA512
3a53c7856efafdbb2f0923e96196df39d2907a5bfc825b85850c9ab82aafaf835f1805b640d472163e2692465d74ed095d0ffee31ac1c1665e7792575ac4a134

Download Submit
C:\Windows\zuoyu16.ini

Filesize
419B

MD5
b7751b23f8a9aeaba561909f14355a46

SHA1
9d617bf7f22b70ee8bfdbc17e6d66577018207be

SHA256
247bc9ccdfc8b030b3cb5e7b4c4fcec3e30aeceb17ac804939e0dae458b81f70

SHA512
840d8e2d74a6ac5fc82315a8c5a77e4905e20d7ec6cc14360838ac402076c7149ad0346cd154ec7b337cc7dba5c2b548c0a0977752a320d0a86e162f71f649ea

Download Submit
\??\c:\zycj.bat

Filesize
52B

MD5
d38f80fa99de4314068df4dfc474d458

SHA1
20628ced80e1583eb2ad141875b8bc6f6ff1b37d

SHA256
eff77f9678421417c4ff19e080cad296bd9abe88e8ef6441a529cafeda9bb728

SHA512
f29151d1185305443da6548a694a1a1a20fb76045debb15540b49cf929a7f0c724c94e7a2b6e6e1d166068f65bd8effce471992c0baa05a759856a0ed183927f

Download Submit
\Windows\SysWOW64\inf\svch0st.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1976-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1976-47-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2020-465-0x0000000000170000-0x00000000001D8000-memory.dmp

Filesize
416KB

Download
memory/2020-79-0x0000000000170000-0x00000000001D8000-memory.dmp

Filesize
416KB

Download
memory/2460-556-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2460-61-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2576-558-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2576-70-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2576-1047-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download