a5f919cf717083412fa3c2a5fe10d52bc634baec2bc1107f3df93f7e724aebdf

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 21:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
Size

102KB
MD5

2df5ef2557b6011cb35471519c686e50
SHA1

5f27dfd089c3a39c6d171927b6d5d9c7d241b99f
SHA256

a5f919cf717083412fa3c2a5fe10d52bc634baec2bc1107f3df93f7e724aebdf
SHA512

b2e81ca1224bf30a39d495655bde31d5886d4efc580b4f0a3ca19cca3c72c9e05cb1f140a6301f811c8fba0f6c90550b8d1456f73d51b320aba3cf4795e2546f
SSDEEP

1536:3y5PkMCARUpd9sst2bEtkNVGFyngj78DjcdtLBr+CUcH8WIoxgYmxCq36pZj4hK:C5PZCfasxkrGFyngpxrtRc9Ym362Q

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	zykjnzayjhxpRes080530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\zykjn = "C:\\Windows\\system32\\inf\\svczynt.exe C:\\Windows\\system32\\zykjnlwsy16_080530.dll zyd16"	zykjnzayjhxpRes080530.exe

Deletes itself 1 IoCs

pid	Process
2484	svczynt.exe

Executes dropped EXE 2 IoCs

pid	Process
2484	svczynt.exe
2920	zykjnzayjhxpRes080530.exe

Loads dropped DLL 7 IoCs

pid	Process
2568	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
2484	svczynt.exe
2484	svczynt.exe
2484	svczynt.exe
2484	svczynt.exe
2636	cmd.exe
2636	cmd.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\zykjnscrszyys16_080530.dll	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zykjnlwsy16_080530.dll	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zykjnmwiszcyys32_080530.dll	zykjnzayjhxpRes080530.exe
File created	C:\Windows\SysWOW64\inf\svczynt.exe	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svczynt.exe	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\zykjnscrsyszy080530.scr	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zykjnmwiszcyys32_080530.dll	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zykjn16.ini	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\system\zykjnzayjhxpRes080530.exe	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File opened for modification	C:\Windows\zykjn16.ini	svczynt.exe
File opened for modification	C:\Windows\zykjn16.ini	zykjnzayjhxpRes080530.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{65229D61-3DAB-11EF-B467-D2C9064578DD} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426661049"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	zykjnzayjhxpRes080530.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2568	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
2568	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
2920	zykjnzayjhxpRes080530.exe
2920	zykjnzayjhxpRes080530.exe
2920	zykjnzayjhxpRes080530.exe
2920	zykjnzayjhxpRes080530.exe
2920	zykjnzayjhxpRes080530.exe
2920	zykjnzayjhxpRes080530.exe
2920	zykjnzayjhxpRes080530.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
Token: SeDebugPrivilege	2568	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
Token: SeDebugPrivilege	2920	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2920	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2920	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2920	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2920	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2920	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2920	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2920	zykjnzayjhxpRes080530.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2176	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2484	2568	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2484	2568	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2484	2568	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2484	2568	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2636	2484	svczynt.exe	32
PID 2484 wrote to memory of 2636	2484	svczynt.exe	32
PID 2484 wrote to memory of 2636	2484	svczynt.exe	32
PID 2484 wrote to memory of 2636	2484	svczynt.exe	32
PID 2636 wrote to memory of 2920	2636	cmd.exe	34
PID 2636 wrote to memory of 2920	2636	cmd.exe	34
PID 2636 wrote to memory of 2920	2636	cmd.exe	34
PID 2636 wrote to memory of 2920	2636	cmd.exe	34
PID 2920 wrote to memory of 2176	2920	zykjnzayjhxpRes080530.exe	35
PID 2920 wrote to memory of 2176	2920	zykjnzayjhxpRes080530.exe	35
PID 2920 wrote to memory of 2176	2920	zykjnzayjhxpRes080530.exe	35
PID 2920 wrote to memory of 2176	2920	zykjnzayjhxpRes080530.exe	35
PID 2176 wrote to memory of 1352	2176	IEXPLORE.EXE	36
PID 2176 wrote to memory of 1352	2176	IEXPLORE.EXE	36
PID 2176 wrote to memory of 1352	2176	IEXPLORE.EXE	36
PID 2176 wrote to memory of 1352	2176	IEXPLORE.EXE	36
PID 2920 wrote to memory of 2176	2920	zykjnzayjhxpRes080530.exe	35

C:\Users\Admin\AppData\Local\Temp\2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\inf\svczynt.exe
  "C:\Windows\system32\inf\svczynt.exe" C:\Windows\system32\zykjnlwsy16_080530.dll zyd16
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c c:\zycj.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system\zykjnzayjhxpRes080530.exe
      "C:\Windows\system\zykjnzayjhxpRes080530.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79df445f374d7c8ae6925ae2bcfc07a2

SHA1
c3a894fca4cd48fbaf45fce3f1882d8f0aa8f90e

SHA256
7e61d39f9498677a5a2c11286bd6748eff1830431fd2eb221f0818fdd32e3447

SHA512
b157ae07f6fbf175f756852e1a9cc9d4e82e7d93531a06c05bc379dcac6f8a93e36e367dfb4a089260b435c392c54e73879596632ef113826e4cfe20dae8b7aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
726110ded56944e4b787acfc84e12bce

SHA1
869417afaee44d6955a51ced62e884320ac015aa

SHA256
3d8dfc2d85e625e44cc398d592ec2d58112aa2ec0115e7494fb9c56231aef83a

SHA512
03bbcf31d11be9b20b4434b521e03dea2e1c842ff0f6b8acf92a85cd812568c9c7dc17814216d8932462d0b1d26b69469809be4ed80035f8e5b50ada114cf149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f7935c4c87d4c04e15cd05c5b3acd68

SHA1
c63066d40d3eb81a7ab7d06bb5c7ce75199c220a

SHA256
b0e42d6ccc5ad3553cc3866fc24e1965a7f7de333a10bc66c32f4f5c622997a6

SHA512
70c3fa6c7e19b6aff90feb7ca2da4a03a48ec0f123c1a958f1e09d9007d3c8032cd6003fe7c2b313e0f4ee3dff520683239982baaaf1a3bf021de78aa4e02305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
625fed30a23f3e5efcab5bd7c20a512e

SHA1
746ed8c8c8806e7a33949c7c7e5aa7e8dde35aa8

SHA256
141496c45af0d17b321d62f5970873f4d9d9924c0ef9d14cea5ae38ad3bbcb3f

SHA512
36a42c06fe0de5f9055a259fb75a74e4bcaa5dd6aa2531618104013c3994ca836cca2c6c954d898d74c1c98943505804fa7433c75f279f09b342ec6073b5e98a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bc08d2e431d3d757bd91d75c26ba54e

SHA1
0874981e6c62f49749456d9ea05faf5f972053e3

SHA256
9b26e1ec2606b699018c7ea65b2313554227624b3cdb6bc4d9771561b9d2977c

SHA512
438b7a5c0be9d6272aa8ea8e49cc677dcab8ea390ee75cd02fc9bf35a173b0ff067dc8279605b3bd764823284b506f3448646bebdb7cd43abb629c59cc2842dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47f82eadd1a230dca17fcaaf00a7305e

SHA1
6d8d4116eee973af116371cc62a0bd626da667dc

SHA256
9086a058db288055210c1d493e8617fc7b0648cf4a16fc4d3e94db489429639d

SHA512
aac816b4a284cfdc2a61d85334e18f341a53fc9c04147b007fb57937c40419fb1586bcd2e0d516a37b2748ca5dd37056f183c0a6e3eb10975adccacf0e8a4319

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ceb7465e72e9c02f8825f06beb6613a7

SHA1
222459858fc6255ee7975eff9483c460eebb735b

SHA256
20853463f17d1554298157e88a65882b41a391147779446b21cb4198a3fa3eff

SHA512
ed43e035441752262d63994c145006d30a373a96d3fe98cae214821b933324b3e90c59be2df0c19f7097e96ec770d6cb0f6f3d998800e9d9b724142dea423769

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e591774544f112dbf8c8fea21a6b6853

SHA1
2dc82bc510c0cf640a0743aa2e506661188fc8df

SHA256
fcca97a6277f8be863db76727a1dbcea763d4bbf09dba4270d1142875f21e042

SHA512
7dad8ab247edb44475db3251ec5b01d23b2536b732552abb04f67a8618332b23e88109f8c42e7a589e6d5f2bebfd84a25baa1896ad917f8aa53c23fb6bf2de60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb6014db0a8f35c4df51ced94060b626

SHA1
bb13988a20e68dec93fda5ff6d22990d3a3037b6

SHA256
60aab9c7c8166dcbe0a650a41fd3119c2f08053c01342dcde408eb27ef4b547d

SHA512
2e3465f8730a5874c45b40aceba98e7fd161c7962ec0bdc3baf0c4187fad5265086ecf75d3b38127acd4a8cfc31d569d85a95c9d10ad48db2b11cab0a0044a51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b589b50c2f6c67915555c463607eda3e

SHA1
3c53b3041ba1d94763e90042abd52e3eb17b2932

SHA256
79703879f39cc45806a77f6c71f6260532a0ae667f8dbad317996c59ce278268

SHA512
f4e1577bf420f8e7a169144ebbfbe5ed68f448ad514a81f159fbb6db6f12d5729ddce1b20854bfed01e6d0f1a0bd771e329fe48268f251b8b481bb1812f6aec1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a3a2cff84c96a1844f12a892db6e25f

SHA1
55b52a8922ed8c877660d7adcc7c617bb39c0fb4

SHA256
0d2818230b45896216ac63ee167746f0b67461c004df7180324966f4435ace8f

SHA512
714dc57686354edde38e611cd904e7b9f85e5a61baa87c6adf1e38bbc46c48a7ade3cdaea56839a1faafff490c826b98b30330b32865a6cf9cae0a6e9da6615d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53158a1a20d5546db946cc0a37a414e5

SHA1
e80d8551ebc8c2517f3ed4f656c48a4b2220f7e8

SHA256
89d7c4ac215bacfd58eda5365bff1a2f506365bd925407f519e8ab6db039b453

SHA512
4264ec2b06d25176efc49ce762b83bdcc74081958abaca21f4b84863418a2047bd44f6d03ccfa55195877f72247dba135b415159d88a2a5830c865d1158dc4fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54925bd3ff150b93a9a08955018b7200

SHA1
4f06fb9719405bec45fedadc9176db71b954067a

SHA256
e1b7f5f035b72ce8d6a0fe6a0f83dbdbf0ec0161a8d6a580fe7945daf02de6a6

SHA512
b0ae79b8aafbc2af4ca62e4e33c6c4da0b140d773651b7603dabaaaab5553bcdb953a035f9688bee0d6e8fb2b9a1bcdeb28e13d4d466f1f8dc3a3f9b496e1452

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcd894f0c018a77f71de3242592dc989

SHA1
9912557095e37ec78fd9a9dd864874502b18e98c

SHA256
9ea6a306681f0679664f2d4e33b48e33c71d4195ce24f094ecef9c57c6e5f874

SHA512
78354c562ebd12d043ca82b37ef8c7a8d1c55b7b834edb6aeaf24e163a6eb53214a04ecc1a31a66f01e49addd004b66bc42c5019c1ac794514c578d1863837a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea2d9c22c828b1cac1b58f122d184ef1

SHA1
d942bbd0796cfe6d34498d1fecae4c9ea0145ddf

SHA256
6d50b4ef95dcdb35dc467bee2581e8405a8ee213d25d231b644b0daf9809087c

SHA512
935c336e1e5336716bcc12ee3c4662dc25403b0cb27f1d3390094e74d3ce3ecd38de2f0c148348bb4ce2d6daa3e53d4a2a9fa1efa23eece896729d324c232cfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd57c0176be460fa4959efce16396aef

SHA1
630fd0a38eb018ac7ed4c4b2ba1f59aeb388b41f

SHA256
6e8b78ab6e276815a59283f0f8c5360de30fd46160446ac10cfd8eefe2e7c974

SHA512
65a457dc22eceb7370dfde0f285b9518ba00aab72b25691aab6ed37a81512d3acf0fa84cfd20903674c3f772386c819da84543392eccf72da29328bcdb32e55d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f500fb861e4f26fb3710a56d62c5099

SHA1
c8a9bd2924672053de61c63f9981467bb084d546

SHA256
9ef0ca186ba54d61a9617fb61e63f262ebeb8d987fd30c270ea70b2c90da8a5d

SHA512
de6e395da466695d8cbc2b87a4793acb5b32f0830d162bed4240d684efe586cae1bc0fe3a7ade876c0d7f360a6acc77c8ef15a6d7a2bdd03485106fa6922507e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bc27631479946f13c01fb7719fb041c

SHA1
20d66ebaed5518ae24ed51b00973d15e43e530c5

SHA256
4704eae69e6a258519874e80bfdc67ca1f15e52ded9cf282993702a710d63d2a

SHA512
9810834c40cbc750fb6415028f08934c1dbf248d30a119576db5488e6eaad53bb28baf33d7980a4a0db17ed76c34b0063a4a9ff43dd62a2fe0588d3cc775b8f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08699068f3c313e4d36cd2d0717f0aad

SHA1
e67c59078e97e2417724a0656832e9b438e19ddd

SHA256
1c87e722fb0e97fb050c82a3e480cae39b2bd758dabc0e814e52aa9ade7e4228

SHA512
de1672f1f2734ba74a6256e46e911a0c406c92aba2817fada90c0ded4f9e2e568f1e19a1568a3de04c685592bd806fe38e41320f3a31ca3ea07ca1fd8ec2b807

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2C5F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2D00.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\zykjnlwsy16_080530.dll

Filesize
28KB

MD5
9c6fb02bb682fb6e67c6f67cb0bd019f

SHA1
3a09236c81a4c5ab219d47d8df9f8a9537e67659

SHA256
e1e6a91920fa7aee484ae874410ce7a7ad44adbbed6c072da3cc03c3a9c55142

SHA512
b3c75bbb1381f7159daca53b899b53e1ac75f9f1b769834749b5ce1db1bc1c7973bf5054fa52b98d0d962eb4b78c4d6a80f78f29e48d2dcb2333185408b0a4c3

Download Submit
C:\Windows\SysWOW64\zykjnmwiszcyys32_080530.dll

Filesize
199KB

MD5
a426e3b47699bae564a4a521848b298c

SHA1
1e5081ce51c3c56e49d522a053914ead6ee1c115

SHA256
00e3d23ec5fb50ee603c2076d5ef3905927e16bdebc3c403393edc5baa384d08

SHA512
f6e3b82c46b802504094185ec6b703864fef524d899520f584a932e08e0550cd62061cc9b5176555ac16a5e283c9a224b6f688a1feba0055214b675c01ba9b92

Download Submit
C:\Windows\zykjn16.ini

Filesize
101B

MD5
a801d46d5bb34f5940142628e0668df2

SHA1
2ae3ef4f459640697a149fa930cfb3ffa70ede8a

SHA256
9d98bdd9d370c74f28e56eee303cf53f4d1dcff44bfa22a34f75c440678e878f

SHA512
a2cedc084d3f9d2ece5df589e2cb6965196f48daac0892f5a350939d0329cb0c6ed02aef317ba19ad15edca2247660c82a85999721c44026c861a1b688d7217f

Download Submit
C:\Windows\zykjn16.ini

Filesize
362B

MD5
e41854d2925220cbe239fa53b3afeff3

SHA1
7fe4d3b67de23328ef2760cda15b8dcfc2117d5d

SHA256
7271b876500f8756730ecfa3eb9d2c154ebfc6aa94d24d3881ecf9add8994e47

SHA512
1db2f7fe0e7c49934ae2a93a86f8b5a2e8b0e28d48c3031b52135f285f52658d7675eea96e559ccb716819caf53411e2f5d0eb981a4739819c19da67fdc90ea7

Download Submit
C:\Windows\zykjn16.ini

Filesize
487B

MD5
f24f2f0bf3347be5a6bec63bb0bdf407

SHA1
7440c355ba545f8edd8898be11101b12cc39565e

SHA256
cdf49b34e21f4ea8d915c1668f17dcaeaa553efde7d6634ce7adebefd0596ac0

SHA512
ab99ba057b26cc79cb48cc7ad5f36d8989901545d23261eed08ddb261f6d7215425ca70f5cd2294f62aebb9b24a506d59943800c4a6ba9fa65ea4327024e5611

Download Submit
C:\Windows\zykjn16.ini

Filesize
403B

MD5
e965710f7d93a771ea6bc19d16c767b1

SHA1
e4de29ce0400e8568d92e538775c9ed3ddecb714

SHA256
37d6199c07fe7dfc074ebfa46ba557fdb7cabbea66172bd7c51aff1e0d393d7b

SHA512
9e31ffdcb68ae5fe37b33c3234933e29ba8b4931a405280bc3fbd3a337a40f6980f84b82af2bb9803f04032a034ada1ba0daeacf2d42212951486f88ddfd14f0

Download Submit
C:\Windows\zykjn16.ini

Filesize
409B

MD5
549f1b58d96ece8d061e23d87503bc43

SHA1
a4622ec468c150c486a0f49c22ca6677b0c5296c

SHA256
c2c6ea605a8f9731892d901a82d168ef1bb2dbf8c871ea64c9dfd0ecc6d323e4

SHA512
b0cc456235b9cc65f6fe5662dd8166510ab0a696e542855b89ccd9ba2db4713ed5eb4b4b58ef8911798f49d37f9cac2920ac3bdcb65a7b6dbad32c4702eb02a2

Download Submit
C:\Windows\zykjn16.ini

Filesize
442B

MD5
2268d35b1a5d7a349d21119d541c5c4a

SHA1
b44b1a7fae7abacc3cc6ab8593aefaca7bdee120

SHA256
7b4fa23b08c55ec311bcc7526ed378b4e3da600b7a4a084f683be12d59502a09

SHA512
991fe5321d663537799f400cbf2edb88fd2215b3ddc18169d73abccf5359eebbaa352db37bfcf97acc90de8f635a85225cec8839be2e9d6428e1e3e674d0b1f3

Download Submit
C:\Windows\zykjn16.ini

Filesize
455B

MD5
411498201da1e58b45fdd8796bf2d221

SHA1
f6185824317bab45e6250df704758bdf087cf614

SHA256
630c292d6232d48d2b6ab2104cf61acee920b17d9ccab6b165dcb0e0698af3b3

SHA512
df67116d980f53e5c0cbf101787739cc2538dd60c04b214e7b3309eb5e7a56d9638e4afd6e9484e25c438173fa1868c3eed27d20180015dfd39f882c78068319

Download Submit
\??\c:\zycj.bat

Filesize
57B

MD5
ed12a6175f3597cb294fc1d031d8eda0

SHA1
0da68801e96f87b7ee2b8f8198a33c37774639aa

SHA256
352708aa30f7ceb76abba3a3d30ac87df8abf224c14ffce41be111dc0c8d519f

SHA512
44a5ba5a2ccc9e0e70dc8635ccbcc926631697db4da30d36f51268558863f667499bb57fc7db8303210548d9b03c1e6e30994eb4b1ccbc55a3b8dc27d845c4aa

Download Submit
\Windows\SysWOW64\inf\svczynt.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\system\zykjnzayjhxpRes080530.exe

Filesize
102KB

MD5
2df5ef2557b6011cb35471519c686e50

SHA1
5f27dfd089c3a39c6d171927b6d5d9c7d241b99f

SHA256
a5f919cf717083412fa3c2a5fe10d52bc634baec2bc1107f3df93f7e724aebdf

SHA512
b2e81ca1224bf30a39d495655bde31d5886d4efc580b4f0a3ca19cca3c72c9e05cb1f140a6301f811c8fba0f6c90550b8d1456f73d51b320aba3cf4795e2546f

Download Submit
memory/2484-68-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download
memory/2484-52-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download
memory/2484-949-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download