a5f919cf717083412fa3c2a5fe10d52bc634baec2bc1107f3df93f7e724aebdf

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
Size

102KB
MD5

2df5ef2557b6011cb35471519c686e50
SHA1

5f27dfd089c3a39c6d171927b6d5d9c7d241b99f
SHA256

a5f919cf717083412fa3c2a5fe10d52bc634baec2bc1107f3df93f7e724aebdf
SHA512

b2e81ca1224bf30a39d495655bde31d5886d4efc580b4f0a3ca19cca3c72c9e05cb1f140a6301f811c8fba0f6c90550b8d1456f73d51b320aba3cf4795e2546f
SSDEEP

1536:3y5PkMCARUpd9sst2bEtkNVGFyngj78DjcdtLBr+CUcH8WIoxgYmxCq36pZj4hK:C5PZCfasxkrGFyngpxrtRc9Ym362Q

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\zykjn = "C:\\Windows\\system32\\inf\\svczynt.exe C:\\Windows\\system32\\zykjnlwsy16_080530.dll zyd16"	zykjnzayjhxpRes080530.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	zykjnzayjhxpRes080530.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	svczynt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	zykjnzayjhxpRes080530.exe

Deletes itself 1 IoCs

pid	Process
1268	svczynt.exe

Executes dropped EXE 2 IoCs

pid	Process
1268	svczynt.exe
2636	zykjnzayjhxpRes080530.exe

Loads dropped DLL 1 IoCs

pid	Process
1268	svczynt.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\svczynt.exe	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svczynt.exe	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\zykjnscrsyszy080530.scr	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zykjnmwiszcyys32_080530.dll	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\zykjnscrszyys16_080530.dll	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zykjnlwsy16_080530.dll	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zykjnmwiszcyys32_080530.dll	zykjnzayjhxpRes080530.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zykjn16.ini	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File created	C:\Windows\system\zykjnzayjhxpRes080530.exe	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
File opened for modification	C:\Windows\zykjn16.ini	svczynt.exe
File opened for modification	C:\Windows\zykjn16.ini	zykjnzayjhxpRes080530.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "917935368"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31117752"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117752"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	zykjnzayjhxpRes080530.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427264151"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{624D07FE-3DAB-11EF-9BD7-6E7C67FFD1A4} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117752"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "921060269"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "917935368"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
940	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
940	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
940	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
940	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe
2636	zykjnzayjhxpRes080530.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
Token: SeDebugPrivilege	940	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
Token: SeDebugPrivilege	2636	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2636	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2636	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2636	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2636	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2636	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2636	zykjnzayjhxpRes080530.exe
Token: SeDebugPrivilege	2636	zykjnzayjhxpRes080530.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4824	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4824	IEXPLORE.EXE
4824	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1268	940	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe	87
PID 940 wrote to memory of 1268	940	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe	87
PID 940 wrote to memory of 1268	940	2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe	87
PID 1268 wrote to memory of 2380	1268	svczynt.exe	88
PID 1268 wrote to memory of 2380	1268	svczynt.exe	88
PID 1268 wrote to memory of 2380	1268	svczynt.exe	88
PID 2380 wrote to memory of 2636	2380	cmd.exe	90
PID 2380 wrote to memory of 2636	2380	cmd.exe	90
PID 2380 wrote to memory of 2636	2380	cmd.exe	90
PID 2636 wrote to memory of 4824	2636	zykjnzayjhxpRes080530.exe	95
PID 2636 wrote to memory of 4824	2636	zykjnzayjhxpRes080530.exe	95
PID 4824 wrote to memory of 1492	4824	IEXPLORE.EXE	96
PID 4824 wrote to memory of 1492	4824	IEXPLORE.EXE	96
PID 4824 wrote to memory of 1492	4824	IEXPLORE.EXE	96
PID 2636 wrote to memory of 4824	2636	zykjnzayjhxpRes080530.exe	95

C:\Users\Admin\AppData\Local\Temp\2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2df5ef2557b6011cb35471519c686e50_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\inf\svczynt.exe
  "C:\Windows\system32\inf\svczynt.exe" C:\Windows\system32\zykjnlwsy16_080530.dll zyd16
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c c:\zycj.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\system\zykjnzayjhxpRes080530.exe
      "C:\Windows\system\zykjnzayjhxpRes080530.exe" i
      4⤵
      Adds policy Run key to start application
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4824 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMWT2DJF\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\inf\svczynt.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\zykjnlwsy16_080530.dll

Filesize
28KB

MD5
9c6fb02bb682fb6e67c6f67cb0bd019f

SHA1
3a09236c81a4c5ab219d47d8df9f8a9537e67659

SHA256
e1e6a91920fa7aee484ae874410ce7a7ad44adbbed6c072da3cc03c3a9c55142

SHA512
b3c75bbb1381f7159daca53b899b53e1ac75f9f1b769834749b5ce1db1bc1c7973bf5054fa52b98d0d962eb4b78c4d6a80f78f29e48d2dcb2333185408b0a4c3

Download Submit
C:\Windows\SysWOW64\zykjnmwiszcyys32_080530.dll

Filesize
199KB

MD5
a426e3b47699bae564a4a521848b298c

SHA1
1e5081ce51c3c56e49d522a053914ead6ee1c115

SHA256
00e3d23ec5fb50ee603c2076d5ef3905927e16bdebc3c403393edc5baa384d08

SHA512
f6e3b82c46b802504094185ec6b703864fef524d899520f584a932e08e0550cd62061cc9b5176555ac16a5e283c9a224b6f688a1feba0055214b675c01ba9b92

Download Submit
C:\Windows\System\zykjnzayjhxpRes080530.exe

Filesize
102KB

MD5
2df5ef2557b6011cb35471519c686e50

SHA1
5f27dfd089c3a39c6d171927b6d5d9c7d241b99f

SHA256
a5f919cf717083412fa3c2a5fe10d52bc634baec2bc1107f3df93f7e724aebdf

SHA512
b2e81ca1224bf30a39d495655bde31d5886d4efc580b4f0a3ca19cca3c72c9e05cb1f140a6301f811c8fba0f6c90550b8d1456f73d51b320aba3cf4795e2546f

Download Submit
C:\Windows\zykjn16.ini

Filesize
46B

MD5
fb62e34f88b7682002df41547e719b54

SHA1
c95268f038ac41011946dd126db540417835d37b

SHA256
e82f64a73f88f375dcfbb4f3034240e965a10ca76039d93882ea7bd6960e24bd

SHA512
ec2c0e012445f7379ef3f0f5d65e33070f542f93334e9dd5daceaf097b8af30f013a5fc39024af28868f4a0f67d735e3b022ec5f6520392bf2f766f2fc53a4b7

Download Submit
C:\Windows\zykjn16.ini

Filesize
230B

MD5
39d62e355c8592cd0276d35173094d83

SHA1
95add6bc5f90255cf53a3b87c9755546b8ab2115

SHA256
d3b3f9836a3d7db407e682d9a57854bf2289f8ebdfe73e99f48c1c3542c6f330

SHA512
91bfdb3f5d872e98c99d54a1501c3aee1f9aa153384699479eddbd6c52fa3767eab021c83b926868745167eaa4402981202586f8772b56558c8b7a27faa8fc2c

Download Submit
C:\Windows\zykjn16.ini

Filesize
487B

MD5
f24f2f0bf3347be5a6bec63bb0bdf407

SHA1
7440c355ba545f8edd8898be11101b12cc39565e

SHA256
cdf49b34e21f4ea8d915c1668f17dcaeaa553efde7d6634ce7adebefd0596ac0

SHA512
ab99ba057b26cc79cb48cc7ad5f36d8989901545d23261eed08ddb261f6d7215425ca70f5cd2294f62aebb9b24a506d59943800c4a6ba9fa65ea4327024e5611

Download Submit
C:\Windows\zykjn16.ini

Filesize
403B

MD5
e965710f7d93a771ea6bc19d16c767b1

SHA1
e4de29ce0400e8568d92e538775c9ed3ddecb714

SHA256
37d6199c07fe7dfc074ebfa46ba557fdb7cabbea66172bd7c51aff1e0d393d7b

SHA512
9e31ffdcb68ae5fe37b33c3234933e29ba8b4931a405280bc3fbd3a337a40f6980f84b82af2bb9803f04032a034ada1ba0daeacf2d42212951486f88ddfd14f0

Download Submit
C:\Windows\zykjn16.ini

Filesize
409B

MD5
549f1b58d96ece8d061e23d87503bc43

SHA1
a4622ec468c150c486a0f49c22ca6677b0c5296c

SHA256
c2c6ea605a8f9731892d901a82d168ef1bb2dbf8c871ea64c9dfd0ecc6d323e4

SHA512
b0cc456235b9cc65f6fe5662dd8166510ab0a696e542855b89ccd9ba2db4713ed5eb4b4b58ef8911798f49d37f9cac2920ac3bdcb65a7b6dbad32c4702eb02a2

Download Submit
C:\Windows\zykjn16.ini

Filesize
442B

MD5
2268d35b1a5d7a349d21119d541c5c4a

SHA1
b44b1a7fae7abacc3cc6ab8593aefaca7bdee120

SHA256
7b4fa23b08c55ec311bcc7526ed378b4e3da600b7a4a084f683be12d59502a09

SHA512
991fe5321d663537799f400cbf2edb88fd2215b3ddc18169d73abccf5359eebbaa352db37bfcf97acc90de8f635a85225cec8839be2e9d6428e1e3e674d0b1f3

Download Submit
C:\Windows\zykjn16.ini

Filesize
455B

MD5
c02341da48d748efd71deaae0b462e8b

SHA1
5e7d9f248cc74936bf40a73707908b8b41c1e306

SHA256
1777553912098db17148c3c71f094c4c0b5bfe1997806c3df9a8ac2ba3fdc9e8

SHA512
fb58bc51c703a5b85ca3f72741dbcdca61c6e7c2a3339f0c43ce84ffe0e8213d60c601b60acceda070fb06ff5b5aa2c681b52ffe454cc88e7e300f6f6b468feb

Download Submit
\??\c:\zycj.bat

Filesize
57B

MD5
ed12a6175f3597cb294fc1d031d8eda0

SHA1
0da68801e96f87b7ee2b8f8198a33c37774639aa

SHA256
352708aa30f7ceb76abba3a3d30ac87df8abf224c14ffce41be111dc0c8d519f

SHA512
44a5ba5a2ccc9e0e70dc8635ccbcc926631697db4da30d36f51268558863f667499bb57fc7db8303210548d9b03c1e6e30994eb4b1ccbc55a3b8dc27d845c4aa

Download Submit
memory/1268-70-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1268-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1268-101-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download