95e6e5215007536451ad0676a029f8449928112383a1605992dede9b3c8d39a4

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 12:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
Size

102KB
MD5

5bf3d7f43382f498b711737525d32734
SHA1

b923473ceb369b79db1497ca42747b3fc1f12860
SHA256

95e6e5215007536451ad0676a029f8449928112383a1605992dede9b3c8d39a4
SHA512

d06727f8ea63fcc11b32d70ae68cc4ca69d04cfc36f8bcf465eebbfa70b39d81eaa85dbf557092b8c5ee6e1ec73af8003f38da038a520173a46dbea47aec9e83
SSDEEP

1536:VI5Pl8qvMQjmDDp515sr1IOTxOA+SFjQRkBro6NHU2McGHqxpBwuUQ8V:65Pl8kK51EPTsmZDBJU2MRUyuQV

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	zykjnzayjhxpRes080517.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\zykjn = "C:\\Windows\\system32\\inf\\svczynt.exe C:\\Windows\\system32\\zykjnlwsy16_080517.dll zyd16"	zykjnzayjhxpRes080517.exe

Deletes itself 1 IoCs

pid	Process
2084	svczynt.exe

Executes dropped EXE 2 IoCs

pid	Process
2084	svczynt.exe
2820	zykjnzayjhxpRes080517.exe

Loads dropped DLL 7 IoCs

pid	Process
1488	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
2084	svczynt.exe
2084	svczynt.exe
2084	svczynt.exe
2084	svczynt.exe
2712	cmd.exe
2712	cmd.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zykjnmwiszcyys32_080517.dll	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\zykjnscrszyys16_080517.dll	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zykjnlwsy16_080517.dll	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zykjnmwiszcyys32_080517.dll	zykjnzayjhxpRes080517.exe
File created	C:\Windows\SysWOW64\inf\svczynt.exe	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svczynt.exe	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\zykjnscrsyszy080517.scr	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zykjn16.ini	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
File created	C:\Windows\system\zykjnzayjhxpRes080517.exe	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
File opened for modification	C:\Windows\zykjn16.ini	svczynt.exe
File opened for modification	C:\Windows\zykjn16.ini	zykjnzayjhxpRes080517.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427554082"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A621CCB1-45CA-11EF-9CD8-667598992E52} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	zykjnzayjhxpRes080517.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1488	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
1488	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
2820	zykjnzayjhxpRes080517.exe
2820	zykjnzayjhxpRes080517.exe
2820	zykjnzayjhxpRes080517.exe
2820	zykjnzayjhxpRes080517.exe
2820	zykjnzayjhxpRes080517.exe
2820	zykjnzayjhxpRes080517.exe
2820	zykjnzayjhxpRes080517.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
Token: SeDebugPrivilege	1488	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
Token: SeDebugPrivilege	2820	zykjnzayjhxpRes080517.exe
Token: SeDebugPrivilege	2820	zykjnzayjhxpRes080517.exe
Token: SeDebugPrivilege	2820	zykjnzayjhxpRes080517.exe
Token: SeDebugPrivilege	2820	zykjnzayjhxpRes080517.exe
Token: SeDebugPrivilege	2820	zykjnzayjhxpRes080517.exe
Token: SeDebugPrivilege	2820	zykjnzayjhxpRes080517.exe
Token: SeDebugPrivilege	2820	zykjnzayjhxpRes080517.exe
Token: SeDebugPrivilege	2820	zykjnzayjhxpRes080517.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2952	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2084	1488	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2084	1488	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2084	1488	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2084	1488	5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2712	2084	svczynt.exe	31
PID 2084 wrote to memory of 2712	2084	svczynt.exe	31
PID 2084 wrote to memory of 2712	2084	svczynt.exe	31
PID 2084 wrote to memory of 2712	2084	svczynt.exe	31
PID 2712 wrote to memory of 2820	2712	cmd.exe	33
PID 2712 wrote to memory of 2820	2712	cmd.exe	33
PID 2712 wrote to memory of 2820	2712	cmd.exe	33
PID 2712 wrote to memory of 2820	2712	cmd.exe	33
PID 2820 wrote to memory of 2952	2820	zykjnzayjhxpRes080517.exe	34
PID 2820 wrote to memory of 2952	2820	zykjnzayjhxpRes080517.exe	34
PID 2820 wrote to memory of 2952	2820	zykjnzayjhxpRes080517.exe	34
PID 2820 wrote to memory of 2952	2820	zykjnzayjhxpRes080517.exe	34
PID 2952 wrote to memory of 1588	2952	IEXPLORE.EXE	35
PID 2952 wrote to memory of 1588	2952	IEXPLORE.EXE	35
PID 2952 wrote to memory of 1588	2952	IEXPLORE.EXE	35
PID 2952 wrote to memory of 1588	2952	IEXPLORE.EXE	35
PID 2820 wrote to memory of 2952	2820	zykjnzayjhxpRes080517.exe	34

C:\Users\Admin\AppData\Local\Temp\5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bf3d7f43382f498b711737525d32734_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\inf\svczynt.exe
  "C:\Windows\system32\inf\svczynt.exe" C:\Windows\system32\zykjnlwsy16_080517.dll zyd16
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c c:\zycj.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system\zykjnzayjhxpRes080517.exe
      "C:\Windows\system\zykjnzayjhxpRes080517.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
66e9d67530305e7ad98de5d5bff7d525

SHA1
9450fa7c3114cb063136f8662bf044395c370b58

SHA256
22c797876e89e614b7c293120392a450889616981df2643190c1e83fc6e6453e

SHA512
8fd7607f8ad308c28bdef9cc619decb201fabdd8fe4780bb9dfb695072c101e32b9e9db17c5c437f471ed64e41aa334576ecad9f7ab65a4a9c2ef0a5414f8c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dba280f463c9c13ccbbb36e47c76d772

SHA1
b41c3da92c8b42e0aa90cf64c3e11ce8da6405fe

SHA256
fe1b4e3276f1e2883547d9bed1d31e889d49a28cc93db084bb1217b3dd0bf6ce

SHA512
b06d9ed864b5d85f61bd51279702d2441711ba657793c8fd92820a0c2510d6c3116ec96446db424162ab92896456f9727d844eb76d71b4708f8f2d30f5e1c191

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6f2bebc34a8db7f9d74c00e80660b5b5

SHA1
17bbe002b3f41780fe416d5164b3721dd77c6be0

SHA256
44180d8885f160f68f0b0040a2fe43c99cfb2a7ffd0a627bb5e3e6f999546797

SHA512
9178c7d1ee3b949fca18ca92099603b08307bf05a8949af5be832f55f069cc868acc58665e90107b9064adde512fff987bc3769f0ec560ec8d3534ec7ac343c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dc09935fd4b8406a92aed58c403afb5b

SHA1
bbbfd2e291a95d7f058d9ca9fd9e24e3b50ff856

SHA256
f5b50ca2b97dd065f7d49172ca3c5123c7d7f4f3dfda341b30a43c7df1ec427f

SHA512
76a2de0911f8e404e5e9eaa654013fe0c982f321cd0db99b8c99b60703e4ff16ee91a1fed522e0d94133d4345f6e231588e69b1760bb11a68681c88a6f971c9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ae1a49d29fe6b3d8bef55d70e6c98748

SHA1
9d99bc12690cb8e17cbf1bd2fb12d51eed183361

SHA256
72c89f97428f022f113114d2ad10433f351f5acab490c6ffcb68c7bf262068bf

SHA512
2a952c3e2cf3146e33fe535e4eb22ed166875fed9c95c7d70b4c533e4615a170dfb8590375f2a6f08e639700306a1828c17e8a1b2a0986301e108c7bf5f540d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c5d555583295a8b2cc1c8b54c7c4dea3

SHA1
9e11b5efc3993bc833386a9a52f6afeca9911fb5

SHA256
87c25ed213b531a531202e367f2a3015616584b306b680b63e599bdb62b63d73

SHA512
63f86096dc3a6cbca740a9bfb6e6b050985753fec3e27d1213b5f0a1c9ebe720c005cf8a8e50976444538c4a92040cf2997f326aeb816c43e7bd3f5d29bf8da2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9bfd8ee7bc96b13a4a423b1bd2a103b1

SHA1
36dd612164c5a0e965262b9549cd5826765dea1c

SHA256
e321a4ce7b37c17b70788c3d7f94715daf10c45771bf87562a127eac6c52512d

SHA512
ae1d7470d806e7b41973ce50d3ab915c86c9b5c4c93943b5c348cbd083bced32f344869600b385c69b86d3b24477b2bcef2e7b4a6349c7f049a7c782a6ff5a6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
de0e1ffc87a064894ee1d17b2e8d62b7

SHA1
fd6a9dff0d0043a09c32dd4e1655cfa5421c4516

SHA256
0ac9f6d913ba01e4012a2e80c28ec0bf7a52a8ac9ab7fe3629997e0190f111be

SHA512
e15b1d4d98058e832d4da0f8fb075a0bba825bd2e1f585de4826eca4027d322ac34adffcb21a49483b60304e7890ec92cc96916cb50fa01cdfdbfc95c0304703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
01eb2503368dd35d4596912f7ebba636

SHA1
54ff60e74f58f42be431c682c4cefb99a7ad51dc

SHA256
80562b90b96c4e37b239333344f4c39da7c41d533bab370c4b618d498eb65beb

SHA512
5ff96e5e3846db1b44eb0b6ae1b040f6b62eabe508b063d65f63d152e61fecb4bc7d761e3c78f30389361a05d9cc19daac9ab1ca960ff0a4599f3f12363788f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b4f6c9c585a4b6863049278c73d4e710

SHA1
27a7a11fbce22d0cf8cdf6ee297dc2d3c737607f

SHA256
577366f2d8b05f1ef46db74e647926c6e0c74d0a571e10ae90af7feff4536b5a

SHA512
b6df7aa00ea5c431c28d83339f702eb885e6d8f92b10b085fc110b6d7ca83c5d96198c0794ae5589bf389f6824965ba8abac41cbb67097013e339ca159e5ef5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e05271605eff7159b87ba76de91e7cbf

SHA1
cc2203624033be90bbeecfd8185496403fe03126

SHA256
c25745913f71fc37f64799ca4ad528ddc007d1f335bdbed4a96f323dd7883b97

SHA512
56ef9a990e0e1f727568f92488224b297bab2658b192bcb16989260e2e7ca843ad87d82cce364c8ceae3063d7177321a0e2b7f2671003910d330f923cff34d63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dfa3661869b54b8e8600f21951d6c96f

SHA1
a4e15ec2e0594fdefa42428f8f3f4a13cc2b8b66

SHA256
0ff396dae52daff91ffb04f59ab213cd17780f8de6cf05ecf9723fb00ec87902

SHA512
1c8586c682112736740ae35276d0ed45070c548f98b6ae595f4ac23a34c274b4f53e3379e6a16dc92d2102bce1ece7a97c974c1ca05e7126e0bf6dc86d74f066

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
12b3885724b2ca69bb256fa6eca315dc

SHA1
035ec76e5fc37bafb3cc0d4eb67f4b613766e081

SHA256
5b642c6c78f08ec62d4631977edeabfc88ac4598ded32a61884a10439004c70a

SHA512
19793799c5ad3dc092c99e73a2960f9860e15675fb3a62f099d4f45c3b5656872bec716b65785c5e0272de9b39035f1280328124149a65802d6cc53850ceca66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7063488c9be3f3bbc3ec2c38cb0ae46d

SHA1
bb396ab3ff083063c12ffcda69366d4c84201696

SHA256
fb9fc7c033a5de7951e0682d209e6062aaafbb2f5c42fb13846e17daa58fd52d

SHA512
a925132099df949ac808259da7e37a12a4cc32cdeb12badb8d037100de76a70971f7d3551c55e70051fc537295f32370a0149a92c1bf5bc346c4137a8a16737a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5bf2494c5345cc55de5fde9d27fb794e

SHA1
a810bc748a1027a29ea1059bc3ed2f44e41cad7d

SHA256
35b00e567e48a22e964be893d42e51941b4e79500a1b726d36bdaa2ccde90925

SHA512
cfb937aa30fd0ea8aefca21f97ee7c10c8b420e4385be63a4f2ff620b692d600fed6d4367e11564bcbd584e5e16d4a9491a866e98d482d8910687e13479beae5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
842ac279374bf82802c70a9fcb94dd49

SHA1
f76728ff3c770692d9cfd0949aaad54e4129aa84

SHA256
2029c103d35c3707197879a0662a0228f5dfcb1d3aca116203253031e7cb2e02

SHA512
183448e4058edd1864bb6d63109e7445e9e11d116427a055538856ee5f4c5025fc84a93c7c5a113d463dbc29418543903d02f988a59a43e1de811dde55c932f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e2700a38808e21ed52f62187d844730e

SHA1
2ecedbc4978dcd51150452316efc7b1fadacba56

SHA256
13b1d0563910d9accc592950330ec7b785303e60656ad79413be33389258cff6

SHA512
d03837de861b0c9d36bfc7983cdec1734acb558c3c68bb75fb2486ade1ab3abb23997cf23c69f989cd6bb139839b22e6ec3889778b313a4973a82141ff3f18be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4f1212edff41b6da0cd6d21dcb5767ea

SHA1
cb4f53675c303a340204b505b8662a922ac39100

SHA256
c50f4fc47edd782c357809feb3b14e1cf3604033d719a47a91d17942f7346834

SHA512
a1a1cb28e11b065e4e9678f2fc4b3cb5c048e8f12aee7ae3165719078798e8cef5b7b391312ea2cd23010c404a1cc6b628e7d01e28a4c623654bc225f41298c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5219.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar52C8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\zykjnlwsy16_080517.dll

Filesize
28KB

MD5
8cc2aec87c5edb08755a94a42fb3c21d

SHA1
f7322507adcb8ec4f20624ca61a07231b202ca1b

SHA256
762be8ea2246177333cf19af5ce190cb53830adba90be1537ef668b4ea992763

SHA512
c3bd068dedcf9b7ce84437c3647b0bad4c1ba16783447289e766350887d5d228c47f150bc313a1c04734da499a85c03ecd1cf318126a617a414b7d7df39c1ad2

Download Submit
C:\Windows\SysWOW64\zykjnmwiszcyys32_080517.dll

Filesize
199KB

MD5
168ddfad7d3317d7344e1d8ae1d5e8a8

SHA1
e3a50c5066558838f2da65ef7de35e65b3741bd4

SHA256
f218e68c01566c13a638971c55c4dbbb8a9cfb3c1100e565dd0bfd332eb9bec8

SHA512
8816495aacb7123fdee412fc6d5561ae788ac862c61bc8f0c1b705b1de937bc745746970e6a1e37301956df5882b6de77cec4c7eebc90ece9e044d5f7f6f27e4

Download Submit
C:\Windows\zykjn16.ini

Filesize
101B

MD5
0bd688eb7f5f092db2f77948218d316a

SHA1
2888bfd29fffafba033fefc300d370c7938f526b

SHA256
fe4b17fef62df8cf25880dc563be2588b7b5129a57c0a78bf22c69c86e25ed3e

SHA512
d0dc7b3dd33efd728546f50905df96592a13a5a17910906978a3e3eb10dc57e3807661a9adbc7d37cc0e68f13e3cdd4b53036da1f5ce46230e97e0972142d516

Download Submit
C:\Windows\zykjn16.ini

Filesize
362B

MD5
ed3157b26ad213b267de25be25d8d4b6

SHA1
375a25137650d8a75ba7c42a87da30e492662f8a

SHA256
ff31c2d77e0898672f5cd4782d95ba2fc83dd32d133763b8d74053d4de090fa9

SHA512
d10b15aa6c326bd8ea54a39265d624c67a1fc8012d9e2258d25231788d62a741cc94494b3742155b9e3fd277fcae201307bf91fa23b3ea4f2a4f3e3a8878cf56

Download Submit
C:\Windows\zykjn16.ini

Filesize
487B

MD5
f36074df96a7bcb3cd9915511715ed29

SHA1
2fa38995dc1e38ef5dedfccb47d48d605c7d34fd

SHA256
d7c5bdca9a93a990813b527599ed1265144a0301b8347398740a770e49823446

SHA512
8cfbd0afaefb8999a26332abba116b2c663df68dc9741eddf55427cec719f5a9a0eb63b7a1f40a5c1836866968eb3fab442bc2b2d315fe393167247b4d7b4b0a

Download Submit
C:\Windows\zykjn16.ini

Filesize
403B

MD5
457556acbfab9ad602bfd53072b40eb7

SHA1
f4634aa41546134161afd40b59319ff662f6e715

SHA256
ba75e64cae27e5705229904371144fbc28a22c904b7095b0142288e4e39c14e6

SHA512
5be904687f10c7466a3cd96543b5dfb9aefcf742d54f47a5a78fc515130247d696e23c41ef88addf5fb1294c685a2012257b916b7cc38dfb730ece9ce37fb116

Download Submit
C:\Windows\zykjn16.ini

Filesize
409B

MD5
195db8af378982c66d2c5790bb957763

SHA1
bfe30a6ee1fb419b0364141df253e2a27c549a4c

SHA256
d074e57105e238a19cf2bd4976f3f1b01011187379803f08dee28c6b2b2d14bb

SHA512
6e19c3402b6888b4e0238a4f58003b78bdbf344f7e4c0da97d1bbd5d0a89ae165dbaffd5c37752cb21767182a3b92515153d030b916babe3ceeb7ee0e3f89a01

Download Submit
C:\Windows\zykjn16.ini

Filesize
442B

MD5
c6a97980f124be92f35ad738192d8e7d

SHA1
d8a7f2f8de82343531847afd76bc049c47509738

SHA256
ab1b270dc957d7003ff117a0f5c7eff7b88cbbe6a5fd137ddd99ee3027aaeb99

SHA512
684e0fba08e2cbb2d4328f1daf2298f56516154da1bb51240a31a2651b6cd33a72ef814dd862feff547e235eeb0d49bced0be01d47f64f740a7d822e5c4e7873

Download Submit
C:\Windows\zykjn16.ini

Filesize
455B

MD5
27ca838691506f4bb4ae3c4cd4b7fe5f

SHA1
34dd9df93305dbdb546eb3eeffcca1d854654d09

SHA256
aed4f5e735e263c2dc5f8dabe5b4c7837a8d04c35dc6ecb18fbda4f17a9ca816

SHA512
a6f705463305b083e38123bda471acda22861129c4a2d7d6b1631105ab03db6a8e5cb92c45fa6382308af249f515b44e27d4c86ca784e130fc0e9a31d3c1336b

Download Submit
\??\c:\zycj.bat

Filesize
57B

MD5
d3a8d006dd1395e0797e113d4f3d5f55

SHA1
453192a63308f942a8155b929902b5ae3241b92d

SHA256
f2dbb8aef112c104833a3cf423a22b5f73696ad4c048450a06e7354602e3219d

SHA512
63fdd6356039d381044465b5e870f1c96be108ad8fdc113a3753b0d44a9ef84babdf0d4c053bed5d7150c0a361a9e8aac18eb70f83c42730dc39297389e1e72c

Download Submit
\Windows\SysWOW64\inf\svczynt.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\system\zykjnzayjhxpRes080517.exe

Filesize
102KB

MD5
5bf3d7f43382f498b711737525d32734

SHA1
b923473ceb369b79db1497ca42747b3fc1f12860

SHA256
95e6e5215007536451ad0676a029f8449928112383a1605992dede9b3c8d39a4

SHA512
d06727f8ea63fcc11b32d70ae68cc4ca69d04cfc36f8bcf465eebbfa70b39d81eaa85dbf557092b8c5ee6e1ec73af8003f38da038a520173a46dbea47aec9e83

Download Submit
memory/2084-52-0x0000000000120000-0x000000000012D000-memory.dmp

Filesize
52KB

Download
memory/2084-68-0x0000000000120000-0x000000000012D000-memory.dmp

Filesize
52KB

Download
memory/2084-949-0x0000000000120000-0x000000000012D000-memory.dmp

Filesize
52KB

Download