96b9d8d02343dae2b820a05e8c854aa21a5d2cb071e025d5c082eadc0a1b59ef

Analysis

max time kernel
145s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
Size

103KB
MD5

cfdb4036b1b6fc21581f6c0bdb0d9afe
SHA1

332c637df0a8ef70534eae87bc3524fa1031b357
SHA256

96b9d8d02343dae2b820a05e8c854aa21a5d2cb071e025d5c082eadc0a1b59ef
SHA512

0e54f594e7bbd8b3e84936815b65508627aec4babaf8901fb0006495da6526f3fed3fbcb96afa872f94bc8a1abdd18f06c34849cd503132f0e458021dd6baaa1
SSDEEP

1536:Qx9tIs/cW0lQ1aH5QjGM7rau7Y3LxKjHVSqQF7/4flSV56WdJfjxppEc1:0ItoaH5QjONG1SBF7AflS76WdJ3e8

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	zayjhxpRes080630.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\zuoyue = "C:\\Windows\\system32\\inf\\svch0st.exe C:\\Windows\\system32\\lwizyy16_080630.dll zyd16"	zayjhxpRes080630.exe

Deletes itself 1 IoCs

pid	Process
2748	svch0st.exe

Executes dropped EXE 2 IoCs

pid	Process
2748	svch0st.exe
2364	zayjhxpRes080630.exe

Loads dropped DLL 7 IoCs

pid	Process
2728	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
2748	svch0st.exe
2748	svch0st.exe
2748	svch0st.exe
2748	svch0st.exe
2564	cmd.exe
2564	cmd.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\scrszyys16_080630.dll	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lwizyy16_080630.dll	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mwiszcyys32_080630.dll	zayjhxpRes080630.exe
File created	C:\Windows\SysWOW64\inf\svch0st.exe	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svch0st.exe	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scrsyszy080630.scr	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mwiszcyys32_080630.dll	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zuoyu16.ini	svch0st.exe
File opened for modification	C:\Windows\zuoyu16.ini	zayjhxpRes080630.exe
File opened for modification	C:\Windows\zuoyu16.ini	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File created	C:\Windows\system\zayjhxpRes080630.exe	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svch0st.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zayjhxpRes080630.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	zayjhxpRes080630.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED505911-6C64-11EF-943D-F245C6AC432F} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431798497"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2728	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
2728	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
2364	zayjhxpRes080630.exe
2364	zayjhxpRes080630.exe
2364	zayjhxpRes080630.exe
2364	zayjhxpRes080630.exe
2364	zayjhxpRes080630.exe
2364	zayjhxpRes080630.exe
2364	zayjhxpRes080630.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
Token: SeDebugPrivilege	2728	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
Token: SeDebugPrivilege	2364	zayjhxpRes080630.exe
Token: SeDebugPrivilege	2364	zayjhxpRes080630.exe
Token: SeDebugPrivilege	2364	zayjhxpRes080630.exe
Token: SeDebugPrivilege	2364	zayjhxpRes080630.exe
Token: SeDebugPrivilege	2364	zayjhxpRes080630.exe
Token: SeDebugPrivilege	2364	zayjhxpRes080630.exe
Token: SeDebugPrivilege	2364	zayjhxpRes080630.exe
Token: SeDebugPrivilege	2364	zayjhxpRes080630.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2748	2728	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2748	2728	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2748	2728	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2748	2728	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2564	2748	svch0st.exe	31
PID 2748 wrote to memory of 2564	2748	svch0st.exe	31
PID 2748 wrote to memory of 2564	2748	svch0st.exe	31
PID 2748 wrote to memory of 2564	2748	svch0st.exe	31
PID 2564 wrote to memory of 2364	2564	cmd.exe	33
PID 2564 wrote to memory of 2364	2564	cmd.exe	33
PID 2564 wrote to memory of 2364	2564	cmd.exe	33
PID 2564 wrote to memory of 2364	2564	cmd.exe	33
PID 2364 wrote to memory of 2824	2364	zayjhxpRes080630.exe	34
PID 2364 wrote to memory of 2824	2364	zayjhxpRes080630.exe	34
PID 2364 wrote to memory of 2824	2364	zayjhxpRes080630.exe	34
PID 2364 wrote to memory of 2824	2364	zayjhxpRes080630.exe	34
PID 2824 wrote to memory of 2884	2824	IEXPLORE.EXE	35
PID 2824 wrote to memory of 2884	2824	IEXPLORE.EXE	35
PID 2824 wrote to memory of 2884	2824	IEXPLORE.EXE	35
PID 2824 wrote to memory of 2884	2824	IEXPLORE.EXE	35
PID 2364 wrote to memory of 2824	2364	zayjhxpRes080630.exe	34

C:\Users\Admin\AppData\Local\Temp\cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\inf\svch0st.exe
  "C:\Windows\system32\inf\svch0st.exe" C:\Windows\system32\lwizyy16_080630.dll zyd16
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c c:\zycj.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\system\zayjhxpRes080630.exe
      "C:\Windows\system\zayjhxpRes080630.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
282d42e2aaf5ad5f7228b278f3f2d49c

SHA1
865d40afc85bb26385102c2aa2a62a2e52ccfaa6

SHA256
55fd081d2bd068c4178a31d2416d3140154af1aab8a5895dad36daa340428940

SHA512
bcabca7e2b05bcc90ada4d4f52b82887b06cd12b5da4c0df0bafc9236f58510b2e1ab52e03d40a4b0c35d3a14e161525763c81d396ba1b165b8e2ed1752b854d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e601ef60c82aefe8cfba5be543cbd41

SHA1
a76706fe83cd542fa36b792d210e712f33b82f48

SHA256
e3909c49dc31a366b0ffd3b1cab335ccd7d0ee2b5914effc645f59c526025fe5

SHA512
078c57cb94034d60506c948e38094253fb216974319ca11be0a3bf47edb835a9c4532ee88a9a715e37ad6697020909566b236294523f289bc56837a7d6fe7c90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6828bfa645a7c505e5f3da383299e446

SHA1
bd71c8650a2ff817f1e8010d325cead9941582d0

SHA256
a0c99e670a120274c6975a25b8875c38e5cff9e722aaf353ee0e8c1208b09dca

SHA512
764d3b36d908d85ebcea1b5d8dcecd1cb45a4481177c13cf7aac3c615e84b2357b5497ed178a23606a42c1e1f11a8509d9beba9c8445686fbb98fe336f213f64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f887ae6548077db336fcf28d5ef9288f

SHA1
c0b0d952df6816a7f88b3f504889fcd332684efc

SHA256
4f442fb1ed9031f4f7361f7c6f2becbfe303f0e0c83a7d5525a67053ad0a6a04

SHA512
c80185d75dd6f60abfb22282d7f192aa9c77c8b20595875d0401891047ad7f754e739abf9aa545cff44d4facd043f18b5a6ab8fb326cdba35f265a82a660c555

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca19460b3a5733088aa8cf4b20f291d6

SHA1
b3cb9534309b558c385f072d85a8c5dc4d1630d3

SHA256
9392c078965e9644ebd886b0fdca369d3bd53b80c51dfed6b27115b3676e5be2

SHA512
a95a1b04a0ef7f01c311c560942b211032fb786675c59b092f7547f710ab5cb95c66675bbdd9a27a043d7e75174378d7469162d4a881357ea5cd01bcfaa3e318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2025b198a83769f286e31794e83f38cc

SHA1
5b1c90ca4894fd96b63466804e10424002f19fd3

SHA256
3b33d6b0a4968090898e82e79c5b7ab219e520df4b41b75e836054e389cd7d8b

SHA512
64c1b1423187134aca8d07e8854e2d2dca538a84099fae20091e8a299677c5fde7cbde085d61c3c68ea2d7f719c2c3ac9be22646eceff4086c3f61da5d0694c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c09043eab31709013d8dc81044a3fb08

SHA1
d5415f5ce827e9f4dea84509da79e69390ffb304

SHA256
ec1f179df037eadca1d71e5b52eb37158eb1a53594479aea975e833998d0436c

SHA512
95b9d7d6d02330c05e6afebb8789d8a006006737d0829d052bb5925d0a013f00a84b1f37306522f07495cecf317d922a1d83e6d281a52ae7e0fe186cabc9b680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
344c5546094feab70c3c9ef727d877d6

SHA1
c53f337f3035695dfa28f3e561f1e0d0476e0e04

SHA256
461e6d7dfbff1f048bb4ee05fa080dc05697e606901420c2cdf9c2eb6a8b9c6a

SHA512
975a63a9911134e9c007ce66a443adf9ff40071399e099eb732266a3fa3cd4e8494edf98bf4085f2a01ab70b0b1ba8379669b27d77650d0fd2ef26a531f77131

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1931ea9cd9381e16db45b417e92d9e65

SHA1
c391e9b2c6e99c3355c89fe9f0128baeb839a4ed

SHA256
b51cdeb02917c37c846b6a0f069815c2ad72c8b1ee1877b1dc0b3069e0ebb26b

SHA512
ad637105cb2796cc1705e6c1a610273a136eaab805211292e30e2af5e65f6ae0f3a1bcd6c28850b5b8c161cf6d8795f3947e13b90d84c81d733d79d09d27ccad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ea21546bef2c52710eba2aa50a3d9ca

SHA1
ba2cd63a1f60e2b44fc5b8aa6bd4b7d39ff037d4

SHA256
98109bea8cb2fbcb8e9162abe2c4c67f53eab68cb54c7fcdcfdf07f201c3a625

SHA512
25a863362bac280c9003f89667e3d10f615ef09ea5ac30b2db7b14d6414155cd8d7508383ccef19f6f36fe286313326e2802b8383278dfb698bc86aec65db723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cc777bf5f51a9d0d2bab64bcf57a89a

SHA1
f8b2a24c0d40867f53d73ceba2060007105d93b5

SHA256
01145962f6a3919df6f71ba9a3cc6b6bf1905862c8498a49dd7c467adcf3e410

SHA512
3d731f5fefc82b3e901eeeeedef6ac4ca7d5f1ed781332909247b8e2bbe6b644845f91395984327dea503d90a03355a2d1318d3ca5db7738183a7a0c4434c69f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fac74dfc40b22d505558131b59992f3d

SHA1
7f2d68ea99725c0196322b8f1dbb33da0ac2e977

SHA256
e6389f2f88b571e60901806679bcc8c6a2ce65b57b160dfece37b09c048d1233

SHA512
ebfe8ecabf520cbd869a93fe573ecc61d96b5eef049793e8ba33a88e918fffa0830a1ddaf7005388b74c77cc1cb3cfe8b662a803c064b3409572f4e60a0b1c6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8d3c86004e6d06ae9ca8f255bfc99b0

SHA1
82fcbf453b5b34693af9838d645b33307d19ea97

SHA256
8fe531eecf24d93956f81e9daa11ebfaa5812469a377e7faeee68e4c3feb42d2

SHA512
dae48b54f3a165e11fb7613aa7b6f17306320d65188e3d15c0e3d363805e4d25d6851321c84db7db0acc87f09340df8401954ee8b59251fbdccb4ce98117b98f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8499f378e1aa844a0dbd5ec03f530f4

SHA1
68808220330367ca76d0d8264c19cc0af984bf4c

SHA256
2ea3352ca3e478c009d6e38cb71b7ba1d2bbf30c31835de1c50b752aedd7e4eb

SHA512
4b701ad784630b0853602d9c8d6773e1f11179b2db5f70424c01bb833207eb6790d6a50cbbc16f6b9e2bdc0a4d3e5123c16a5ff20e691ee7b3ad3734a5ffaf29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71243e985a5aafcad17a0b5a18c90900

SHA1
53863a8b8718fafa560e8890a46787f81bc9ef10

SHA256
4b5d6ff48d0dcfdabfd1d4b72e6b61d70a5fdfcba4fe4575d789e80392b0af15

SHA512
8d3bc2f31edee01728a044c09918f09f5abc7e4577ed806df966a3256d10e17277379b806ebb3c34b2acbb9a0df39a315763267cd610677a32926136be87270b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c51ed7d4253ead82b770d81b765db59f

SHA1
c4cb32f147fb4b04aaa06811434a2e29c0541327

SHA256
0fa20024b90e51b1c91b3a09762717752cfd5cb5447e9d47ddb415f74b287597

SHA512
ab1430a353fcb29766e3b58539da6c286c4766bec7dc9a4739e4a52a91655b6a6b5d9028b7b5e42ef663b8ed7e3263e33a771652357c17d8aae32e6e72c181a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43d51f90f8c6e5f309164c4d04746e54

SHA1
5ccf3a284b99f55fac376c540faceed8f06988b0

SHA256
bb591b7f3c524c65f2f42a8318eea8baba7f842f6544ca6326f1fbbd1ad3a8c7

SHA512
a75a8f76e1d3cb8e5b71bde65a373ec64011890eab2cd2035355763572e9585dd6e029e400758fbcb1cb5bc40e5c2e0666de3e125922ae0fa32f3d955e84a44e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7e01f974bbf7c5f8c1c80b9dc4185e7

SHA1
b7d16fe90e0d4bba61853ee281e2230cd54c0d85

SHA256
8e20124843d0a5def13c9c10ad9ac572afae553b9f4262f814fd67ceff59599c

SHA512
31872f684388fbbb68cc7691c624744c6c6fa8b4fbd42e1280a9abdeb897c092e995b55726114bd5d535547cefca014caf6ad2599f3841e1e91cfa172a6bbbca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7daa19e721159e2f4795228d9a1bc36

SHA1
14800f57b489190e4393a222e05d790922c02c65

SHA256
2719fbdf837b633ae143bf147a6edbf1875f1b23cae9fd43ac96932deac56f26

SHA512
924e113ed1dde34aa24accdad587f6ded3f01e8421591063d67b02d586abe38c4108a8f8547bb2b2728a3e2c1558b950fa5313ffc10ce34cda0fe8f184311a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB0CB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB419.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\mwiszcyys32_080630.dll

Filesize
201KB

MD5
3e0608938eac7b06d5bcc5170f951f3c

SHA1
8125073e410a9fdd0f095768104a2af894ce8839

SHA256
bfacaa7dfde8ecd919f8091ea91d4217f57614ca1a6a0cba3a7b1bce7fb2c6f0

SHA512
1b67125fa470491f231ba635848f1da0bb7280fa19de490e386e450bbca5e7c0e0a53c084c49c0bb0d7c2998e4d1e0bc413f137364df1c50ae9e548e6a69b463

Download Submit
C:\Windows\zuoyu16.ini

Filesize
46B

MD5
70a9cebac5afe6f0b45cb73ff1f4b23a

SHA1
a88b91476a3aca1d5830b75b1576cb2772ba9ce2

SHA256
4af0df4b6ead7950430e7dd66bc1785ca92a66cd77f51fddec7170a28aaa8e2b

SHA512
c298c177cb872bf70252bc91b1c0c8bda1bbfdf826c4953a8453758833cf6248f7193f0cb9c2c40b9d7bec0323edfbf90200c05585ce0f20f277759f70686062

Download Submit
C:\Windows\zuoyu16.ini

Filesize
339B

MD5
d42aa332e6669c28a6816d157cac8241

SHA1
4297c10716a9e3b6f6405bc81b0b9ec17a310aa1

SHA256
fa4bc8dc98775f6a38c92694f8bfee3432f37b1d3e0f69bc30fbf847736dc53c

SHA512
ed01d4e684e4ee40c2c73e91b64cbe2558f62046160d32beeabb8c9f460981bab213967524e42bee9f7a75d356bcb22228db520a17351045f77eeca80402224d

Download Submit
C:\Windows\zuoyu16.ini

Filesize
464B

MD5
bd5e7e1f4df18d9c59f29e512382bc4b

SHA1
37b06b57db1685f3276f58ea54cbfcb10e81a864

SHA256
109e1529d5e6567d123b41cdff863a62f9e2af40b8eb4182e8539d3931a514fb

SHA512
a11cc396e82a7aaa922dad4f5cc32d632582553eb6f3e95d554f9d0012e2ab9d8bc0483294025b314bf50249b9838a3208ddab03eb647a0341f1edd456bad420

Download Submit
C:\Windows\zuoyu16.ini

Filesize
380B

MD5
175a1b07bb910930eb8d50ffdcde4138

SHA1
859ac6fe6636bcc73bd040da80fbc9fe23f75f54

SHA256
520253bed6fdb88c25f98b1569ce56c4b079945104fbe310c3acc26654ef55e4

SHA512
43597c66854cf67bb8604efa1fbdcb6152ab47be1083ede97deb4c893bfd510ff97d37db9ed39c7df4fa56d05fd1a17c43f3a7dd50aed5a0dcfb4808129767c0

Download Submit
C:\Windows\zuoyu16.ini

Filesize
386B

MD5
64eb04d30b15aeb1f4946b1061b8cf79

SHA1
11108a9bca8ed90b99aa2d7f00c073645599f8a1

SHA256
ad4ad82e380b867b54f675a2e383fa62b43fe67864e0388daa3b191ed99b5776

SHA512
04386d395746446318e0317bc7b88ca15bcc9b8a6a8cc38fb630d07808f6d0766d637420f038885e031520c1fa4e17ec4f486ac9fec99bdf5fe8a46619be77c5

Download Submit
C:\Windows\zuoyu16.ini

Filesize
419B

MD5
835532e33795254906799809ec54c359

SHA1
9d223d33bc26a8e52b68398a6025158bf5c8f04f

SHA256
9c5e00bd3f26f50d2d8ee979a23dd125e2f6da842858a08bc3858f688c367f67

SHA512
383c6ec7c78f260e7d8fe7851763de1e0b5cfd3ba6179079c8baf508a556bdd10c92fdd7b808c778deb604bc39bbe3ae08752777a01a603936b79ebeb2e9a498

Download Submit
C:\Windows\zuoyu16.ini

Filesize
432B

MD5
9c605c0dbaa2b49f3ab7216fc3cac5b2

SHA1
da0e9d49e0dee79d825ddc644fe6a9fdd6fd64e5

SHA256
0adc234131217741a3fa2944ecade576d607e3562586522bfed954957cb55b42

SHA512
3f18ca7036095d96ef61db6ce18c5e801135cb03cba03731538a84cf193f2c59529d2794419e258f9ccb9bf4f93314c2bc176306b59581d4ef52265f26059e7a

Download Submit
\??\c:\zycj.bat

Filesize
52B

MD5
f083d32a39d9f6939ca87034eceed221

SHA1
d058c1c02fd1c46b357a92219913a22d1b984746

SHA256
82e2a76346020613292e1dae72775ea55e47c16fb037f2a3f3d477fbd7c674a6

SHA512
30252d5fe17eee25099b8b1c8c1dd7af66d3d81a8f28a8ab7be29a19991ca61ed74f3b0932bf07692d269f3f9c2c2adc202508b9b7e1462cdf943e8c776d1aee

Download Submit
\Windows\SysWOW64\inf\svch0st.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\lwizyy16_080630.dll

Filesize
29KB

MD5
2b68fcc47c8570039662d22945bf5491

SHA1
bf929fd27c521c2de27227fba19c3dc8c46cb659

SHA256
76acfb92164a2536ffa7ef75312d76cbf4027462df5ff8ee9deb80ff14930c2f

SHA512
a252041aa55d1c00295944cca40e72de23d9bdf1b93c6670e71108c3642ee67b8682fa7735a913fabadb0dd977a8110dc9eedfbe8bc14c303ac1803449e68333

Download Submit
\Windows\system\zayjhxpRes080630.exe

Filesize
103KB

MD5
cfdb4036b1b6fc21581f6c0bdb0d9afe

SHA1
332c637df0a8ef70534eae87bc3524fa1031b357

SHA256
96b9d8d02343dae2b820a05e8c854aa21a5d2cb071e025d5c082eadc0a1b59ef

SHA512
0e54f594e7bbd8b3e84936815b65508627aec4babaf8901fb0006495da6526f3fed3fbcb96afa872f94bc8a1abdd18f06c34849cd503132f0e458021dd6baaa1

Download Submit
memory/2748-510-0x00000000000D0000-0x00000000000DD000-memory.dmp

Filesize
52KB

Download
memory/2748-52-0x00000000000D0000-0x00000000000DD000-memory.dmp

Filesize
52KB

Download
memory/2748-68-0x00000000000D0000-0x00000000000DD000-memory.dmp

Filesize
52KB

Download
memory/2748-949-0x00000000000D0000-0x00000000000DD000-memory.dmp

Filesize
52KB

Download