96b9d8d02343dae2b820a05e8c854aa21a5d2cb071e025d5c082eadc0a1b59ef

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
Size

103KB
MD5

cfdb4036b1b6fc21581f6c0bdb0d9afe
SHA1

332c637df0a8ef70534eae87bc3524fa1031b357
SHA256

96b9d8d02343dae2b820a05e8c854aa21a5d2cb071e025d5c082eadc0a1b59ef
SHA512

0e54f594e7bbd8b3e84936815b65508627aec4babaf8901fb0006495da6526f3fed3fbcb96afa872f94bc8a1abdd18f06c34849cd503132f0e458021dd6baaa1
SSDEEP

1536:Qx9tIs/cW0lQ1aH5QjGM7rau7Y3LxKjHVSqQF7/4flSV56WdJfjxppEc1:0ItoaH5QjONG1SBF7AflS76WdJ3e8

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\zuoyue = "C:\\Windows\\system32\\inf\\svch0st.exe C:\\Windows\\system32\\lwizyy16_080630.dll zyd16"	zayjhxpRes080630.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	zayjhxpRes080630.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	svch0st.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	zayjhxpRes080630.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
5060	svch0st.exe

Executes dropped EXE 2 IoCs

pid	Process
5060	svch0st.exe
5068	zayjhxpRes080630.exe

Loads dropped DLL 2 IoCs

pid	Process
5060	svch0st.exe
5060	svch0st.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lwizyy16_080630.dll	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mwiszcyys32_080630.dll	zayjhxpRes080630.exe
File created	C:\Windows\SysWOW64\inf\svch0st.exe	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svch0st.exe	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scrsyszy080630.scr	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mwiszcyys32_080630.dll	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scrszyys16_080630.dll	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zuoyu16.ini	zayjhxpRes080630.exe
File opened for modification	C:\Windows\zuoyu16.ini	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File created	C:\Windows\system\zayjhxpRes080630.exe	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
File opened for modification	C:\Windows\zuoyu16.ini	svch0st.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svch0st.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zayjhxpRes080630.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3287317916"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432401600"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3285755550"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EF73DF3E-6C64-11EF-AC6B-7221D8032630} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31129713"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	zayjhxpRes080630.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3285755550"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31129713"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31129713"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1188	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
1188	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
1188	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
1188	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe
5068	zayjhxpRes080630.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
Token: SeDebugPrivilege	1188	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
Token: SeDebugPrivilege	5068	zayjhxpRes080630.exe
Token: SeDebugPrivilege	5068	zayjhxpRes080630.exe
Token: SeDebugPrivilege	5068	zayjhxpRes080630.exe
Token: SeDebugPrivilege	5068	zayjhxpRes080630.exe
Token: SeDebugPrivilege	5068	zayjhxpRes080630.exe
Token: SeDebugPrivilege	5068	zayjhxpRes080630.exe
Token: SeDebugPrivilege	5068	zayjhxpRes080630.exe
Token: SeDebugPrivilege	5068	zayjhxpRes080630.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4980	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4980	IEXPLORE.EXE
4980	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 5060	1188	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe	86
PID 1188 wrote to memory of 5060	1188	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe	86
PID 1188 wrote to memory of 5060	1188	cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe	86
PID 5060 wrote to memory of 2660	5060	svch0st.exe	87
PID 5060 wrote to memory of 2660	5060	svch0st.exe	87
PID 5060 wrote to memory of 2660	5060	svch0st.exe	87
PID 2660 wrote to memory of 5068	2660	cmd.exe	89
PID 2660 wrote to memory of 5068	2660	cmd.exe	89
PID 2660 wrote to memory of 5068	2660	cmd.exe	89
PID 5068 wrote to memory of 4980	5068	zayjhxpRes080630.exe	92
PID 5068 wrote to memory of 4980	5068	zayjhxpRes080630.exe	92
PID 4980 wrote to memory of 2376	4980	IEXPLORE.EXE	93
PID 4980 wrote to memory of 2376	4980	IEXPLORE.EXE	93
PID 4980 wrote to memory of 2376	4980	IEXPLORE.EXE	93
PID 5068 wrote to memory of 4980	5068	zayjhxpRes080630.exe	92

C:\Users\Admin\AppData\Local\Temp\cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfdb4036b1b6fc21581f6c0bdb0d9afe_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\inf\svch0st.exe
  "C:\Windows\system32\inf\svch0st.exe" C:\Windows\system32\lwizyy16_080630.dll zyd16
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c c:\zycj.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\system\zayjhxpRes080630.exe
      "C:\Windows\system\zayjhxpRes080630.exe" i
      4⤵
      Adds policy Run key to start application
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4980 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ba1bf8cf86ec57057637af172911cd13

SHA1
32daf654da1afadd3021d486164516318295debf

SHA256
77fb6880c4ae2e78d705501c19c9cd4a4d3d2f9e42d45e313561caa0b6c832e0

SHA512
46780dd891659bde9eb87f07c857a43de3de9eccc53077b437282d1dd0c1339321399b0faa4cc2a6534396cdd4d358209bfe1f9622bda1e5681acef2b9c4a255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
e9354073dc7c4c6e704db4da3f56235c

SHA1
5b927e99de1b868039b81e0e26797b919f91c9ef

SHA256
64c5e2364109bc5b141e8edd13a18d312313ca7a90ac33655fabd62ca242b53e

SHA512
d9b651599c1728883318df6749d834c8d7bdef801f4faf81078c619de85014caab06db821c04c1756df80b98550f6dd2933159192571177da0c9f711d46a1bd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\inf\svch0st.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\lwizyy16_080630.dll

Filesize
29KB

MD5
2b68fcc47c8570039662d22945bf5491

SHA1
bf929fd27c521c2de27227fba19c3dc8c46cb659

SHA256
76acfb92164a2536ffa7ef75312d76cbf4027462df5ff8ee9deb80ff14930c2f

SHA512
a252041aa55d1c00295944cca40e72de23d9bdf1b93c6670e71108c3642ee67b8682fa7735a913fabadb0dd977a8110dc9eedfbe8bc14c303ac1803449e68333

Download Submit
C:\Windows\SysWOW64\mwiszcyys32_080630.dll

Filesize
201KB

MD5
3e0608938eac7b06d5bcc5170f951f3c

SHA1
8125073e410a9fdd0f095768104a2af894ce8839

SHA256
bfacaa7dfde8ecd919f8091ea91d4217f57614ca1a6a0cba3a7b1bce7fb2c6f0

SHA512
1b67125fa470491f231ba635848f1da0bb7280fa19de490e386e450bbca5e7c0e0a53c084c49c0bb0d7c2998e4d1e0bc413f137364df1c50ae9e548e6a69b463

Download Submit
C:\Windows\System\zayjhxpRes080630.exe

Filesize
103KB

MD5
cfdb4036b1b6fc21581f6c0bdb0d9afe

SHA1
332c637df0a8ef70534eae87bc3524fa1031b357

SHA256
96b9d8d02343dae2b820a05e8c854aa21a5d2cb071e025d5c082eadc0a1b59ef

SHA512
0e54f594e7bbd8b3e84936815b65508627aec4babaf8901fb0006495da6526f3fed3fbcb96afa872f94bc8a1abdd18f06c34849cd503132f0e458021dd6baaa1

Download Submit
C:\Windows\zuoyu16.ini

Filesize
46B

MD5
70a9cebac5afe6f0b45cb73ff1f4b23a

SHA1
a88b91476a3aca1d5830b75b1576cb2772ba9ce2

SHA256
4af0df4b6ead7950430e7dd66bc1785ca92a66cd77f51fddec7170a28aaa8e2b

SHA512
c298c177cb872bf70252bc91b1c0c8bda1bbfdf826c4953a8453758833cf6248f7193f0cb9c2c40b9d7bec0323edfbf90200c05585ce0f20f277759f70686062

Download Submit
C:\Windows\zuoyu16.ini

Filesize
464B

MD5
bd5e7e1f4df18d9c59f29e512382bc4b

SHA1
37b06b57db1685f3276f58ea54cbfcb10e81a864

SHA256
109e1529d5e6567d123b41cdff863a62f9e2af40b8eb4182e8539d3931a514fb

SHA512
a11cc396e82a7aaa922dad4f5cc32d632582553eb6f3e95d554f9d0012e2ab9d8bc0483294025b314bf50249b9838a3208ddab03eb647a0341f1edd456bad420

Download Submit
C:\Windows\zuoyu16.ini

Filesize
380B

MD5
175a1b07bb910930eb8d50ffdcde4138

SHA1
859ac6fe6636bcc73bd040da80fbc9fe23f75f54

SHA256
520253bed6fdb88c25f98b1569ce56c4b079945104fbe310c3acc26654ef55e4

SHA512
43597c66854cf67bb8604efa1fbdcb6152ab47be1083ede97deb4c893bfd510ff97d37db9ed39c7df4fa56d05fd1a17c43f3a7dd50aed5a0dcfb4808129767c0

Download Submit
C:\Windows\zuoyu16.ini

Filesize
386B

MD5
64eb04d30b15aeb1f4946b1061b8cf79

SHA1
11108a9bca8ed90b99aa2d7f00c073645599f8a1

SHA256
ad4ad82e380b867b54f675a2e383fa62b43fe67864e0388daa3b191ed99b5776

SHA512
04386d395746446318e0317bc7b88ca15bcc9b8a6a8cc38fb630d07808f6d0766d637420f038885e031520c1fa4e17ec4f486ac9fec99bdf5fe8a46619be77c5

Download Submit
C:\Windows\zuoyu16.ini

Filesize
419B

MD5
835532e33795254906799809ec54c359

SHA1
9d223d33bc26a8e52b68398a6025158bf5c8f04f

SHA256
9c5e00bd3f26f50d2d8ee979a23dd125e2f6da842858a08bc3858f688c367f67

SHA512
383c6ec7c78f260e7d8fe7851763de1e0b5cfd3ba6179079c8baf508a556bdd10c92fdd7b808c778deb604bc39bbe3ae08752777a01a603936b79ebeb2e9a498

Download Submit
C:\Windows\zuoyu16.ini

Filesize
432B

MD5
e2f593bc0f9b5996adb908aee6ce6f9c

SHA1
d96a56c29ebc5cb02f3678e639aaedbae5e39855

SHA256
763aa8e5b1e83d703f39a18040c5710b05e0c60f5e9c60d4c309b5237b5abc43

SHA512
0602be7dd716c29ac2c6522bb695f867d3cf9296e436b8e1298ff7d4d67b00254d85ba68ffa741ede67eee70c74186ba6fa8948adcafffb444cfe1f9880e1ee3

Download Submit
\??\c:\zycj.bat

Filesize
52B

MD5
f083d32a39d9f6939ca87034eceed221

SHA1
d058c1c02fd1c46b357a92219913a22d1b984746

SHA256
82e2a76346020613292e1dae72775ea55e47c16fb037f2a3f3d477fbd7c674a6

SHA512
30252d5fe17eee25099b8b1c8c1dd7af66d3d81a8f28a8ab7be29a19991ca61ed74f3b0932bf07692d269f3f9c2c2adc202508b9b7e1462cdf943e8c776d1aee

Download Submit
memory/5060-72-0x00000000001F0000-0x00000000001FD000-memory.dmp

Filesize
52KB

Download
memory/5060-65-0x00000000001F0000-0x00000000001FD000-memory.dmp

Filesize
52KB

Download
memory/5060-56-0x00000000001F0000-0x00000000001FD000-memory.dmp

Filesize
52KB

Download
memory/5060-111-0x00000000001F0000-0x00000000001FD000-memory.dmp

Filesize
52KB

Download