6a024d3b4eabf45133037d02464ac3388570c88a9fe6faba9a6f1042cd857b0a

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 21:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
Size

26KB
MD5

ff5b0b30186671027d17fde28d166f2f
SHA1

16ea51f24b8de99ca31bcba424244b34f0bc0676
SHA256

6a024d3b4eabf45133037d02464ac3388570c88a9fe6faba9a6f1042cd857b0a
SHA512

f56a0f22020597983f600ca302ed70ede95d9f9f325e257b49c0a7fef9c4ae044d9b723c8dec3d9e39269a278fe8b49d7015d38e6a01768fa6943bbd669b42a1
SSDEEP

768:mMKsHCEl626DrxX0ftM/yqRG6ifhMpbebBY:mNsH3l62wrxSMxifhMpCbW

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	wincheck_zy080610.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\mscheck_zy = "rundll32.exe \"C:\\Windows\\system32\\wincheckzy080610.dll\" zyjkl"	wincheck_zy080610.exe

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2952	wincheck_zy080610.exe

Loads dropped DLL 6 IoCs

pid	Process
2536	rundll32.exe
2536	rundll32.exe
2536	rundll32.exe
2536	rundll32.exe
2812	cmd.exe
2812	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wcheckzy.dll	wincheck_zy080610.exe
File created	C:\Windows\SysWOW64\wincheck_zy080610.exe	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wincheck_zy080610.exe	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wincheckzy080610.dll	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wincheckzy080610.dll	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wcheckzy.dll	wincheck_zy080610.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\checkcj_zy.ini	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
File opened for modification	C:\Windows\checkcj_zy.ini	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wincheck_zy080610.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
620	PING.EXE
2132	PING.EXE
2680	PING.EXE
2416	PING.EXE
1016	PING.EXE
2832	PING.EXE
2780	PING.EXE
1172	PING.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{85CA30C1-7EA9-11EF-AD2E-6E295C7D81A3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
2680	PING.EXE
2416	PING.EXE
1016	PING.EXE
2832	PING.EXE
2780	PING.EXE
1172	PING.EXE
620	PING.EXE
2132	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
2952	wincheck_zy080610.exe
2952	wincheck_zy080610.exe
2952	wincheck_zy080610.exe
2952	wincheck_zy080610.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
Token: SeDebugPrivilege	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
Token: SeDebugPrivilege	2952	wincheck_zy080610.exe
Token: SeDebugPrivilege	2952	wincheck_zy080610.exe
Token: SeDebugPrivilege	2952	wincheck_zy080610.exe
Token: SeDebugPrivilege	2952	wincheck_zy080610.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2268	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2268	iexplore.exe
2268	iexplore.exe
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2536	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	30
PID 2424 wrote to memory of 2536	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	30
PID 2424 wrote to memory of 2536	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	30
PID 2424 wrote to memory of 2536	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	30
PID 2424 wrote to memory of 2536	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	30
PID 2424 wrote to memory of 2536	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	30
PID 2424 wrote to memory of 2536	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	30
PID 2424 wrote to memory of 2908	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	32
PID 2424 wrote to memory of 2908	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	32
PID 2424 wrote to memory of 2908	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	32
PID 2424 wrote to memory of 2908	2424	ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe	32
PID 2908 wrote to memory of 2780	2908	cmd.exe	34
PID 2908 wrote to memory of 2780	2908	cmd.exe	34
PID 2908 wrote to memory of 2780	2908	cmd.exe	34
PID 2908 wrote to memory of 2780	2908	cmd.exe	34
PID 2536 wrote to memory of 2812	2536	rundll32.exe	35
PID 2536 wrote to memory of 2812	2536	rundll32.exe	35
PID 2536 wrote to memory of 2812	2536	rundll32.exe	35
PID 2536 wrote to memory of 2812	2536	rundll32.exe	35
PID 2812 wrote to memory of 2952	2812	cmd.exe	37
PID 2812 wrote to memory of 2952	2812	cmd.exe	37
PID 2812 wrote to memory of 2952	2812	cmd.exe	37
PID 2812 wrote to memory of 2952	2812	cmd.exe	37
PID 2952 wrote to memory of 2268	2952	wincheck_zy080610.exe	38
PID 2952 wrote to memory of 2268	2952	wincheck_zy080610.exe	38
PID 2952 wrote to memory of 2268	2952	wincheck_zy080610.exe	38
PID 2952 wrote to memory of 2268	2952	wincheck_zy080610.exe	38
PID 2268 wrote to memory of 1860	2268	iexplore.exe	39
PID 2268 wrote to memory of 1860	2268	iexplore.exe	39
PID 2268 wrote to memory of 1860	2268	iexplore.exe	39
PID 2268 wrote to memory of 1860	2268	iexplore.exe	39
PID 2952 wrote to memory of 2268	2952	wincheck_zy080610.exe	38
PID 2952 wrote to memory of 968	2952	wincheck_zy080610.exe	40
PID 2952 wrote to memory of 968	2952	wincheck_zy080610.exe	40
PID 2952 wrote to memory of 968	2952	wincheck_zy080610.exe	40
PID 2952 wrote to memory of 968	2952	wincheck_zy080610.exe	40
PID 968 wrote to memory of 1172	968	cmd.exe	42
PID 968 wrote to memory of 1172	968	cmd.exe	42
PID 968 wrote to memory of 1172	968	cmd.exe	42
PID 968 wrote to memory of 1172	968	cmd.exe	42
PID 968 wrote to memory of 620	968	cmd.exe	43
PID 968 wrote to memory of 620	968	cmd.exe	43
PID 968 wrote to memory of 620	968	cmd.exe	43
PID 968 wrote to memory of 620	968	cmd.exe	43
PID 968 wrote to memory of 2132	968	cmd.exe	45
PID 968 wrote to memory of 2132	968	cmd.exe	45
PID 968 wrote to memory of 2132	968	cmd.exe	45
PID 968 wrote to memory of 2132	968	cmd.exe	45
PID 968 wrote to memory of 2680	968	cmd.exe	46
PID 968 wrote to memory of 2680	968	cmd.exe	46
PID 968 wrote to memory of 2680	968	cmd.exe	46
PID 968 wrote to memory of 2680	968	cmd.exe	46
PID 968 wrote to memory of 2416	968	cmd.exe	47
PID 968 wrote to memory of 2416	968	cmd.exe	47
PID 968 wrote to memory of 2416	968	cmd.exe	47
PID 968 wrote to memory of 2416	968	cmd.exe	47
PID 968 wrote to memory of 1016	968	cmd.exe	48
PID 968 wrote to memory of 1016	968	cmd.exe	48
PID 968 wrote to memory of 1016	968	cmd.exe	48
PID 968 wrote to memory of 1016	968	cmd.exe	48
PID 968 wrote to memory of 2832	968	cmd.exe	49
PID 968 wrote to memory of 2832	968	cmd.exe	49
PID 968 wrote to memory of 2832	968	cmd.exe	49
PID 968 wrote to memory of 2832	968	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff5b0b30186671027d17fde28d166f2f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\wincheckzy080610.dll" zyjkl
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\mycjjk_zy.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\wincheck_zy080610.exe
      "C:\Windows\system32\wincheck_zy080610.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\program files\internet explorer\iexplore.exe
        
        "C:\program files\internet explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2268
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1860
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\jkDe_zy.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:968
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1172
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:620
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2132
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2680
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2416
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\jkDe_zy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cf856fc6ca71b8dc3356abf00226edf

SHA1
ef9307868c3d7af4d33bb214409fa7fd1e556822

SHA256
e84d863ed3f0ad991c657c817b7f1e1cec193b0732bcc02593a82f8b83e734a0

SHA512
14392059021851bccf88d4c2f20632e6df10003d13942649cb26ee3644c536127096a132d5e30a65c7c27eab1b89bb7c507b30073c989f7fe42034cc0eb89851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
327cd19387e5f2b5319a2115e09da8e2

SHA1
aac36d7df96312c89f01c07dab4989661291ae04

SHA256
3f3c32e24fb4b81c0803d5f50b846e7474c871a31dcc6b877be2dc1edd732c92

SHA512
56681845df13511596d293542cd24797d4db8f2f1fe3efd29182049fa50dd86fbf6027125fc81d22eb5f52ddba89c789813788254a6d4e19829b378088bc2693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ea27c380f855f8d32f36180fb3d52b8

SHA1
2a36b4db281668f0e3c3b8e3cf5ff3e1bb4a032b

SHA256
d62604406306e07f5d55e03895b5dbcf2d6e3e78ce030a85138c8675ab8847df

SHA512
a371c6d171c14aae89c3df49b0c1dedbe634b801bc8658e6243c509d43e4fd4a25356fb42952019cb805fb48f63c0f8e39e7f1edf54a9c4db8573490045719eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07477a1480e42255702e5c2ce9bf5d73

SHA1
689373e7c0477948009839a881dc9607da9100f6

SHA256
a611b914f91bdcc7ea0ef52f9f1678fae64d0591d2ef7cd8ef64319ef7aae88d

SHA512
80a76f435d0408cb50aa35a220af7e9d043be6b550d9fb2992fab0509287038ca608ae88d3ba3d8cd7467c69741e580ac156949b5ceb34467f94154060dfac10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86a7aa6cbd2a2e74d49dfad44f40afc3

SHA1
d161521f1130d08c8285e1d598f21499b3098dc9

SHA256
5057a529bc85fe197ad681d6e763cc2d699e1282c369665f0ea9ac2193b27bf7

SHA512
f44abb898469bc0613e9e82a9a748d7f606235ae5725e377e0c9140d91f0f542edbb391472add4cbfa190650ea6b2049f816763cbbeee136d1dbe7e6bcf61c5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00449285d03aad8f91ae4d9bb2802b83

SHA1
87d3bf5cbd68315f5a32aaae98a3c3e34f417b8d

SHA256
46263bd6be1da081b3b3c960d2a3be299fdb3bc9456544d15b9d7aba33464e34

SHA512
7d3f41039e3030c0fab29ede8f3bfd9cc411c2975acad3c99c82e6985e898c364b1bea768d84a054ce1e3b0c104f08461f7d33c8b7690e8cf7cac83124a3e236

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59f4ade547c1691f7190ca418a929f81

SHA1
ebd786d5d2e5dccdb3a47ac8ca734669616ad49a

SHA256
36676a9f4735cbf36b857378e88e4d93f1478a228a52f3c53bf7b07db04a8fcb

SHA512
c8234cbf161ccf6cb231689ff0fb6fcf5540693d933b78e68df17eb8b6f8855a3baa666e1810087cd9e9e55a50796f2343bcd47dd57e47da49f45718e5ea4d29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc6fef6bc3c5f3f6a800c267d11bb183

SHA1
7411a5a684d99e494efd7ffdb45f4c8aebd51dd4

SHA256
bb8d6889df7a3cc70787fff8c1f2a5a4caae58b69784c38ddc46d128281a9de3

SHA512
a14915ee4cb012b6f555ceaed5e83c034f753eb24a31b9eaea739bda0ac0d007991848f27272f4c91c3461ab0e12483daba0df39f97a8eadc9bed0ef5ba7ab78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c14f0d37cb5da05f62e96e2541ab6f7c

SHA1
1d95e9459833b4b9a0605e00d6c834fb5a9416a5

SHA256
b6ee49543580e7e68ca607e79a656def8ccc50fd5ec2a6fbf651a5ee99f076d7

SHA512
dbc6d7238dec93b4d0d1a45e544c7964a431be7c15f44b382c4bf13c92cbc7fb66b729045cdd4d6c9d6cdb8aee69bfddf692f669ccfca7cb4a3c30d47ced46fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD05D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD0FC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\wincheck_zy080610.exe

Filesize
26KB

MD5
ff5b0b30186671027d17fde28d166f2f

SHA1
16ea51f24b8de99ca31bcba424244b34f0bc0676

SHA256
6a024d3b4eabf45133037d02464ac3388570c88a9fe6faba9a6f1042cd857b0a

SHA512
f56a0f22020597983f600ca302ed70ede95d9f9f325e257b49c0a7fef9c4ae044d9b723c8dec3d9e39269a278fe8b49d7015d38e6a01768fa6943bbd669b42a1

Download Submit
C:\Windows\SysWOW64\wincheckzy080610.dll

Filesize
27KB

MD5
19d4e5b5697765712b0ac5de5b5a7ffb

SHA1
ae5b7f46afb143560af1ed5350666dc1dfa78199

SHA256
1e89dbb816f13adca629f430d7c72cd5434b992341b7ca6c813e1e608d85dbc0

SHA512
f10692dd5c9236ef42740d2764f1456cac1f1ed116315f00e6e52473827bd62ca20ca2b4d4dce403c61c61d79f4383a7074ed9d14fcf3d2405180362a9e7e213

Download Submit
C:\Windows\checkcj_zy.ini

Filesize
145B

MD5
48d94ef3ab529ddb2d1b77d37cf91009

SHA1
9ea41539b57b516542ce84a24132761eaa93f024

SHA256
62b10f2a2effa9207e4078cfa88d7fd4221c2e4888d1f875e25f6be71877a8ab

SHA512
9ae240e4e40c1ca720deaf6e490956305171960adfaff4803483eb0f24e962327c0ed94e0806e2e95a0001071089f378efc361d78970f29223ae3d7f5031dffa

Download Submit
C:\Windows\checkcj_zy.ini

Filesize
146B

MD5
a7c586caf505a15bdeab4e430ec7716a

SHA1
657f64bef2a7e0afe1b6d4cca98dd17c67a1aea5

SHA256
69cbc9556a9b73fffe729e2c5aeaf905f1515e32c95c984ffd95c9c1213c4d69

SHA512
08514a0c65ca7f64fbfa123c2e568d8e2f85d9e2673d01805f711609acac908f68819113204f6952b37cf9f7f31d0aece847f052ef41c132602bae8538785cd2

Download Submit
C:\jkDe_zy.bat

Filesize
147B

MD5
bc2a96cef3a82e104491a560a6c07ade

SHA1
b1211d95498746ffe220531689877cc7bc52bf66

SHA256
415a6300ca45d9f4be7c893a4f885f5393458e177ad8652ceaea646b1fde23fa

SHA512
f12009a8429055cf1834c6ba9389490638a0c2998d14be2e1a17e46210fcc09f6bfcbd69fc769c78f4ce740c9e9f3db11423ccfa088f47b2d46e0bf795e84c63

Download Submit
C:\jkDe_zy.bat

Filesize
233B

MD5
0ae41ae7dd833462299ba17cd8421816

SHA1
4c1118e0e6a5a805889d90517b24715b895f4425

SHA256
2064fdf6ce3517f2d1fdc03255611ea78a5c7ee8d720d57dc7e8ad4edd51ca64

SHA512
8c4a8ae001d18ced7beee85bba7ffef44f6fc5f8e7705f041c4df0ff54ab1974fbdf2775f1054521de1db3fc99207c35ded3cbb2cb14bb3af016f402121566bd

Download Submit
C:\mycjjk_zy.bat

Filesize
55B

MD5
9e717c3a7882ab630549d85ce4facc1e

SHA1
a0686e6c68940682373c54fbffd1729d67b9d558

SHA256
faeef5b8dae70e655a09d932bbcfb8b029e5fbd080f9d25a5080b49699a7ad28

SHA512
3bcfe57a4cc390b16843cc3310137b510669a8375c3046da3d5e18d608c6e4f299b5ac1e395c5d0f74e820f6f3e895fbc36669acc5f2f2fdc92db07bb7c1ff45

Download Submit
memory/2536-51-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2536-30-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2536-24-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download