ef35ac2b2e72a54b987a95682fc47faaa06ad0e93520e8122e933702dfdb117c

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe
Size

1.3MB
MD5

8891f4022ff23fbf7e4c783ecb318b46
SHA1

86a70dfca73d529d95c39418df80376b1e29de02
SHA256

ef35ac2b2e72a54b987a95682fc47faaa06ad0e93520e8122e933702dfdb117c
SHA512

b081a397077ed18e1c3fc6f0ffcbdae9282310db6d6483f32a8c37006ffe166bb265c2c6dcb20acff5a597c3b8785103091a7d6e21be301c6ab2cb5b736dbe9a
SSDEEP

24576:/RXutlSbt0UXW7ISMBG4ywCv0GRxrwaL8vHy3MGC:/kg+b7uIxwaLOS3Mx

Score

7^/10

discovery upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\???-????????.lnk	FunshionInstall.exe

Executes dropped EXE 8 IoCs

pid	Process
2800	FunshionInstall.exe
3060	msn054.exe
2892	6.exe
2212	66.exe
616	cfkk.exe
2680	p.exe
2116	z.exe
2448	coopen_setup_100067.exe

Loads dropped DLL 32 IoCs

pid	Process
2712	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe
2712	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe
2800	FunshionInstall.exe
2800	FunshionInstall.exe
2800	FunshionInstall.exe
2800	FunshionInstall.exe
3060	msn054.exe
3060	msn054.exe
3060	msn054.exe
3060	msn054.exe
2892	6.exe
2892	6.exe
2892	6.exe
2892	6.exe
3060	msn054.exe
2800	FunshionInstall.exe
2212	66.exe
2212	66.exe
2800	FunshionInstall.exe
2800	FunshionInstall.exe
616	cfkk.exe
616	cfkk.exe
2800	FunshionInstall.exe
2680	p.exe
2680	p.exe
2116	z.exe
2116	z.exe
616	cfkk.exe
2448	coopen_setup_100067.exe
2448	coopen_setup_100067.exe
2448	coopen_setup_100067.exe
2448	coopen_setup_100067.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000018fb4-95.dat	upx
behavioral1/memory/616-101-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2800-106-0x0000000003320000-0x00000000033C2000-memory.dmp	upx
behavioral1/files/0x0006000000018d48-102.dat	upx
behavioral1/files/0x0004000000017801-122.dat	upx
behavioral1/memory/2116-123-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2680-115-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/616-388-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2680-389-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2116-607-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2680-666-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2116-1103-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2116-1113-0x0000000000400000-0x00000000004A2000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/616-388-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral1/memory/2680-389-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral1/memory/2116-607-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral1/memory/2680-666-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral1/memory/2116-1103-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral1/memory/2116-1113-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cfkk.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\66.ICO	66.exe
File created	C:\Windows\SysWOW64\z.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\coopen_setup_100067.exe	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\z.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259486915	66.exe
File opened for modification	C:\Windows\SysWOW64\66.bat	66.exe
File opened for modification	C:\Windows\SysWOW64\66.ICO	66.exe
File created	C:\Windows\SysWOW64\看韩剧-最新韩剧在线观看.url	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\看韩剧-最新韩剧在线观看.url	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\66.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\p.exe	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\p.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\msn054.exe	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\msn054.exe	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\cfkk.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259481033	FunshionInstall.exe
File created	C:\Windows\SysWOW64\66.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\66.bat	66.exe
File opened for modification	C:\Windows\SysWOW64\coopen_setup_100067.exe	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\fzluc\FunshionInstall.exe	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fzluc\FunshionInstall.exe	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\ppfilm.exe	p.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FunshionInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coopen_setup_100067.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn054.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000018fb9-49.dat	nsis_installer_1
behavioral1/files/0x0005000000018fac-129.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429503683"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000c89baf4fb47eb69a0cee2fc94dcc8a056e92ca4cbfdc85799df01501bddebbf8000000000e8000000002000020000000c666f830aef3accc9d6010e978b5ab6d5d94d6dd506fb208af80c01e3e84e5d7900000004a6836b9923756af33f7e681f96ce019787b5af0232ec3f5dd7967861a7102c761b0fc60d25752932e09c5e37b515237d25e67a0d11c8b045254054eae9832724a68551026ceb732956f7d2bc795c74faa86f4840a0308e7279828e04dae5c7a2d53075a2468bf48508e0f54dac422f30cdf0f39a4bfb9b1aac3c147c6d135e535b63dfbe471e1d87bf59a7a06a1916a40000000d741f5a595e819eccb4c9f732d44626b32dfb392a0692d0fd3035991928f80b157dd5bfe62aac79a709f405f31a4df1d3525020e55489e8ff64d7cbc77973b12	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b70000000000200000000001066000000010000200000008ec6e7467c775761c309f711e3009d5556c4d2e8da3d3413701b1af93aa0ab23000000000e8000000002000020000000da22c8ed9033bb8fd40ad2bc8c66c337078407cac1c6df5b36458f268ccc02b220000000e2e35f034180058752929b3fb910f8f8edb5bf5632125b5589ff389463842db140000000a4494eb08a1ed0ef4baa93b4951b63505aa0b19fa4789f3a15bd3e7b5a97dc1e69c8bb0e7110fc9f377ebd40cff2b7e691e5d7a9c37f52218daf58a4671667d9	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50cb6ec092ebda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA56C261-5785-11EF-8D34-5A77BF4D32F0} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA546101-5785-11EF-8D34-5A77BF4D32F0} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Runs .reg file with regedit 1 IoCs

pid	Process
2912	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2448	coopen_setup_100067.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2116	z.exe
Token: SeIncBasePriorityPrivilege	2116	z.exe
Token: 33	2680	p.exe
Token: SeIncBasePriorityPrivilege	2680	p.exe
Token: 33	2116	z.exe
Token: SeIncBasePriorityPrivilege	2116	z.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2232	IEXPLORE.EXE
1984	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2800	2712	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2800	2712	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2800	2712	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2800	2712	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2800	2712	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2800	2712	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2800	2712	8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe	30
PID 2800 wrote to memory of 3060	2800	FunshionInstall.exe	32
PID 2800 wrote to memory of 3060	2800	FunshionInstall.exe	32
PID 2800 wrote to memory of 3060	2800	FunshionInstall.exe	32
PID 2800 wrote to memory of 3060	2800	FunshionInstall.exe	32
PID 2800 wrote to memory of 3060	2800	FunshionInstall.exe	32
PID 2800 wrote to memory of 3060	2800	FunshionInstall.exe	32
PID 2800 wrote to memory of 3060	2800	FunshionInstall.exe	32
PID 3060 wrote to memory of 2892	3060	msn054.exe	33
PID 3060 wrote to memory of 2892	3060	msn054.exe	33
PID 3060 wrote to memory of 2892	3060	msn054.exe	33
PID 3060 wrote to memory of 2892	3060	msn054.exe	33
PID 3060 wrote to memory of 2892	3060	msn054.exe	33
PID 3060 wrote to memory of 2892	3060	msn054.exe	33
PID 3060 wrote to memory of 2892	3060	msn054.exe	33
PID 2800 wrote to memory of 2212	2800	FunshionInstall.exe	34
PID 2800 wrote to memory of 2212	2800	FunshionInstall.exe	34
PID 2800 wrote to memory of 2212	2800	FunshionInstall.exe	34
PID 2800 wrote to memory of 2212	2800	FunshionInstall.exe	34
PID 2800 wrote to memory of 2212	2800	FunshionInstall.exe	34
PID 2800 wrote to memory of 2212	2800	FunshionInstall.exe	34
PID 2800 wrote to memory of 2212	2800	FunshionInstall.exe	34
PID 2212 wrote to memory of 2836	2212	66.exe	35
PID 2212 wrote to memory of 2836	2212	66.exe	35
PID 2212 wrote to memory of 2836	2212	66.exe	35
PID 2212 wrote to memory of 2836	2212	66.exe	35
PID 2212 wrote to memory of 2836	2212	66.exe	35
PID 2212 wrote to memory of 2836	2212	66.exe	35
PID 2212 wrote to memory of 2836	2212	66.exe	35
PID 2836 wrote to memory of 2912	2836	cmd.exe	37
PID 2836 wrote to memory of 2912	2836	cmd.exe	37
PID 2836 wrote to memory of 2912	2836	cmd.exe	37
PID 2836 wrote to memory of 2912	2836	cmd.exe	37
PID 2836 wrote to memory of 2912	2836	cmd.exe	37
PID 2836 wrote to memory of 2912	2836	cmd.exe	37
PID 2836 wrote to memory of 2912	2836	cmd.exe	37
PID 2800 wrote to memory of 616	2800	FunshionInstall.exe	38
PID 2800 wrote to memory of 616	2800	FunshionInstall.exe	38
PID 2800 wrote to memory of 616	2800	FunshionInstall.exe	38
PID 2800 wrote to memory of 616	2800	FunshionInstall.exe	38
PID 2800 wrote to memory of 616	2800	FunshionInstall.exe	38
PID 2800 wrote to memory of 616	2800	FunshionInstall.exe	38
PID 2800 wrote to memory of 616	2800	FunshionInstall.exe	38
PID 2800 wrote to memory of 2680	2800	FunshionInstall.exe	39
PID 2800 wrote to memory of 2680	2800	FunshionInstall.exe	39
PID 2800 wrote to memory of 2680	2800	FunshionInstall.exe	39
PID 2800 wrote to memory of 2680	2800	FunshionInstall.exe	39
PID 2800 wrote to memory of 2680	2800	FunshionInstall.exe	39
PID 2800 wrote to memory of 2680	2800	FunshionInstall.exe	39
PID 2800 wrote to memory of 2680	2800	FunshionInstall.exe	39
PID 2800 wrote to memory of 2116	2800	FunshionInstall.exe	40
PID 2800 wrote to memory of 2116	2800	FunshionInstall.exe	40
PID 2800 wrote to memory of 2116	2800	FunshionInstall.exe	40
PID 2800 wrote to memory of 2116	2800	FunshionInstall.exe	40
PID 2800 wrote to memory of 2116	2800	FunshionInstall.exe	40
PID 2800 wrote to memory of 2116	2800	FunshionInstall.exe	40
PID 2800 wrote to memory of 2116	2800	FunshionInstall.exe	40
PID 616 wrote to memory of 1492	616	cfkk.exe	41

C:\Users\Admin\AppData\Local\Temp\8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\fzluc\FunshionInstall.exe
  C:\Windows\system32\fzluc\FunshionInstall.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\msn054.exe
    "C:\Windows\system32\msn054.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\6.exe
      "C:\Users\Admin\AppData\Local\Temp\6.exe" 7854
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2892
- - C:\Windows\SysWOW64\66.exe
    "C:\Windows\system32\66.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\system32\66.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s 66.reg
        5⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2912
- - C:\Windows\SysWOW64\cfkk.exe
    "C:\Windows\system32\cfkk.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
      4⤵
      System Location Discovery: System Language Discovery
      PID:1492
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2232
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2480
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1984
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2100
  - - C:\Windows\SysWOW64\coopen_setup_100067.exe
      coopen_setup_100067.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2448
- - C:\Windows\SysWOW64\p.exe
    "C:\Windows\system32\p.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\SysWOW64\z.exe
    "C:\Windows\system32\z.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f25c610eccabb83bf2fb3481f3aebc07

SHA1
94f39e7eaa7abc98e5900131ee1e12272caa8838

SHA256
459648664fbe7f591ed25bd230ddba0739d149f5ccec55f178694205bdd022fb

SHA512
45bc9949ed73f5b15d99017a6aabcdb70909ca41cd88a7c89b5fafc30ad016902e2ca84b9643f74ad93a1a4a416c95617207fe979e50bbde3acb5a51e492ac73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c6628632d06d9913c59e6e036e8b17b

SHA1
facd0f5f63c567a9b1323f04eabe4e4cf182f8d0

SHA256
23a2ac54add2f885f27fd07896e1d5d26bae4d3daf66f20ac15da0c315c261f8

SHA512
e18c04d36d4f9c6ac0c17e7f7bccdf0c42e839535cb7c084816bd0ff3aa5e149440f6eeba1e589fab80a2c5afb8a0ccba1329c20c37bd4ab83bf5f9c9bbe4d46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
918f01865c6114e758dcd3d9655ad597

SHA1
653efc4ceffb0645a59434e87d92c3f1977c50e9

SHA256
8a4a04a063ac80a62d5f964c1ce9ab1ab7bde70a0c1d4dc491dec9625ab04236

SHA512
36ec79414860fe659b7271c8b6132038679a417fa040d42cb95fc98cb8cfcb378a23c4a7ffb8691eead761737c045534bf66684b5409825f072fc480e7f76ee3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b1bd5219dab4b3b28c988e234a7faf5

SHA1
e22476906ca1321bcbf52a16773d342e6cb32647

SHA256
8d725f0715cc380b7fe414a7e0977d2dccb09f4becd6d2416d7e040fc38cf5d1

SHA512
54f3f7d87eb3707b1748448105a3323a161b908a4035625e630f8d4f432dca87222e97e3ae12803a597df1fc71a44ee864ce9690b612c7cd83e00a268f4915bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fcb2cfefedb87e0b0a767a5fc7ca8e5

SHA1
bf7ff02bf05514a74d7073d1b5c8a440963d4e24

SHA256
1f814e3087cf6c14445fcbc9c5be4c353b5cbe267f369563fd55fa03f56045f7

SHA512
e96bcc079f7b8a21f11c7e50cf25548aeceaa6a75cb18311bdb6be5f65e05dde4626d17914f3b1e996adbd16a7aa79583e0b14d86d5b160e50f8ff508661e8eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72a550ae006c376655b7aa974e683251

SHA1
f53fec6c8b41f33a0b98cf4411cf2e54c4365b5b

SHA256
ce4b7ce8d97c357493c341696dcee971308c93c7268d0836ca3b5b30d769a641

SHA512
8b8c5b91028288d22761377bab5e29356dac01580c64c3db0d72a83fe2739c2857e330fdcb0f00504292e104b1939983b3a286cee665fdbf8e07b2209f300c00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
732232950d12fa5449f58918110f237e

SHA1
4ab431a2e180daf9dfd5f859a177417daa0250ae

SHA256
a3550e819e921e9fd4c7f461a8f8c963ae1d407003985cc2e4f4336daf49ebaf

SHA512
70e6e904ea3c7cdb3c4702bb3de6bf4ae63cfa4e443f6e5b41a9de814306e33214898afc37208894bae1b39eb623a6f70c32bcde5e971db4ff0c85c9df33e5e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a4cc96cd7bd38069d18ac816413e531

SHA1
6e5fe9b3b3056fcc0e6ae071bc357577f1a5251f

SHA256
676907847ee881ea13f6353e1e5e94e0330a0349887da00410f28ebc452a4998

SHA512
5b76cabf0ff83dd0eb22e500efddbd6884d9b0f89d840e94794285c25450a2bfd5b74ab4d15a48a7e0315322ae71c96dfc31870a9962dbc0df0f4d6cf6523105

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7687f9dc6a2f77e8c79f9fe37a29194

SHA1
a13d465be1f25be6e1c7e57dd143dcc66a809bfe

SHA256
2a89c7417d8a1cf6d36ad7fd8cf7ddc6e80fb0eaa795457f57f2c493d4a2f567

SHA512
16a54417361fd0be23402f14ccda1a3aa7781183d24aa4bb000c1dd529216bd4effaeecf26f79d3eb92d582621ae213aebc899deb7131472dfc5b6a19aaad99e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96b954890f9b2527547199b5f37ab734

SHA1
b22d10779c6ddf80eaf275ad28f8f496e5159f8b

SHA256
e6e271bd97f0d68e8cb60c2567d5d7eaa764d650e0b384acf9b9d3f439bf6707

SHA512
0da47d539e1c51e9f167bc4212c7fb3b9190ca628c67a96a3a750169a6030970e8b76fef5a30ab83e7ce9d8befd3cdbd215571b8d6389b9276e0f491a9b74079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02502abdf4bef6d9d84e548bf0a5560a

SHA1
720d2b88789f2401eaba6b778c0a456c8ab55048

SHA256
51bfddb8f98a58090781d72d7ec26c93d1dc65420f511e7c78c02317327ddd17

SHA512
000bbb0acb0639add0fcbdf2bc69fc85b009a5214e3dfe91bde7d522aed16b37431d89f0c0b66424c8318637d8bf764226322327fa94bd86d26c5bfc9045833e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d01ca3a3c94b6c6430112e02f233c8f

SHA1
e036cd21bc743e8de7c4b1e93c8c3dcfb4e49502

SHA256
cbcb599c3af648e6877a7f53188a3db1dea549411af9d4696267403c6bb44b13

SHA512
5121e0779d1a30ded47d7fa38687c7f117bddd02e66df065e259f449822d6050225dffcc672f329454f94eab60e9e61278d7864ce4e2bd9c945f8f0f5b455172

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2729c04b1989174ad7ed2dd500b904b8

SHA1
566ef0116449c9e79bd545180c20a691a5018b4a

SHA256
30b6dfa9f18b1cebabbffd26d368beb27543d7faa2724b82edafbce17b42e348

SHA512
b4afc7071e46e1443fd59b0e216bd51719bb7027af4fe4f6ab5fce856d78708b6f22fbe58dad572da392e0065ac361b0b6ec7fffff560957689351c3d90d4c06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
710d69053c512573fe9fff3b4e891cf7

SHA1
e11176e5e7833e557ae51e8b7c59241b746505af

SHA256
db83268d80dff7e937a9345b6cb834822ca660318da5d8d6b72e0e518e2475e1

SHA512
d947739ddb75260101319c3ea6e04c998101e20fd49b3ba0bfd5deb1534189ee6d73ba499f1a0d4b403575649fa36e0896b38f347c4e63e5054c442c4c9ed324

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d32f425167ce942f0eb3577669fee484

SHA1
cbd71e6c8211e3661c2753edc8ca2f1cf66cb160

SHA256
ed3558106dfca41bde7238e270bf032f7640b986723c3117a1bd4bd4712f125a

SHA512
18172b770a0e3194f6038704f0b260cf9e074383f2be5ee7299aa21726757bceb8f2f3f5b787c61419487f072a19ecf315c9bf2327ab3dd82986d9b310d57de6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
448f530609fa067eb108b2c9502292e5

SHA1
d17041ec1a24fe9a196b031c125983a0bb878934

SHA256
efcddd3a41055149a8c22fe7b17bf400529d3c3cf33bd6f8e6eceb378075ff4c

SHA512
495f659b4d8e6c1797e7a867e97f18e3bf25f50b657c7f7e037112b35f3810853c239116dac8309c6c0ec5087faaeb1c39b72fb9b181821855058eaa881b911b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bb12e5a73f67b4aa79ef0b3b5a48871

SHA1
d0d4367298fb75ceeea24d9c4dd484770be961e9

SHA256
f70e65d85ffa9fcc1fdc5bef854f007bea66087c971fecb9de8f1edfadf183fb

SHA512
9892139dd03ee5ca340f90f724e9eefef7086664317cd64d69e52c227a33daf20c60e667f72ce07c6b1fa2aa5f26032bf93e83699f3018940d3a707d1e7e3a68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fc0b5552124fffc7c04a604a14deb3d

SHA1
5d2c39ba2ab7c49febf93d1d958103e8e2ea8eba

SHA256
e5078b2ac20527594f68d3f460adaee767777acca5e8a6156ab97a5d4394582e

SHA512
ee8ecdf73678f29923ae344a5c9dee00d23d1b1bc234f4836ae6be5202de2a2eac31cf5c0e888d2c6ce5b65efed751a01641d4af62cc4a6fbcf7cc59f20dd117

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
613d90869eecc2cd80f8748a80ac4be9

SHA1
9d007baa5af8b9e3c42a9c5e2c2a8893c818373a

SHA256
61eb750b35a8cda20c4892b05ebc46d31fc00c255f929efee680d1b4d5b1232e

SHA512
593f8dcdb17c771aec6c64ef4a0d65cda6455c0cf837ad9df205a8bb8a52f32f3c42cf184f178176214b23e9071c1d730f4ab86abd70f1ed0fd08bf756930489

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b099fc9d642146c310d4a15d7b4812d

SHA1
33bb34712e7597365ef7fc9d347b530580006dc3

SHA256
b8d1491c58d67478dc5c4b9e48de083a6e4c75ce7f99954b03c42a37a3c41e9c

SHA512
6dff7c9675ee21e0feda68f13daa1ce2cb11d4e66d77e50b26d6a0c95f27990e8e1af6b7309eafec4ae8c18d2c6dff60d9f3c9d82a26cb048fde5894c3de6e2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c36ffe25000588acd7a14537796e5f3

SHA1
a1af9272419fe04540cb6bdbdbffe13cb07a1477

SHA256
f73e94d70b81d5509a0b3ac699ccf33e83d4f50f233b235138baf0fdbc8ee14c

SHA512
c95639f17d576f67a9df462a12ee4ad7ad52e2b4e4d46d5dadc3da826152368e9d6a4b1b419580aefc40e5a961679eca3f00f194c703b8a3a052dc1af0affff8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b47fda050ebb25c2c5838ea3bbbd653a

SHA1
d3e4aad075763aab11f880f3ef1e27deb126a7b1

SHA256
3fee70707c2ca2651f760889c89d230904339853f674eeab233c6682cf66e21b

SHA512
de00593517c65141fd430ef53cbe133d73f08538a42070d36a9274e23c6e814481988f2008993c089a2d65615045b7d7a3bae8054ee0484cc24a41b0734cef1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae24c065af7e8fbe1d64b8a1ffbfbeca

SHA1
cbebd5cc33e2d20ba81d3610712369e0f92dd723

SHA256
b7e37026aa5e5c94f5b0aa950b4874abd72a77e47003faad8dc943d433d82532

SHA512
41c85a7230f2e1f1f30fe838a81c26058fde895ea59d8235eec0a2d06a7def8564853deeff835ab6467b7d74f33c502212a8fef5800409063bedad696869bafd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af9dfffc79584b813d17e05c42085cfa

SHA1
16310a6e2437be6b0dbab4a6720d8a2c928359d4

SHA256
1f59dd826a5bcf1553e5dc16783b23be2318270f5a6bd93f85ec740108e31dab

SHA512
4f6d6b5b6070886897f882505d7c7635512a877f025e127ed09fa0cb49a604c66d98cf07a09af6bf426fd8021a7dadd16815baa1c08eff4844cc40f516bcad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e346b8ec9d78d58fe125eb528e49ed74

SHA1
4df6884eb86347f6e466fbdd04c3c98558f6309d

SHA256
fee6e6b8395ef0f9d549ee209c422c7ee8a75b3e0b8e9da2cfcc6dfb7359def0

SHA512
84e0478cfaefbafbd8ea5854468bb81844fd595ecdba61d5f0285e370cc9db61aed1ab87c570ff7ec6324f2cd21b33e7b048a95394107a82d7d0dc0447b48fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EA546101-5785-11EF-8D34-5A77BF4D32F0}.dat

Filesize
3KB

MD5
240befb3a12ce935661382fddf7c2461

SHA1
2ed1a39d74423a4e270b4999aff9f93ecaa62c5f

SHA256
77ec2646d89608ff43b2ac48830b156e89da68652df3626347a583162bfb0451

SHA512
89b0314ac77fc4e8b5bfbd6e2ac17e1bec6605744a1a949f6ce43646848c54de14ed41faebb22ecf660fe72c1f3c51c1bd3546ad3c1d0b88dd754c762ce2bf62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EA56C261-5785-11EF-8D34-5A77BF4D32F0}.dat

Filesize
5KB

MD5
dc6f8cb71f60d82f1ec1deeacffcb520

SHA1
b3e328feb0170949e26c317934c8fd87b01db887

SHA256
281a3de6d3918b46a946c2beb0689148bb75a02a5dd2746e8d9f8131b7770309

SHA512
d9abe35f6472238d5ef382b31181d8ff3abcb6389c00cae25729d0749c5fad85cfe178c79709c1716e804e7d0e6e4fa64c375ad5a4e40979821f252aff7230ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB147.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB264.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj99E1.tmp\ioSpecial.ini

Filesize
613B

MD5
a714e624ff8cbfa4178d66055181845d

SHA1
36af97e319353e62127853b1394bdf722ef315e7

SHA256
22495a3f3602832f524e338d2dbd899398da6a43f43f36ba58644a97000affa8

SHA512
38d385b9d12561bd4137abf61e4da7723f8819f9a25c820a183aab7c2eb4e43804c3e3290d57e119e65036856e86d4724161e6f49ec81d4442bb6d5152006414

Download Submit
C:\Windows\SysWOW64\66.bat

Filesize
35B

MD5
25cbf5fe338535de8ee41ad00521c85d

SHA1
974402d7af3ff2d99ce761ddac6936ece0d5f1fe

SHA256
97bdb7035decc3eaaaee49e9c0cfaf938a8bf7cb18829e6aa64b08ba1e5fb8dc

SHA512
1e867c9e3207eb7ddc962e19656ae36cef5ace44cd5be482df656dec69d70c8a485266b0e7d392e7fe85271faf8639bf0516b7a9827740b710f90cf94af33f68

Download Submit
C:\Windows\SysWOW64\coopen_setup_100067.exe

Filesize
914KB

MD5
0ed46aa6a317bf47a58ab95cc6761e93

SHA1
8f8bbebdf82c90748c7edc24a98b6390af6dd222

SHA256
6ccc49b0d7c51a5d5bd95ab775d4f2047af0d3358396cf603f04bba28ab6a2a5

SHA512
072706ac2790ab418c8e7c5d748a489a228ad63ff025e905d3ca29038ac7a9f9e816e254274067ff0b31cc64e8ed826ea226a5bdc0262a9254f48e6007aff244

Download Submit
\Users\Admin\AppData\Local\Temp\6.exe

Filesize
53KB

MD5
0aa2eeba570f7fae09c21d5bc1a5ad55

SHA1
add5347a2472a20aa2ce287fe26fbbdf0f6a40c0

SHA256
8ad94ac212ba3d41195ea105478eb4a6cd134bfc1ad6a608b1a7c469293d1d70

SHA512
1c2f617372c680110bbb9dc92d9c4163433c2e774625f45104dd2a2ed1f7b5dbf4a0876817da0f3a3247db06630cd32a3ee452bf67d98dae96712a947abadf1e

Download Submit
\Users\Admin\AppData\Local\Temp\nse59C6.tmp\Banner.dll

Filesize
4KB

MD5
5ce60830e6db34a33f12be5018b21ca2

SHA1
1a4f855b358884d0c67053ec606a5a68aadf75b8

SHA256
8a039174ce882841a97df0871f94e22ebfc5111ac614eb05baf10cd1fd5d8c1a

SHA512
e6590fc8c365e98c6eb59ffcfab6931423b0603ec68b5c10f38004b879c5f3af3ee05d89b88f6fc480236abc9af4945e3146e9017bbd94ca8deac02145b7d903

Download Submit
\Users\Admin\AppData\Local\Temp\nsj99E1.tmp\InstallOptions.dll

Filesize
12KB

MD5
08c82a46416a5e2b471d457968f53816

SHA1
3e3897c20b9e89b279b4764a633f67955bf8f09a

SHA256
435baf3b7282c9110697a4916834ef9371dd29fae6b4cb8e19c19eb126562dc9

SHA512
91e2055b91d04b2348a923cb298ac6ba3637de5038dc4f849c4d2f1665d17de9cd6eb6a97d42d0f894d65348c8fd8e79cd61b667ea5a78e8960347e8cc8db81d

Download Submit
\Users\Admin\AppData\Local\Temp\nsj99E1.tmp\System.dll

Filesize
10KB

MD5
61151aff8c92ca17b3fab51ce1ca7156

SHA1
68a02015863c2877a20c27da45704028dbaa7eff

SHA256
af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d

SHA512
4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

Download Submit
\Users\Admin\AppData\Local\Temp\nst60D7.tmp\System.dll

Filesize
9KB

MD5
afd989ef7eec6bf952bedfce541fe236

SHA1
5654b71c5b1089c2cec6381d8da5bd14a14e1a37

SHA256
5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

SHA512
f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

Download Submit
\Users\Admin\AppData\Local\Temp\nst61C0.tmp\System.dll

Filesize
10KB

MD5
bf01b2d04e8fad306ba2f364cfc4edfa

SHA1
58f42b45ca9fc1818c4498ecd8bac088d20f2b18

SHA256
d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903

SHA512
30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

Download Submit
\Windows\SysWOW64\66.exe

Filesize
107KB

MD5
48ebcf8e1fb241b1606503681db0929c

SHA1
181cdafb12492006328d44005e0176b0d5dcd659

SHA256
8bc4dfec55f068786bed2a1823947c1bb69e92500105efc7ad7fe03aa1217e42

SHA512
9cd2109a353c72b304dd63f4dac0b2a00aa931d32112af6fdff569fe6d0b408dbbc0ab2504a4cecc15cfcc3d6e5fa5da1ab6e4ddae893252593315f5e2e553de

Download Submit
\Windows\SysWOW64\cfkk.exe

Filesize
250KB

MD5
98d1fec11a0aecbc609b6e4f54605806

SHA1
917e92c53496be174c3e7954d0035db5cd362acb

SHA256
6c6911528124c524b77eba811c5e4e6783043daf138a19e17da68ea089debc62

SHA512
8a62552b7ed0305ad955dd688aae8cb6c94c08f2dae7a004fa96fa834a1dcea5f0c9814a44686a719336e1a10be1f1e1ad11ca4e27657aacf253cf5b123ae99c

Download Submit
\Windows\SysWOW64\fzluc\FunshionInstall.exe

Filesize
1.8MB

MD5
246f26a450102b53e87f360c6c328f66

SHA1
fa8f3a51d31b785c7865771fe78c1287f324b35a

SHA256
ae36ddd69548deb664d26a0e2a800af4b01a04d13ea3e1b997da14c4a365c0b7

SHA512
daff81fce5b947ec1ef7c336ad04da9556cb7fafc07d81408aaacedf2e41c398eaa4c2e2de9a076244a6812e9033db6426c2954d03008d0d857c55857ea7e7a7

Download Submit
\Windows\SysWOW64\msn054.exe

Filesize
83KB

MD5
d7d65643b8a2fac2f2ef6d8cb3d0a394

SHA1
d4de8ef24f80a7182c3bc3075a5d5d5c08996951

SHA256
6e4378b059b9a06e60b1d4692a7db8b27eebb612a736cdf6d24f2ec11ce5352d

SHA512
1859244869b1ec338e2faef6d0682a1f1cc6da913cf5e215c544b0c861a5daa6669ec22b2a40e05e16c63925a63c9c5065c1383f6505900748eac0d6b4fb814d

Download Submit
\Windows\SysWOW64\p.exe

Filesize
250KB

MD5
93df99ebeeb59896f862837c105c7659

SHA1
9cd0cf39ac2cd61a9a258cca6f3cef3379c22372

SHA256
44d0be642cec26515473ad39a15f62dfb25efd5ab94a6b5e115d759b6338b7b7

SHA512
b3a672878241bddc1c59cee4bcf16c9d437c721819a3a4e1c2f0db1b015847f9e85dec19570a83d2aa0a53afc57f1a26e42774a6d3ed3174d2d429594dc0f956

Download Submit
\Windows\SysWOW64\z.exe

Filesize
250KB

MD5
473801e9358ff5969ae840566001f278

SHA1
8593d24e6ac4069b58575b27e99c7a3db9c1d82f

SHA256
cd00ea08b6966175f31e1f95fb20c8c8b5040018773c608981bfbf4e35ec415c

SHA512
3672a5f0164635d64b1b4dcf18b10170f5641c53c60b10588ac4160e1a5565c563cdc9539e998f2839557afc0c1a8933ee6d13e22309ac8470fc91aad5b5f91b

Download Submit
memory/616-388-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/616-101-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/616-107-0x0000000000CA0000-0x0000000000D42000-memory.dmp

Filesize
648KB

Download
memory/2116-1103-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2116-1113-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2116-123-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2116-607-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2212-92-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2680-115-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2680-389-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2680-667-0x00000000002C0000-0x00000000002CD000-memory.dmp

Filesize
52KB

Download
memory/2680-666-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2800-106-0x0000000003320000-0x00000000033C2000-memory.dmp

Filesize
648KB

Download
memory/2800-99-0x0000000003320000-0x00000000033C2000-memory.dmp

Filesize
648KB

Download
memory/2800-93-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-608-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download