ef35ac2b2e72a54b987a95682fc47faaa06ad0e93520e8122e933702dfdb117c

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FunshionInstall.exe
Size

1.8MB
MD5

246f26a450102b53e87f360c6c328f66
SHA1

fa8f3a51d31b785c7865771fe78c1287f324b35a
SHA256

ae36ddd69548deb664d26a0e2a800af4b01a04d13ea3e1b997da14c4a365c0b7
SHA512

daff81fce5b947ec1ef7c336ad04da9556cb7fafc07d81408aaacedf2e41c398eaa4c2e2de9a076244a6812e9033db6426c2954d03008d0d857c55857ea7e7a7
SSDEEP

24576:u8ld8XDqQDbBpDqQDbBc1JV+sk3/4gnwR7mO/+3GUbhBifT0EPVQwEJRYbRwAzfD:uqd8XxpxIVU4gwOGeLaPbRwaixwV

Score

7^/10

discovery upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\???-????????.lnk	FunshionInstall.exe

Executes dropped EXE 7 IoCs

pid	Process
1916	msn054.exe
2392	6.exe
2616	66.exe
836	cfkk.exe
2928	p.exe
2128	z.exe
1988	coopen_setup_100067.exe

Loads dropped DLL 23 IoCs

pid	Process
620	FunshionInstall.exe
620	FunshionInstall.exe
1916	msn054.exe
1916	msn054.exe
1916	msn054.exe
1916	msn054.exe
1916	msn054.exe
2392	6.exe
2392	6.exe
2392	6.exe
2392	6.exe
2392	6.exe
1916	msn054.exe
620	FunshionInstall.exe
620	FunshionInstall.exe
620	FunshionInstall.exe
620	FunshionInstall.exe
836	cfkk.exe
1988	coopen_setup_100067.exe
1988	coopen_setup_100067.exe
1988	coopen_setup_100067.exe
1988	coopen_setup_100067.exe
1988	coopen_setup_100067.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/files/0x00050000000193a8-79.dat	upx
behavioral5/files/0x0007000000016ccd-90.dat	upx
behavioral5/memory/2128-97-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral5/files/0x0007000000016cd7-99.dat	upx
behavioral5/memory/620-87-0x0000000003610000-0x00000000036B2000-memory.dmp	upx
behavioral5/memory/2928-96-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral5/memory/836-95-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral5/memory/836-629-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral5/memory/2128-631-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral5/memory/2928-630-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral5/memory/2928-646-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral5/memory/2128-1079-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral5/memory/2128-1089-0x0000000000400000-0x00000000004A2000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral5/memory/2128-97-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral5/memory/2928-96-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral5/memory/836-95-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral5/memory/836-629-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral5/memory/2128-631-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral5/memory/2928-630-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral5/memory/2928-646-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral5/memory/2128-1079-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral5/memory/2128-1089-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\66.exe	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\coopen_setup_100067.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\msn054.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\p.exe	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\msn054.exe	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\66.bat	66.exe
File opened for modification	C:\Windows\SysWOW64\66.ICO	66.exe
File created	C:\Windows\SysWOW64\看韩剧-最新韩剧在线观看.url	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\看韩剧-最新韩剧在线观看.url	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\z.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259438211	66.exe
File opened for modification	C:\Windows\SysWOW64\p.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\coopen_setup_100067.exe	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\cfkk.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\cfkk.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\66.bat	66.exe
File created	C:\Windows\SysWOW64\66.ICO	66.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259431019	FunshionInstall.exe
File opened for modification	C:\Windows\SysWOW64\66.exe	FunshionInstall.exe
File created	C:\Windows\SysWOW64\z.exe	FunshionInstall.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\ppfilm.exe	p.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn054.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coopen_setup_100067.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FunshionInstall.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral5/files/0x000500000001945c-33.dat	nsis_installer_1
behavioral5/files/0x0006000000019382-103.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d01c63be92ebda01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429503678"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8334DF1-5785-11EF-A7C8-6EB28AAB65BF} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000007cfcf859ec00c72c877347f97ad7a6ba52aa1395b0b6690cbd08a0d826f61435000000000e8000000002000020000000082acfb2f277c52574983ea63512355a6b7d7cb6a701b1821e7373dc8f82c89b20000000debbb17a231555328303d2402f4cb7b1d254cdcf8609db65395b0862ffe1001040000000a3dab792fe6c515e5aa9c105f0885a45ca75038ace4630a8baac0555e5342ff3dad3e8a211ce83711046ece83a5e0182b9fc3f5fe790be591a44cb915ac1545f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000008958cef69d7d75626f0c3c7f5122f8a14cd48f6893e4956949e64e917c2989b2000000000e80000000020000200000009a7b6dc55796eb8a59b2665169fc787fd7408ef7e7d56e2b5d6f9def33ff2a0190000000f89dc6750ce9381746985f6dafe3aea236e4f60df478f1b63f8598220ebf823d684301e447219fdfa4fbc8ca36ea86f6f83e4f16543e713a7d101e47f88069d214bbbf64977754ea7c04fe04948489ec41361ee5cec31f060d046985c28a78ccadcf6d4929a77e322025a109871c387ed946f3490f7ae545b9d7d3785aaecb568e897a19f9270aca3d22b1c69740684d40000000525cd0f2020a855a2a2dfcd5f94b61b44f950c55dc92c01bb99a12945be234885b32159072d32ec6184ce1a356bbbe1139554c8f9b2fdaec976339e32503f27f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8337501-5785-11EF-A7C8-6EB28AAB65BF} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Runs .reg file with regedit 1 IoCs

pid	Process
2324	regedit.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2128	z.exe
Token: SeIncBasePriorityPrivilege	2128	z.exe
Token: 33	2928	p.exe
Token: SeIncBasePriorityPrivilege	2928	p.exe
Token: 33	2128	z.exe
Token: SeIncBasePriorityPrivilege	2128	z.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2868	IEXPLORE.EXE
2660	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
1748	IEXPLORE.EXE
1748	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1916	620	FunshionInstall.exe	30
PID 620 wrote to memory of 1916	620	FunshionInstall.exe	30
PID 620 wrote to memory of 1916	620	FunshionInstall.exe	30
PID 620 wrote to memory of 1916	620	FunshionInstall.exe	30
PID 620 wrote to memory of 1916	620	FunshionInstall.exe	30
PID 620 wrote to memory of 1916	620	FunshionInstall.exe	30
PID 620 wrote to memory of 1916	620	FunshionInstall.exe	30
PID 1916 wrote to memory of 2392	1916	msn054.exe	31
PID 1916 wrote to memory of 2392	1916	msn054.exe	31
PID 1916 wrote to memory of 2392	1916	msn054.exe	31
PID 1916 wrote to memory of 2392	1916	msn054.exe	31
PID 1916 wrote to memory of 2392	1916	msn054.exe	31
PID 1916 wrote to memory of 2392	1916	msn054.exe	31
PID 1916 wrote to memory of 2392	1916	msn054.exe	31
PID 620 wrote to memory of 2616	620	FunshionInstall.exe	32
PID 620 wrote to memory of 2616	620	FunshionInstall.exe	32
PID 620 wrote to memory of 2616	620	FunshionInstall.exe	32
PID 620 wrote to memory of 2616	620	FunshionInstall.exe	32
PID 2616 wrote to memory of 2648	2616	66.exe	33
PID 2616 wrote to memory of 2648	2616	66.exe	33
PID 2616 wrote to memory of 2648	2616	66.exe	33
PID 2616 wrote to memory of 2648	2616	66.exe	33
PID 2648 wrote to memory of 2324	2648	cmd.exe	35
PID 2648 wrote to memory of 2324	2648	cmd.exe	35
PID 2648 wrote to memory of 2324	2648	cmd.exe	35
PID 2648 wrote to memory of 2324	2648	cmd.exe	35
PID 620 wrote to memory of 836	620	FunshionInstall.exe	36
PID 620 wrote to memory of 836	620	FunshionInstall.exe	36
PID 620 wrote to memory of 836	620	FunshionInstall.exe	36
PID 620 wrote to memory of 836	620	FunshionInstall.exe	36
PID 620 wrote to memory of 2928	620	FunshionInstall.exe	37
PID 620 wrote to memory of 2928	620	FunshionInstall.exe	37
PID 620 wrote to memory of 2928	620	FunshionInstall.exe	37
PID 620 wrote to memory of 2928	620	FunshionInstall.exe	37
PID 620 wrote to memory of 2128	620	FunshionInstall.exe	38
PID 620 wrote to memory of 2128	620	FunshionInstall.exe	38
PID 620 wrote to memory of 2128	620	FunshionInstall.exe	38
PID 620 wrote to memory of 2128	620	FunshionInstall.exe	38
PID 836 wrote to memory of 2984	836	cfkk.exe	39
PID 836 wrote to memory of 2984	836	cfkk.exe	39
PID 836 wrote to memory of 2984	836	cfkk.exe	39
PID 836 wrote to memory of 2984	836	cfkk.exe	39
PID 836 wrote to memory of 1304	836	cfkk.exe	40
PID 836 wrote to memory of 1304	836	cfkk.exe	40
PID 836 wrote to memory of 1304	836	cfkk.exe	40
PID 836 wrote to memory of 1304	836	cfkk.exe	40
PID 1304 wrote to memory of 2660	1304	IEXPLORE.EXE	41
PID 1304 wrote to memory of 2660	1304	IEXPLORE.EXE	41
PID 1304 wrote to memory of 2660	1304	IEXPLORE.EXE	41
PID 1304 wrote to memory of 2660	1304	IEXPLORE.EXE	41
PID 2984 wrote to memory of 2868	2984	IEXPLORE.EXE	42
PID 2984 wrote to memory of 2868	2984	IEXPLORE.EXE	42
PID 2984 wrote to memory of 2868	2984	IEXPLORE.EXE	42
PID 2984 wrote to memory of 2868	2984	IEXPLORE.EXE	42
PID 2868 wrote to memory of 1748	2868	IEXPLORE.EXE	43
PID 2868 wrote to memory of 1748	2868	IEXPLORE.EXE	43
PID 2868 wrote to memory of 1748	2868	IEXPLORE.EXE	43
PID 2868 wrote to memory of 1748	2868	IEXPLORE.EXE	43
PID 2660 wrote to memory of 1160	2660	IEXPLORE.EXE	44
PID 2660 wrote to memory of 1160	2660	IEXPLORE.EXE	44
PID 2660 wrote to memory of 1160	2660	IEXPLORE.EXE	44
PID 2660 wrote to memory of 1160	2660	IEXPLORE.EXE	44
PID 836 wrote to memory of 1988	836	cfkk.exe	46
PID 836 wrote to memory of 1988	836	cfkk.exe	46

C:\Users\Admin\AppData\Local\Temp\FunshionInstall.exe
"C:\Users\Admin\AppData\Local\Temp\FunshionInstall.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\msn054.exe
  "C:\Windows\system32\msn054.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe" 7854
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2392
- C:\Windows\SysWOW64\66.exe
  "C:\Windows\system32\66.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\66.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s 66.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2324
- C:\Windows\SysWOW64\cfkk.exe
  "C:\Windows\system32\cfkk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1748
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1160
- - C:\Windows\SysWOW64\coopen_setup_100067.exe
    coopen_setup_100067.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1988
- C:\Windows\SysWOW64\p.exe
  "C:\Windows\system32\p.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\SysWOW64\z.exe
  "C:\Windows\system32\z.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2daedc32726187329ec996dcb4c209f8

SHA1
6d73abad98945e50d4d5091824e3225febebbd75

SHA256
7702bd13ebf33d65e49e1045d804c8fcb7626462828175f538bb10a2798f2a75

SHA512
728904d146f8e5369415fe04cef84a2b2ba2419f3e3fd5af6cf830cb7b6803031abe45a0cbe4dffb33ff679e5c7edc831804252af6fb91b1cc2ff839d1d184ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6352a779dc55d0c70b79d10022fea5a8

SHA1
daa26057ea3323e7d83a4ff63e38a9cea432ff64

SHA256
985e6cd3c9aed448847c05de6c6e3b8152b95e3505357d8e8c654217c0f7bf6c

SHA512
8b750af4a9e69946edf863737848d99c4b2cdb8c0dbc4b30559b6ca436a44649ef3b1df64f22122863d2472c1b9a6051d337ca9591b5cbd4959389f22892ec37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8590215ecd5f5d89746d37aad44c0fef

SHA1
62ada33b06936f9c5c1a9f80db7dc84f76142eac

SHA256
3d6c5a9843b3e4042b94aa557551fa520cb1b5905884ce94cb424b6afe81330b

SHA512
a7268cc459955b722c92de420fde5035ae574ae1db9b25d9c03e363be74a990a227cb62a4d13fb050aef7bfd377977d2fede0932bd6112436f826a091ac7719e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce23946245499d8a935ec4ab7e74340e

SHA1
573a481812a6582274bc334a0218e004c8f542a5

SHA256
0129dd31faf0d8c3562ff5ff7d3f3451dbc03d78bd9242164bf47738be6f1950

SHA512
1dc32b415719ef2757ac802c52f8b01a2e2d342506faedfe0bce3fcca62c9e5560416b094ee90fe88d588974fb1c935221594a940a9c29f16b4f2675550df80a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfbd62b943bf04123259aca508e2fa7b

SHA1
051966dfc2d89c55e743895ce9edea2e28dbf1bc

SHA256
697bb2739389174c70a7acaf9f8ebc811eff967ee5646624269be43a3e4a6fac

SHA512
fce28ed534f99ff12db66b558c94a05ee2e177b4f5d696b14a1ea433a00691d37849e1a52e1546b82f0e1db9b8bbef9825ab67d4f371bfb7d6a5a9dda655fcb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a826176d724b7d4bbe25dda6b69f2a3c

SHA1
1dcd081c8aa87e8b6b82e1bb3540ea66e3605c07

SHA256
1bfe860a754c6c5d85aff4c229e8cbd2a626ba2f2b56c1a73b9839d763fe1208

SHA512
1a088176deb2008162545040018c2da4009062c9076534e05486002b139a1b2b4e5d91f47f30f34a2ea3a599811260875eb923568bccf9bea90ccc565a4769fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ce0c274bb859dd79035b98ee1fa0326

SHA1
43983259ff8a3f98355efa7392d2bfb72a5b89d5

SHA256
62d8a443ca47611501affa1d138aa0671e325de2b432d3853089d669a58bfad7

SHA512
48e9de720d3e528ff7881981aaa7d1c202c39e0fb4c41394fa35a4539fb15c47e834d496e9801061ca6949f552a6a5efc88ac64788599769fb1d5221f7a0aeee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dc0a771dca710110c77f996d8416ae1

SHA1
4bfbb8b4bfa151b67641d0ab767ac77d5f72724e

SHA256
06c793b6d396da7b4bac31c4ff2926ea94c65d2f1789e57aaa8d2043b856e504

SHA512
a8f63c4483eb1ede4b11b22bd0d313ca289b3af2dbc691a75a3445762e98c56a599c53eb44a7790b1b1263a9ac91251e270a3ecd92c6ecff03c3919c7882e5fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a20dff57d615282602a6c13548704080

SHA1
c54cb86a4e807fc4c51cb87f1bb67b90c9548ea4

SHA256
ff15329950bb1d9379dcafbf17d5104810877bc15513dbdad2478ba048be261a

SHA512
4bdfdd2db93052fbcc6d0c4d6b803230ba15f2324e9e9732641857b1f9e54e104665c291c747f5aab2a5da8d7fbfd0473ed0487a79c00f4665626c17b4f8fb43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
137204dadefc3e2fb8c870d537ccedee

SHA1
ad06644280eb369b04a5bd26bfb463bfeef8b039

SHA256
9583bb65669a71ccc377d85531bbd42fde09cfd16a0c926fefd1f092f215d386

SHA512
e56c72c017ade419f509e4af323d179088d3a65e754b9dc1f1afd6591a68da489acb2f0356f06efee0a03911f29265d8db9d971dde00d90dc167b4bc5ac540a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e4ae1d8b31f8cf639a4a453af13fb94

SHA1
569fc2a7dd728385761730646aefc6af1b8bbeb8

SHA256
77bc696ada04146cf2a7d5433f32644c1c11b7e3e6708129a9d01c12644dec06

SHA512
beef39dd230c9a57716abcb3902277b0b5717fb3e77cbc1828e3fabc35fcdf534e41b7b4206b1aae5e0e9f1421fc73cb9e8d9aead8f05f04fcbf85d3f7780b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7690df33221d3aa2a1f7a7fce01aa327

SHA1
3ee5a4eee528f742478629a830368bf89d73131b

SHA256
f7164ba08f4fd74471220d3ae70e620361331e770c30281162f1f4d4fd9e3471

SHA512
76494de7b507c1c5721c89f355c26202b860d98dc82dc25cfb0faff7acae26bf6fc321e7701e78775bd82450e9b509b61f455484b5b69a6525fb676e49cb7646

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ed45460f970a0b93b7f02879f2f0934

SHA1
00bd92f002dfc7230cf899a4af7f9fe03843bf09

SHA256
848e1d28bfab65c47529ccb4112851952bcd0cf767f2ad0f673a561adcfaff9e

SHA512
bb8de27a75dbb06daaa9747df1a4a10ad6aae23a348183f7a1f080e82b231dc87efcd99a0062bbc8943cc96311c65c1587f2e86dcf5fd709aa417c6cd388c233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91f2f11354a879a41b06ad76774684d3

SHA1
cae43ec27c835398dddd020680ac7efb78f713a0

SHA256
a748c842e9e52c8a83468bd873f0de659c5584c5c025cf15de5595b7f2b24dbd

SHA512
8c77b0b4f7b5cb1e378f1fefde23e7c5727f456b202e8f22235e15bcdeb0a68c73e3c97949f4e3887af6fefb2d1c7a5a2490ffb5437d9f109820c6d56c749de7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1566fa5b4c8e099d9a9d1a0c70deca44

SHA1
fe1b956b17ad1b780d19189739cb0d3415bea60e

SHA256
e60d45044bcb15ac6e3e896af20c42c0dc958b772806a39f915d4d52ecfddaaf

SHA512
f29b46fe76c810cc761b1f6d35df11ac078d51cb92ad8543a9851862cda8124839ccb39de7600e55189a43b01ea3d32432998c6fd17686540a21692249ccf17c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6ec8f1f7e4293b28359b82ec874824c

SHA1
78b795b83e73fbf26d58fc465224add43733f6ef

SHA256
b25dc674ad33067a12765451534486d5554cf08da134ee4990a88ac839a367c3

SHA512
26bf1cfb6efc15af66bc6ef41822ed4b8cf0d11fd4e55dd0d73f54b5f3edfdbcc87f14af1319cf47ab50d2f2f157392dbd9965f483de248e9d3ce04624de63cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ada3bf2965d5de564984dc89fe75178a

SHA1
f36223744ebf7dc5843fbbc7cabeccd7f574c8a4

SHA256
7239993bf057965aa3d5bfba5110572e593bcc1b75b18a03750c4139695cffdb

SHA512
8aa2c45651043c9ee62f78fb7584dcd05f751d6069cbbd3265c016af7496b6583d21a369c3a634336ec6e9d34f50478717154bbd91103246419e924d91c26200

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c59f0901ee6263353e97243a468866c

SHA1
4f003049c5e0a26e44c04355e42c7493329fb5f1

SHA256
dc2d6262fcfe1005cb8d0982b94a207aacbf03dff5dee052c50ad0f0b8450510

SHA512
27d77a3a31bd3fb930d19ff4d743af4fa9cc1a306382430fcfad6733faae042db73abc06fe0373014ceb35aa93ef92ec46fa55391aa94eef5f82e1007c9c9440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0914afb7d2bb89e261b068d5add71430

SHA1
0703877dd8d774c7a8d440b6af60e1ad44335164

SHA256
2e963930bc3503761cf0bfb5b5899322b76af08039a29ecf50813c2fe906b058

SHA512
24faa2312eab94f7187fa22f5fae1849c94126d78a207f58d93c53b05a1e8e3ae5bec26f9126caa1b854ec63cc858fbcb0b5426ff2974934aaa880df180d9e28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E8334DF1-5785-11EF-A7C8-6EB28AAB65BF}.dat

Filesize
4KB

MD5
55c83a459c1cc099c52162757953fe90

SHA1
1766995b07dc9db9d9c6a4cdc187395002b04ae0

SHA256
30a4a667ca8bf0e4bba70ae5f4bdf6316886d64597d72702eb5035ee533d2eb8

SHA512
c199619c419e45d19b88ef31bd448a79f95a55aceddc1a3a38bfc7464e36f07e4d634f844949c809f91d85d9ba5ebb7da6f3217f98cbdfc0fb3cc3f077e8ac13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E8337501-5785-11EF-A7C8-6EB28AAB65BF}.dat

Filesize
5KB

MD5
86576aee42e1e38ff78dce8a97660005

SHA1
6d29dd42b894f37116a5c4d9504c2f6cc4e73f6f

SHA256
d3bfef4a4aaaa18dbe094372235f2097a4287a6efb61d7e1fe581638e1e858af

SHA512
6e8f7b3a3fbd26fc47a7298a2270a02b3d5a1396736c84052741ffb0374209f52b717d9bc30c76bbd510afa1990118119b61b1b78144689c41497e57ae8b430d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF115.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF1D6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD809.tmp\ioSpecial.ini

Filesize
613B

MD5
d8e966c7dd5d8387a5945d53054b4b6c

SHA1
6719bef15a1f3ee0ddd7b49cb9407a45380006e8

SHA256
18945c76f7efb9659fac928ba97a33afd242f6804e8e2391bc699a25eaa6dacf

SHA512
86d28210e927c889fa01289e15aeaec4226c78ecee462fac8a1ae814581ff6ea4c7cb8ac0b939a336c7217595d7166162ed298d6f35eca5b69078e9570767923

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD809.tmp\ioSpecial.ini

Filesize
637B

MD5
b1c797a0b243170b7a23ebc454403969

SHA1
62c421723826f1ee794e8c36ab5d6cf562169e84

SHA256
c8e3e5ea358fc98bcde8dfc24a35767b18ed208e0525f325c0ba4f9e340ec55b

SHA512
daab90d3ee57d2f85fd44ed48c5bb500ff8d6e6c6dbf59b7d41cf8eb4db709d98a25c47a0d9b455ab35738494250eb52fca8e4b88a55a7760429486881cbd77b

Download Submit
C:\Windows\SysWOW64\66.bat

Filesize
35B

MD5
25cbf5fe338535de8ee41ad00521c85d

SHA1
974402d7af3ff2d99ce761ddac6936ece0d5f1fe

SHA256
97bdb7035decc3eaaaee49e9c0cfaf938a8bf7cb18829e6aa64b08ba1e5fb8dc

SHA512
1e867c9e3207eb7ddc962e19656ae36cef5ace44cd5be482df656dec69d70c8a485266b0e7d392e7fe85271faf8639bf0516b7a9827740b710f90cf94af33f68

Download Submit
C:\Windows\SysWOW64\p.exe

Filesize
250KB

MD5
93df99ebeeb59896f862837c105c7659

SHA1
9cd0cf39ac2cd61a9a258cca6f3cef3379c22372

SHA256
44d0be642cec26515473ad39a15f62dfb25efd5ab94a6b5e115d759b6338b7b7

SHA512
b3a672878241bddc1c59cee4bcf16c9d437c721819a3a4e1c2f0db1b015847f9e85dec19570a83d2aa0a53afc57f1a26e42774a6d3ed3174d2d429594dc0f956

Download Submit
\Users\Admin\AppData\Local\Temp\6.exe

Filesize
53KB

MD5
0aa2eeba570f7fae09c21d5bc1a5ad55

SHA1
add5347a2472a20aa2ce287fe26fbbdf0f6a40c0

SHA256
8ad94ac212ba3d41195ea105478eb4a6cd134bfc1ad6a608b1a7c469293d1d70

SHA512
1c2f617372c680110bbb9dc92d9c4163433c2e774625f45104dd2a2ed1f7b5dbf4a0876817da0f3a3247db06630cd32a3ee452bf67d98dae96712a947abadf1e

Download Submit
\Users\Admin\AppData\Local\Temp\nstD809.tmp\InstallOptions.dll

Filesize
12KB

MD5
08c82a46416a5e2b471d457968f53816

SHA1
3e3897c20b9e89b279b4764a633f67955bf8f09a

SHA256
435baf3b7282c9110697a4916834ef9371dd29fae6b4cb8e19c19eb126562dc9

SHA512
91e2055b91d04b2348a923cb298ac6ba3637de5038dc4f849c4d2f1665d17de9cd6eb6a97d42d0f894d65348c8fd8e79cd61b667ea5a78e8960347e8cc8db81d

Download Submit
\Users\Admin\AppData\Local\Temp\nstD809.tmp\System.dll

Filesize
10KB

MD5
61151aff8c92ca17b3fab51ce1ca7156

SHA1
68a02015863c2877a20c27da45704028dbaa7eff

SHA256
af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d

SHA512
4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9B38.tmp\System.dll

Filesize
9KB

MD5
afd989ef7eec6bf952bedfce541fe236

SHA1
5654b71c5b1089c2cec6381d8da5bd14a14e1a37

SHA256
5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

SHA512
f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9B85.tmp\System.dll

Filesize
10KB

MD5
bf01b2d04e8fad306ba2f364cfc4edfa

SHA1
58f42b45ca9fc1818c4498ecd8bac088d20f2b18

SHA256
d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903

SHA512
30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

Download Submit
\Windows\SysWOW64\66.exe

Filesize
107KB

MD5
48ebcf8e1fb241b1606503681db0929c

SHA1
181cdafb12492006328d44005e0176b0d5dcd659

SHA256
8bc4dfec55f068786bed2a1823947c1bb69e92500105efc7ad7fe03aa1217e42

SHA512
9cd2109a353c72b304dd63f4dac0b2a00aa931d32112af6fdff569fe6d0b408dbbc0ab2504a4cecc15cfcc3d6e5fa5da1ab6e4ddae893252593315f5e2e553de

Download Submit
\Windows\SysWOW64\cfkk.exe

Filesize
250KB

MD5
98d1fec11a0aecbc609b6e4f54605806

SHA1
917e92c53496be174c3e7954d0035db5cd362acb

SHA256
6c6911528124c524b77eba811c5e4e6783043daf138a19e17da68ea089debc62

SHA512
8a62552b7ed0305ad955dd688aae8cb6c94c08f2dae7a004fa96fa834a1dcea5f0c9814a44686a719336e1a10be1f1e1ad11ca4e27657aacf253cf5b123ae99c

Download Submit
\Windows\SysWOW64\coopen_setup_100067.exe

Filesize
914KB

MD5
0ed46aa6a317bf47a58ab95cc6761e93

SHA1
8f8bbebdf82c90748c7edc24a98b6390af6dd222

SHA256
6ccc49b0d7c51a5d5bd95ab775d4f2047af0d3358396cf603f04bba28ab6a2a5

SHA512
072706ac2790ab418c8e7c5d748a489a228ad63ff025e905d3ca29038ac7a9f9e816e254274067ff0b31cc64e8ed826ea226a5bdc0262a9254f48e6007aff244

Download Submit
\Windows\SysWOW64\msn054.exe

Filesize
83KB

MD5
d7d65643b8a2fac2f2ef6d8cb3d0a394

SHA1
d4de8ef24f80a7182c3bc3075a5d5d5c08996951

SHA256
6e4378b059b9a06e60b1d4692a7db8b27eebb612a736cdf6d24f2ec11ce5352d

SHA512
1859244869b1ec338e2faef6d0682a1f1cc6da913cf5e215c544b0c861a5daa6669ec22b2a40e05e16c63925a63c9c5065c1383f6505900748eac0d6b4fb814d

Download Submit
\Windows\SysWOW64\z.exe

Filesize
250KB

MD5
473801e9358ff5969ae840566001f278

SHA1
8593d24e6ac4069b58575b27e99c7a3db9c1d82f

SHA256
cd00ea08b6966175f31e1f95fb20c8c8b5040018773c608981bfbf4e35ec415c

SHA512
3672a5f0164635d64b1b4dcf18b10170f5641c53c60b10588ac4160e1a5565c563cdc9539e998f2839557afc0c1a8933ee6d13e22309ac8470fc91aad5b5f91b

Download Submit
memory/620-87-0x0000000003610000-0x00000000036B2000-memory.dmp

Filesize
648KB

Download
memory/620-195-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/620-632-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/620-26-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/620-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/620-85-0x0000000003610000-0x00000000036B2000-memory.dmp

Filesize
648KB

Download
memory/836-95-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/836-629-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-97-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-631-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-1079-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-1089-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2616-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2928-630-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2928-96-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2928-646-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download