Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 145s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/08/2024, 02:03
Static task
- static1
Behavioral tasks
- behavioral1: sample 8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe, resource win7-20240704-en
- behavioral2: sample 8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe, resource win10v2004-20240802-en
- behavioral3: sample $PLUGINSDIR/Banner.dll, resource win7-20240729-en
- behavioral4: sample $PLUGINSDIR/Banner.dll, resource win10v2004-20240802-en
- behavioral5: sample FunshionInstall.exe, resource win7-20240708-en
General
- Target: FunshionInstall.exe
- Size: 1.8MB
- MD5: 246f26a450102b53e87f360c6c328f66
- SHA1: fa8f3a51d31b785c7865771fe78c1287f324b35a
- SHA256: ae36ddd69548deb664d26a0e2a800af4b01a04d13ea3e1b997da14c4a365c0b7
- SHA512: daff81fce5b947ec1ef7c336ad04da9556cb7fafc07d81408aaacedf2e41c398eaa4c2e2de9a076244a6812e9033db6426c2954d03008d0d857c55857ea7e7a7
- SSDEEP: 24576:u8ld8XDqQDbBpDqQDbBc1JV+sk3/4gnwR7mO/+3GUbhBifT0EPVQwEJRYbRwAzfD:uqd8XxpxIVU4gwOGeLaPbRwaixwV
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation by FunshionInstall.exe
  - Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation by 66.exe
- Drops startup file (1 IoC)
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\???-????????.lnk by FunshionInstall.exe
- Executes dropped EXE (7 IoCs)
  - PID 3236 msn054.exe
  - PID 3584 6.exe
  - PID 3312 66.exe
  - PID 4832 cfkk.exe
  - PID 4556 p.exe
  - PID 1304 z.exe
  - PID 1944 coopen_setup_100067.exe
- Loads dropped DLL (6 IoCs)
  - PID 3236 msn054.exe
  - PID 3584 6.exe
  - PID 3584 6.exe
  - PID 3236 msn054.exe
  - PID 1944 coopen_setup_100067.exe
  - PID 1944 coopen_setup_100067.exe
- UPX packed resources (yara rule upx, 13 IoCs)
  - behavioral6/files/0x000700000002362b-67.dat
  - behavioral6/files/0x0007000000023628-75.dat
  - behavioral6/memory/4832-83-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/files/0x0007000000023627-87.dat
  - behavioral6/memory/4556-93-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/1304-96-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/1304-189-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/4832-187-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/4556-188-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/4556-214-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/4556-216-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/1304-228-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/1304-232-0x0000000000400000-0x00000000004A2000-memory.dmp
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- AutoIT Executable (yara rule autoit_exe, 9 IoCs)
  AutoIT scripts compiled to PE executables.
  - behavioral6/memory/4556-93-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/1304-96-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/1304-189-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/4832-187-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/4556-188-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/4556-214-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/4556-216-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/1304-228-0x0000000000400000-0x00000000004A2000-memory.dmp
  - behavioral6/memory/1304-232-0x0000000000400000-0x00000000004A2000-memory.dmp
- Drops file in System32 directory (20 IoCs)
  - File opened for modification C:\Windows\SysWOW64\z.exe by FunshionInstall.exe
  - File created C:\Windows\SysWOW64\coopen_setup_100067.exe by FunshionInstall.exe
  - File created C:\Windows\SysWOW64\msn054.exe by FunshionInstall.exe
  - File created C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240674703 by 66.exe
  - File opened for modification C:\Windows\SysWOW64\66.ICO by 66.exe
  - File created C:\Windows\SysWOW64\66.ICO by 66.exe
  - File opened for modification C:\Windows\SysWOW64\看韩剧-最新韩剧在线观看.url by FunshionInstall.exe
  - File created C:\Windows\SysWOW64\66.exe by FunshionInstall.exe
  - File opened for modification C:\Windows\SysWOW64\coopen_setup_100067.exe by FunshionInstall.exe
  - File opened for modification C:\Windows\SysWOW64\msn054.exe by FunshionInstall.exe
  - File created C:\Windows\SysWOW64\cfkk.exe by FunshionInstall.exe
  - File created C:\Windows\SysWOW64\66.bat by 66.exe
  - File created C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240667687 by FunshionInstall.exe
  - File opened for modification C:\Windows\SysWOW64\66.exe by FunshionInstall.exe
  - File created C:\Windows\SysWOW64\z.exe by FunshionInstall.exe
  - File created C:\Windows\SysWOW64\p.exe by FunshionInstall.exe
  - File created C:\Windows\SysWOW64\看韩剧-最新韩剧在线观看.url by FunshionInstall.exe
  - File opened for modification C:\Windows\SysWOW64\p.exe by FunshionInstall.exe
  - File opened for modification C:\Windows\SysWOW64\cfkk.exe by FunshionInstall.exe
  - File opened for modification C:\Windows\SysWOW64\66.bat by 66.exe
- Drops file in Windows directory (1 IoC)
  - File created \??\c:\windows\ppfilm.exe by p.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: cmd.exe, regedit.exe, IEXPLORE.EXE (3 times), 6.exe, coopen_setup_100067.exe, 66.exe, cfkk.exe, p.exe, FunshionInstall.exe, z.exe, msn054.exe
- NSIS installer (yara rule nsis_installer_1, 2 IoCs)
  - behavioral6/files/0x000700000002362f-28.dat
  - behavioral6/files/0x0007000000023629-103.dat
- Modifies Internet Explorer settings
  IEXPLORE.EXE creates keys and sets values under \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer (raw registry dump omitted).
- Runs .reg file with regedit (1 IoC)
  - PID 3560 regedit.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - Token: 33, PID 1304 z.exe
  - Token: SeIncBasePriorityPrivilege, PID 1304 z.exe
  - Token: 33, PID 4556 p.exe
  - Token: SeIncBasePriorityPrivilege, PID 4556 p.exe
  - Token: 33, PID 1304 z.exe
  - Token: SeIncBasePriorityPrivilege, PID 1304 z.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 1688 IEXPLORE.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs)
  - PID 1688 IEXPLORE.EXE
  - PID 1688 IEXPLORE.EXE
  - PID 872 IEXPLORE.EXE
  - PID 872 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (40 IoCs)
  Each parent-to-child write below appears 2 or 3 times in the raw table (40 events in total); procid_target is given in parentheses.
  - PID 1040 FunshionInstall.exe wrote to memory of 3236 (93), 3 events
  - PID 3236 msn054.exe wrote to memory of 3584 (95), 3 events
  - PID 1040 FunshionInstall.exe wrote to memory of 3312 (101), 3 events
  - PID 3312 66.exe wrote to memory of 4824 (102), 3 events
  - PID 4824 cmd.exe wrote to memory of 3560 (104), 3 events
  - PID 1040 FunshionInstall.exe wrote to memory of 4832 (107), 3 events
  - PID 1040 FunshionInstall.exe wrote to memory of 4556 (108), 3 events
  - PID 1040 FunshionInstall.exe wrote to memory of 1304 (109), 3 events
  - PID 4832 cfkk.exe wrote to memory of 844 (110), 3 events
  - PID 4832 cfkk.exe wrote to memory of 800 (111), 3 events
  - PID 800 IEXPLORE.EXE wrote to memory of 2576 (113), 2 events
  - PID 844 IEXPLORE.EXE wrote to memory of 1688 (112), 2 events
  - PID 1688 IEXPLORE.EXE wrote to memory of 872 (114), 3 events
  - PID 4832 cfkk.exe wrote to memory of 1944 (116), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\FunshionInstall.exe (PID 1040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FunshionInstall.exe"
  Signatures: Checks computer location settings; Drops startup file; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msn054.exe (PID 3236)
    Command line: "C:\Windows\system32\msn054.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\6.exe (PID 3584)
      Command line: "C:\Users\Admin\AppData\Local\Temp\6.exe" 7854
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\66.exe (PID 3312)
    Command line: "C:\Windows\system32\66.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4824)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\66.bat" "
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regedit.exe (PID 3560)
        Command line: regedit /s 66.reg
        Signatures: System Location Discovery: System Language Discovery; Runs .reg file with regedit
  - C:\Windows\SysWOW64\cfkk.exe (PID 4832)
    Command line: "C:\Windows\system32\cfkk.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 844)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 1688)
        Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
        Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 872)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:17410 /prefetch:2
          Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 800)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2576)
        Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
        Signatures: Modifies Internet Explorer settings
    - C:\Windows\SysWOW64\coopen_setup_100067.exe (PID 1944)
      Command line: coopen_setup_100067.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\p.exe (PID 4556)
    Command line: "C:\Windows\system32\p.exe"
    Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\z.exe (PID 1304)
    Command line: "C:\Windows\system32\z.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2788)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
Downloads