Analysis
Max time kernel: 150s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 28/01/2024, 17:11
Tasks
Static task: static1

Behavioral tasks (task, sample, resource)
behavioral1   Funshion/@绿化工具.exe            win7-20231215-en
behavioral2   Funshion/@绿化工具.exe            win10v2004-20231215-en
behavioral3   $PLUGINSDIR/ButtonEvent.dll      win7-20231215-en
behavioral4   $PLUGINSDIR/ButtonEvent.dll      win10v2004-20231215-en
behavioral5   $PLUGINSDIR/InstallOptions.dll   win7-20231215-en
behavioral6   $PLUGINSDIR/InstallOptions.dll   win10v2004-20231215-en
behavioral7   $PLUGINSDIR/KillProcDLL.dll      win7-20231129-en
behavioral8   $PLUGINSDIR/KillProcDLL.dll      win10v2004-20231215-en
behavioral9   $PLUGINSDIR/System.dll           win7-20231215-en
behavioral10  $PLUGINSDIR/System.dll           win10v2004-20231215-en
behavioral11  $PLUGINSDIR/linker.dll           win7-20231215-en
behavioral12  $PLUGINSDIR/linker.dll           win10v2004-20231222-en
behavioral13  Funshion/CoreAAC.dll             win7-20231215-en
behavioral14  Funshion/CoreAAC.dll             win10v2004-20231222-en
behavioral15  Funshion/CrashReport.exe         win7-20231215-en
behavioral16  Funshion/CrashReport.exe         win10v2004-20231215-en
behavioral17  Funshion/FAQ.url                 win7-20231215-en
behavioral18  Funshion/FAQ.url                 win10v2004-20231215-en
behavioral19  Funshion/Funshion.exe            win7-20231215-en
behavioral20  Funshion/Funshion.exe            win10v2004-20231215-en
behavioral21  Funshion/GetMACAddress.dll       win7-20231215-en
behavioral22  Funshion/GetMACAddress.dll       win10v2004-20231222-en
behavioral23  Funshion/LangResEnAmerican.dll   win7-20231129-en
behavioral24  Funshion/LangResEnAmerican.dll   win10v2004-20231222-en
behavioral25  Funshion/RouterSetting.dll       win7-20231215-en
behavioral26  Funshion/RouterSetting.dll       win10v2004-20231215-en
behavioral27  Funshion/SoftReadme.url          win7-20231215-en
behavioral28  Funshion/SoftReadme.url          win10v2004-20231215-en
behavioral29  Funshion/SoftwareDown.url        win7-20231215-en
behavioral30  Funshion/SoftwareDown.url        win10v2004-20231215-en
behavioral31  Funshion/UpdateHistory.url       win7-20231129-en
behavioral32  Funshion/UpdateHistory.url       win10v2004-20231215-en

The submission was an archive: $PLUGINSDIR is the temporary directory an NSIS installer extracts its plugin DLLs into (InstallOptions.dll and System.dll ship with NSIS), and 绿化工具 in @绿化工具.exe translates to "portable-ization tool". This report covers behavioral19, Funshion/Funshion.exe on the Windows 7 x64 image.
General
Target: Funshion/Funshion.exe
Size: 2.7MB
MD5: 12c92913e1e2f029be52e0f3103c3c16
SHA1: 27c755028045ba0304033a68121a255482aa7bf7
SHA256: d1faf8d2282bbe2f15715f703076a145f0c64e3b8c7d2f6f966ad9bcce9f463f
SHA512: 48baa2229cc6c63991fb6a471ab3043f877da6b2dbfeb9a1196a2a6237386621ac4f240d2752c463f17a49f3d0d74716cb0f9009ea3d55efef101644a1fb391d
SSDEEP: 49152:xJUfDTk1VsrS2tOWQMtXDeN0y7lBnvrOqyd+gsAnT6LAsr:snkjq/DeN0yH6q0+lLAo
Signatures
Drops file in Windows directory (1 IoC)
  File opened for modification  C:\Windows\INF\setupapi.app.log  dxdiag.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main  Funshion.exe
Modifies registry class (64 IoCs)
Funshion.exe's entries are the self-registration of the DirectShow filters it ships (RealMedia Source, RealMedia Splitter, RealAudio Decoder and RealVideo Decoder in rmsp.ax; AAC Parser in aac_parser.ax; CoreAAC Audio Decoder in CoreAAC.ax) under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID, listed in the DirectShow filter category {083863F1-70DE-11D0-BD40-00A0C911CE86} with InprocServer32 paths inside C:\Users\Admin\AppData\Local\Temp\Funshion, plus registration of an fsp: URL scheme whose open command launches Funshion.exe with the URL as %1. The dxdiag.exe entries are dxdiag registering its own dxdiagn.dll COM classes. The point worth noting is machine-wide COM servers whose InprocServer32 resolves into a user-writable Temp directory: any process that later instantiates those CLSIDs loads whatever file sits at that path.

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ddeexec\ = "%1" Funshion.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\FilterData = 020000000000600002000000000000003070693300000000000000000100000000000000000000003074793300000000500000006000000031706933080000000000000000000000000000000000000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000 Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" dxdiag.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\InprocServer32\ThreadingModel = "Both" Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\CLSID = "{E21BE468-5C18-43EB-B0CC-DB93A847D769}" Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4665E44B-8B9A-4515-A086-E94ECE374608}\InprocServer32 Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ddeexec\Topic\ = "FSP" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{765035B3-5944-4A94-806B-20EE3415F26F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\rmsp.ax" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{941A4793-A705-4312-8DFC-C11CA05F397E}\ = "RealAudio Decoder" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{941A4793-A705-4312-8DFC-C11CA05F397E}\InprocServer32\ThreadingModel = "Both" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C78B8E2-6C4D-11D1-AEE2-0000F7754B98}\InprocServer32\ThreadingModel = "Both" Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3C78B8E2-6C4D-11D1-AEE2-0000F7754B98} Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3C78B8E2-6C4D-11D1-AEE2-0000F7754B98}\FriendlyName = "AAC Parser" Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" dxdiag.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\ = "CoreAAC Audio Decoder" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\CoreAAC.ax" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\rmsp.ax" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" dxdiag.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID dxdiag.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{941A4793-A705-4312-8DFC-C11CA05F397E}\InprocServer32 Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID dxdiag.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E} Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C78B8E2-6C4D-11D1-AEE2-0000F7754B98}\ = "aac_parser" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3C78B8E2-6C4D-11D1-AEE2-0000F7754B98}\CLSID = "{3C78B8E2-6C4D-11D1-AEE2-0000F7754B98}" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E}\ = "CoreAAC Audio Decoder Info" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\CLSID = "{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}" Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fsp\DefaultIcon Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ddeexec\Application Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" dxdiag.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer dxdiag.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{765035B3-5944-4A94-806B-20EE3415F26F}\CLSID = "{765035B3-5944-4A94-806B-20EE3415F26F}" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C78B8E2-6C4D-11D1-AEE2-0000F7754B98}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\aac_parser.ax" Funshion.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3C78B8E2-6C4D-11D1-AEE2-0000F7754B98}\FilterData = 02000000000040000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000800000009000000083eb36e44f52ce119f530020af0ba77087eb36e44f52ce119f530020af0ba7706175647300001000800000aa00389b71ff00000000001000800000aa00389b71 Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fsp Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\Funshion.exe\" %1" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{238D0F23-5DC9-45A6-9BE2-666160C324DD}\ = "RealVideo Decoder" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{765035B3-5944-4A94-806B-20EE3415F26F}\FriendlyName = "RealMedia Source" Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E}\InprocServer32 Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fsp\ = "URL: fsp Protocol" Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{765035B3-5944-4A94-806B-20EE3415F26F}\InprocServer32 Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" dxdiag.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" dxdiag.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E21BE468-5C18-43EB-B0CC-DB93A847D769} Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4665E44B-8B9A-4515-A086-E94ECE374608}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\CoreAAC.ax" Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\FriendlyName = "RealMedia Splitter" Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{765035B3-5944-4A94-806B-20EE3415F26F} Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{238D0F23-5DC9-45A6-9BE2-666160C324DD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\rmsp.ax" Funshion.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID dxdiag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{941A4793-A705-4312-8DFC-C11CA05F397E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\rmsp.ax" Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" dxdiag.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{941A4793-A705-4312-8DFC-C11CA05F397E}\FilterData = 020000000000400002000000000000003070693300000000000000000900000000000000000000003074793300000000e0000000f00000003174793300000000e0000000000100003274793300000000e0000000100100003374793300000000e0000000200100003474793300000000e0000000300100003574793300000000e0000000400100003674793300000000e0000000500100003774793300000000e0000000600100003874793300000000e0000000700100003170693308000000000000000100000000000000000000003074793300000000e0000000800100006175647300001000800000aa00389b7131345f3400001000800000aa00389b7132385f3800001000800000aa00389b714154524300001000800000aa00389b71434f4f4b00001000800000aa00389b71444e455400001000800000aa00389b715349505200001000800000aa00389b71ff00000000001000800000aa00389b715241414300001000800000aa00389b715241435000001000800000aa00389b710100000000001000800000aa00389b71 Funshion.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{57428EC6-C2B2-44A2-AA9C-28F0B6A5C48E}\Source Filter = "{E436EBB5-524F-11CE-9F53-0020AF0BA770}" Funshion.exe
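The three FilterData values above are what DirectShow stores when a filter registers itself: a serialized REGFILTER2 describing the filter's merit, its pins and the media types each pin accepts, which is how the filter graph decides when to load the .ax file named in InprocServer32. The decoder below is an added example written for this report, not Funshion's or tria.ge's code. It embeds the RealMedia Splitter and AAC Parser blobs copied from the table; the layout it implements (a 16-byte header of version, merit, pin count and a reserved dword; 24-byte pin records tagged "Npi3"; 16-byte media-type records tagged "Nty3" holding offsets into a trailing GUID table) is what those blobs decode to, and it deliberately refuses blobs with pin-medium records rather than guess their layout. The GUID name table and the finding names are the example's own.

```python
"""Decode DirectShow FilterData blobs (serialized REGFILTER2) such as those
written under HKCR\\CLSID\\{083863F1-70DE-11D0-BD40-00A0C911CE86}\\Instance.
Added example for this tria.ge report; not Funshion or tria.ge code."""
import struct
import uuid

# Merit constants and REG_PINFLAG_* bits as defined in the DirectShow SDK headers.
MERITS = {0x00800000: "MERIT_PREFERRED", 0x00600000: "MERIT_NORMAL",
          0x00400000: "MERIT_UNLIKELY", 0x00200000: "MERIT_DO_NOT_USE"}
PINFLAG_ZERO, PINFLAG_RENDERER, PINFLAG_MANY, PINFLAG_OUTPUT = 0x1, 0x2, 0x4, 0x8

# A few well-known GUIDs from uuids.h; anything else is shown raw or as a FOURCC.
KNOWN_GUIDS = {
    "00000000-0000-0000-0000-000000000000": "GUID_NULL",
    "e436eb83-524f-11ce-9f53-0020af0ba770": "MEDIATYPE_Stream",
    "73647561-0000-0010-8000-00aa00389b71": "MEDIATYPE_Audio",
    "73646976-0000-0010-8000-00aa00389b71": "MEDIATYPE_Video",
    "00000001-0000-0010-8000-00aa00389b71": "MEDIASUBTYPE_PCM",
}
FOURCC_TAIL = "-0000-0010-8000-00aa00389b71"   # Data1 is a FOURCC or WAVE_FORMAT tag

# Sample input: the RealMedia Splitter and AAC Parser FilterData values from this report.
RMSP_FILTERDATA = (
    "02000000000060000200000000000000"
    "307069330000000000000000010000000000000000000000"
    "30747933000000005000000060000000"
    "317069330800000000000000000000000000000000000000"
    "83eb36e44f52ce119f530020af0ba770"
    "00000000000000000000000000000000")
AAC_PARSER_FILTERDATA = (
    "02000000000040000200000000000000"
    "307069330000000000000000010000000000000000000000"
    "30747933000000006000000070000000"
    "317069330800000000000000010000000000000000000000"
    "30747933000000008000000090000000"
    "83eb36e44f52ce119f530020af0ba770"
    "87eb36e44f52ce119f530020af0ba770"
    "6175647300001000800000aa00389b71"
    "ff00000000001000800000aa00389b71")


def guid_at(blob, off):
    """Read a GUID stored in Windows little-endian layout at a byte offset."""
    return str(uuid.UUID(bytes_le=blob[off:off + 16]))


def guid_label(g):
    """Name well-known GUIDs; render FOURCC/WAVE_FORMAT-style subtypes readably."""
    if g in KNOWN_GUIDS:
        return KNOWN_GUIDS[g]
    if g.endswith(FOURCC_TAIL):
        data1 = bytes.fromhex(g[:8])[::-1]          # Data1 as laid out in memory
        if all(0x20 <= b < 0x7f for b in data1):
            return "FOURCC " + data1.decode("ascii")
        return "WAVE_FORMAT 0x%04x" % int(g[:8], 16)
    return g


def parse_filterdata(hexstr):
    """Decode one FilterData blob into merit, pins, directions and media types."""
    blob = bytes.fromhex(hexstr)
    version, merit, npins, _reserved = struct.unpack_from("<4I", blob, 0)
    if version != 2:
        raise ValueError("unsupported FilterData version %d" % version)
    off, pins = 16, []
    for _ in range(npins):
        tag = blob[off:off + 4]                      # b'0pi3', b'1pi3', ...
        if tag[1:] != b"pi3":
            raise ValueError("bad pin record tag %r at 0x%x" % (tag, off))
        flags, _instances, ntypes, nmediums, cat_off = struct.unpack_from("<5I", blob, off + 4)
        off += 24
        media_types = []
        for _ in range(ntypes):
            ttag = blob[off:off + 4]                 # b'0ty3', b'1ty3', ... per pin
            if ttag[1:] != b"ty3":
                raise ValueError("bad media type tag %r at 0x%x" % (ttag, off))
            _zero, major_off, sub_off = struct.unpack_from("<3I", blob, off + 4)
            off += 16
            media_types.append((guid_label(guid_at(blob, major_off)),
                                guid_label(guid_at(blob, sub_off))))
        if nmediums:
            # None of the blobs in this report carry medium records; refuse rather than guess.
            raise NotImplementedError("pin medium records are not handled")
        pins.append({
            "direction": "output" if flags & PINFLAG_OUTPUT else "input",
            "renderer": bool(flags & PINFLAG_RENDERER),
            "many": bool(flags & PINFLAG_MANY),
            "zero": bool(flags & PINFLAG_ZERO),
            "category": guid_label(guid_at(blob, cat_off)) if cat_off else None,
            "media_types": media_types,
        })
    return {"version": version, "merit": merit,
            "merit_name": MERITS.get(merit, "0x%08x" % merit), "pins": pins}


def describe(name, hexstr):
    """One line per pin, the way a filter-graph tool would list the registration."""
    info = parse_filterdata(hexstr)
    lines = ["%s: merit %s, %d pin(s)" % (name, info["merit_name"], len(info["pins"]))]
    for i, pin in enumerate(info["pins"]):
        types = ", ".join("%s/%s" % mt for mt in pin["media_types"]) or "(none)"
        lines.append("  pin %d %-6s %s" % (i, pin["direction"], types))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe("RealMedia Splitter", RMSP_FILTERDATA))
    print(describe("AAC Parser", AAC_PARSER_FILTERDATA))
```

Decoded, the splitter advertises an input pin accepting MEDIATYPE_Stream with any subtype at normal merit, and the AAC parser an input pin for MEDIATYPE_Stream and an output pin producing MEDIATYPE_Audio with WAVE_FORMAT tag 0x00ff at unlikely merit; the RealAudio Decoder blob from the table decodes with the same routine and lists nine input subtypes, most of them FOURCCs.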
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  828   dxdiag.exe  (2 occurrences)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                   pid   Process
  Token: SeManageVolumePrivilege  2192  Funshion.exe
  Token: SeRestorePrivilege       828   dxdiag.exe  (7 occurrences)

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  2192  Funshion.exe  (64 occurrences)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid   Process
  2192  Funshion.exe  (64 occurrences)

Suspicious use of SetWindowsHookEx (9 IoCs)
  pid   Process
  2192  Funshion.exe  (8 occurrences)
  828   dxdiag.exe    (1 occurrence)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process       procid_target
  PID 2192 wrote to memory of 2636   2192  Funshion.exe  28  (4 occurrences)
  PID 2192 wrote to memory of 828    2192  Funshion.exe  30  (4 occurrences)
  PID 2192 wrote to memory of 2156   2192  Funshion.exe  35  (4 occurrences)
All twelve writes go from Funshion.exe into the three processes it creates, four per child, which is the pattern the sandbox records for ordinary process creation; on its own it is not evidence of code injection.
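Sixty-four registry lines are too many to read by eye on every report, and the two things worth pulling out here (machine-wide COM servers pointed at a user-writable directory, and a new URL-scheme handler) are mechanical to find. The script below is an added example, not tria.ge tooling: it parses tria.ge's "Set value (kind) <key> = <value> <process>" line format as reproduced in the Signatures section, undoes the backslash escaping tria.ge applies to string values, and reports HKLM InprocServer32 entries that resolve into user-writable paths plus shell\open\command handlers for classes whose default value starts with "URL:". The six sample lines are copied from this report; the finding names and the USER_WRITABLE path list are the script's own choices.

```python
"""Triage tria.ge 'Modifies registry class' IoC lines for COM servers in
user-writable paths and URL-scheme handlers. Added example; not tria.ge code."""
import re

# Constructed sample: six lines copied from this report's registry IoC table.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{765035B3-5944-4A94-806B-20EE3415F26F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\rmsp.ax" Funshion.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\CoreAAC.ax" Funshion.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" dxdiag.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fsp\ = "URL: fsp Protocol" Funshion.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Funshion\\Funshion.exe\" %1" Funshion.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell Funshion.exe',
]

# "Set value (kind) <key> = <value> <process>"; the key ends before the first " = ".
IOC_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<key>.+?) = (?P<raw>.*) (?P<proc>\S+)$')
COM_SERVER_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\\$')
CLASS_DEFAULT_RE = re.compile(r'\\Classes\\([^\\]+)\\$')
URL_HANDLER_RE = re.compile(r'\\Classes\\([^\\]+)\\shell\\open\\command\\$')
# Directories a standard user can write to (this script's own list); a machine-wide
# COM server living here can be replaced by any process running as that user.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def unescape(raw):
    """Strip the quotes tria.ge puts around string values and undo its \\-escaping."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r'\\(.)', r'\1', raw)


def parse_ioc(line):
    """Split one 'Set value' line into kind, key, value and writing process; None otherwise."""
    m = IOC_RE.match(line)
    if not m:
        return None
    kind, key, raw, proc = m.group("kind", "key", "raw", "proc")
    return {"kind": kind, "key": key, "process": proc,
            "value": unescape(raw) if kind == "str" else raw}


def triage(lines):
    """Return the findings an analyst would want surfaced from a list of IoC lines."""
    iocs = [ioc for ioc in map(parse_ioc, lines) if ioc and ioc["kind"] == "str"]
    # A class whose default value starts with "URL:" is a URL scheme, not a file type.
    schemes = set()
    for ioc in iocs:
        m = CLASS_DEFAULT_RE.search(ioc["key"])
        if m and ioc["value"].upper().startswith("URL:"):
            schemes.add(m.group(1).lower())
    findings = []
    for ioc in iocs:
        key, value, proc = ioc["key"], ioc["value"], ioc["process"]
        m = COM_SERVER_RE.search(key)
        if (m and key.upper().startswith("\\REGISTRY\\MACHINE\\")
                and any(p in value.lower() for p in USER_WRITABLE)):
            findings.append({"type": "hklm_com_server_in_user_writable_path",
                             "clsid": m.group(1).upper(), "path": value, "process": proc})
            continue
        m = URL_HANDLER_RE.search(key)
        if m and m.group(1).lower() in schemes:
            findings.append({"type": "url_scheme_handler", "scheme": m.group(1).lower(),
                             "command": value, "process": proc})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_IOCS):
        print(finding)
```

Run against the full table, the script reports the five Funshion.exe InprocServer32 entries under C:\Users\Admin\AppData\Local\Temp\Funshion and the fsp: handler, and stays silent on dxdiag's dxdiagn.dll registration because that path is under C:\Windows.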
Processes
1. C:\Users\Admin\AppData\Local\Temp\Funshion\Funshion.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Funshion\Funshion.exe"
   PID: 2192
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Funshion\XPSP2Patch\evid4226-vc80-mt.exe
      Command line: --silent
      PID: 2636
      No signatures were attributed to this process. The directory and file names refer to Event ID 4226, the Windows XP SP2 limit on concurrent half-open TCP connections.

   2. C:\Windows\SysWOW64\dxdiag.exe
      Command line: dxdiag.exe /whql:off /t C:\Users\Admin\funshion\fsdxdiag.txt
      PID: 828
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      /t writes the DirectX diagnostic report to the named text file under the user's profile; /whql:off disables the WHQL driver-signature check.

   2. C:\Windows\SysWOW64\tracert.exe
      Command line: tracert.exe -d -h 16 -w 800 209.131.36.158
      PID: 2156
      No signatures were attributed to this process. -d suppresses reverse DNS lookups, -h 16 caps the trace at 16 hops and -w 800 sets an 800 ms per-hop timeout.
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4R90HQQX\errorPageStrings[2]
  Filesize: 2KB
  MD5: e3e4a98353f119b80b323302f26b78fa
  SHA1: 20ee35a370cdd3a8a7d04b506410300fd0a6a864
  SHA256: 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
  SHA512: d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

  Filesize: 129B
  MD5: 252c55e068d62fbe2ba1932dd83ac40c
  SHA1: b2ab22f5e407dc62c65be2e968a2cab6d79782e1
  SHA256: 40c2bb267f04ece42442d4fc62538d95ff8d50176c5063114e9bbbb91d84d281
  SHA512: 44fd6a5ed6bcecfe7f24439d7881ded7bed956f9bdc1c9c7134541f3a0b1ebe86ecbcd230a902cd4c7faa59d1d361c8336d8b3d73e849f79c224b1a33e20ddf1

  Filesize: 156B
  MD5: 096aed8d4981b0d4c64695a05fc83a6d
  SHA1: 072ee3334d2dbf2a72b32763bf2207f1ebe91369
  SHA256: 88fd6ab7ad01eb9a8e15c4950fc44b9a6549c35640175fa62313f556ecd9790a
  SHA512: 8cceacc4da9e10ab38842ad66ccd3b9bef0bc43186cd0fafb189769ae38ffefb54fcb01a7e4db5b6cbde273da963fbbceef038a959efcb367e3795175ad61328

  Filesize: 72B
  MD5: d4e46d8d02f0ef65cf60a1a3723ba70f
  SHA1: ceb19e356594a07f7811e1ef811fccd935dc1b4e
  SHA256: abf8143c836df5bafe398cc275b02d840813d93f7a40ccd642d01f9ec9a3b646
  SHA512: b2e9a8b5356a001b15676251cc9e99cb5a2f28e2e350eb3539b39485fe0b2408c30e131cd5e1e999e7f24640e14b4fcf0e3061d716008dc32884759cae8d9d74

  Filesize: 192B
  MD5: 18cbc1233d905de963c2966d548c38b6
  SHA1: 4fdb3b64e335a57595ff51e09953994fc58f2da7
  SHA256: 233a8d5c4e6de7a9a564293006b183427676e6baef14c1ae2a01a63549f76260
  SHA512: 4f23205421b0f697422e6710239ddf534473c94a5a09a8466537723928120ed8418e77e191c1f5ca8008cf8338ded24c1d7b09ab3e2d51fb790c3e603c3344c6

  Filesize: 238B
  MD5: 97351ac65a77734ddaa0fda64f881fdd
  SHA1: 850fcba4a29ab5fcc3fc731ce677d1f9a0c32889
  SHA256: e558d4cfbd9d7ccb7fbe693386302445639a68c4ff3db900e6c0e6dcfbf5d3d6
  SHA512: 6caa396c70508d4e8613068a240aadd1c684d1ff0b75520c3521d9f991e51a47d11a78a9bb449d09f5aab6c4f59e5134544ec97843efd70859a1218fbfab20e6

  Filesize: 320B
  MD5: 99c5959bff131001dd76be3dca5ce7d0
  SHA1: 9f098ddf36edbb7ae84ee071d9819ba8306be4f9
  SHA256: 64323a6d7c6d9910f28b1a0cfa9019549dc1da164b5152ebb3800a37976dfe83
  SHA512: a272119e4ce883c09c42e7d8e430d20d0db5551ee2b97926d24933c9a1ce9e7f42be2cfdc880d5a0131cbf1ae4e0a5bfc7d7295cd853e15eb7d74900e3933b72

  Filesize: 65B
  MD5: 098663c45b01751b04762fc0673f566c
  SHA1: 6d746d9355e37feb05df8f47121b1ea57f5feced
  SHA256: 8d1ff906f8fecd9c5e66d49a309dcb45eb923ece244d9c299ce9ffe3d4b0ca09
  SHA512: 028b3dbf32756d01be54df786d50ad941a6a7ca033863d7b4c696be62cfd1a1701b598ff9a761f073821237f395bcf21edf479ef609a66a1ae7c62b95210c356

  Filesize: 84B
  MD5: 09c482888fbc41e0e24af137c684f47f
  SHA1: 94598fb470baafcb34eaa68271a7292481e0101d
  SHA256: 427ab42b688fa370cff14cc83d0c0a1b87453e0368b4ceb67b87f3c45934de60
  SHA512: 6ffb3544b7a680d02e7f8fd9b46382bc4cf449e8545624be27cb8e9799b3b09da7e371dffba3db015d2f77f13d37c0c82efe271fcece222a7cd6c89a2618a1e2