86812eaf4cfc634f78fc757e5bd92a1562679f892a4c3afe87c673bc2d3dfa2e

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
Size

7.3MB
MD5

6cd1d2e97532ba4b38930fdb67cc0e36
SHA1

9c79f624643117c71cdcd8203b2bd530339dd3c4
SHA256

86812eaf4cfc634f78fc757e5bd92a1562679f892a4c3afe87c673bc2d3dfa2e
SHA512

271cbe2c8a88f0b8935b831541e97996596eee31b976759e85dc9bbf7bfc0aef89836e7538ce73c245d451eed86322732d44ab8b77e592f7ddd906e65a2199d3
SSDEEP

196608:FEthOxzH3FY4gA/yN8eA+QDt3BcE24PJP1ruUl:FEKzH1YPAJ/5B+4XZl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe

Loads dropped DLL 1 IoCs

pid	Process
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\funshion.ini	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
File created	C:\Windows\SysWOW64\funshion.ini	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEB50740-7BEF-11CE-9BD9-0000E202599C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB8-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}\CLSID = "{51B4ABF3-748F-4E3B-A276-C828330E926A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}\FriendlyName = "Internal Script Command Renderer"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{301056D0-6DFF-11D2-9EEB-006008039E37}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\CLSID = "{E4206432-01A1-4BEE-B3E1-3702C8EDC574}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\CLSID = "{1B544C20-FD0B-11CE-8C63-00AA0044B51E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\FriendlyName = "MIDI Parser"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{301056D0-6DFF-11D2-9EEB-006008039E37}\FriendlyName = "MJPEG Decompressor"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\http	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\FriendlyName = "Line 21 Decoder 2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\CLSID = "{E436EBB6-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\file\Source Filter = "{E436EBB6-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{70E102B0-5556-11CE-97C0-00AA0055595A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\CLSID = "{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\FilterData = 02000000000060000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000800000009000000083eb36e44f52ce119f530020af0ba77088eb36e44f52ce119f530020af0ba7707669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor\CLSID = "{B80AB0A0-7416-11D2-9EEB-006008039E37}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB85-524F-11CE-9F53-0020AF0BA770}\Source Filter = "{E436EBB5-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\https	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51B4ABF3-748F-4E3B-A276-C828330E926A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4979309-7A32-495E-8A92-7B014AAD4961}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\CLSID = "{6A08CF80-0E18-11CF-A24D-0020AFD79767}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB84-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\FilterData = 02000000010080000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\CLSID = "{33FACFE0-A9BE-11D0-A520-00A0D10129C0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\FriendlyName = "Multi-file Parser"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48025243-2D39-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}\FilterData = 02000000000020000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\CLSID = "{FEB50740-7BEF-11CE-9BD9-0000E202599C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A1-7548-11CF-A520-0080C77EF58A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB8D-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06B32AEE-77DA-484B-973B-5D64F47201B0}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 1292	4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	83
PID 4644 wrote to memory of 1292	4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	83
PID 4644 wrote to memory of 1292	4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	83
PID 4644 wrote to memory of 2416	4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	84
PID 4644 wrote to memory of 2416	4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	84
PID 4644 wrote to memory of 2416	4644	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\quartz.dll"
  2⤵
  - Modifies registry class
  PID:1292
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /u /s "C:\Program Files (x86)\Funshion Online\2.8.6.75\funoictl.dll"
  2⤵
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SetupFiles\Funshion\gma.dll

Filesize
484KB

MD5
62266ab38841a6161ed3680553b44c4c

SHA1
ee1f981e1ffb3c234ddf06643b26cd24d46556f5

SHA256
ca8b14774d35c88115417154411e70fbe5c6677fee77f059fbd236b36f0cba0e

SHA512
b82327aa29dd2a7f97867aaa91c821094d94495e8364aceef71e957e84eeec9a1b259cb51be68df330adbe2ed6b7f8fc4ea7816abb120a4ae4be3bd548732321

Download Submit
C:\Users\Admin\funshion.ini

Filesize
108B

MD5
9d04714bbeb535afdec3241f6ebde960

SHA1
ec00dcd74db3c64ad9f8dc461c2ab0c4959382c9

SHA256
5a493f797fb4ff5307b5064f0aac741a40875614377b2fce82143adec765216a

SHA512
8652ed94cb4b9f2a64a35f6eb1fac6ccc4bb8ac238f4af02b5191d742090ff561b4481a47bc84761c665662b9523a120186eb08844ff2777817ba958a08a88ca

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
37B

MD5
2ea4451d2bf7de019dd5e92341c94660

SHA1
ec5817fbdfe097aadd9bfa26bea6195310162beb

SHA256
b6f729f1e203f8065a783c9b6d5a4cb9e84f42228c4ab28869f26af003fcdc22

SHA512
10c11ce16a8d22b22814513282a3fce9b0ce3499e3f04bc5d41fe9d0ee784ecddd974a262c706edcc0fc3b9744118d88f0b05598213822629ccd105a7c8182a3

Download Submit