1d58d12ef715ed47ab3579415d2150924f1599e779fbde45e0cac4eba8329b87

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 21:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d491e562718925e63b9f01101f44eb54.exe
Size

4.6MB
MD5

d491e562718925e63b9f01101f44eb54
SHA1

22ec1735b00e0a6a78c9a45072d468440bf2e6e5
SHA256

1d58d12ef715ed47ab3579415d2150924f1599e779fbde45e0cac4eba8329b87
SHA512

ddd23165b463ee8b9f7be2fcc0d71f8b8bcc7ab2e747aa6e8b4d5661539f1aac238e9873284700ae302cd4908537a7fb0ca61621c2f80fa1eadf4f827d8143f3
SSDEEP

98304:Oc11SEwcRMamscD/S5JB2Kc6CUmJP706G8uX/MQPeYcYRnbd/QCLe3pohp4go:U/ctmVEe61+P70L8uXEQPeY1Z/QCE+nI

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	Funshion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	d491e562718925e63b9f01101f44eb54.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	FunshionInstall.exe

Executes dropped EXE 8 IoCs

pid	Process
3796	FunshionInstall_C55521.exe
2980	xml2fspdata.exe
4136	FunshionInstall.exe
4640	evid4226-vc80-mt.exe
2264	Funshion.exe
4364	FunshionService.exe
3920	evid4226-vc80-mt.exe
1164	funshion_clone.exe

Loads dropped DLL 61 IoCs

pid	Process
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
2868	regsvr32.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
4136	FunshionInstall.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
4364	FunshionService.exe
4364	FunshionService.exe
4364	FunshionService.exe
4364	FunshionService.exe
4364	FunshionService.exe
4364	FunshionService.exe
4364	FunshionService.exe
4364	FunshionService.exe
4364	FunshionService.exe
4364	FunshionService.exe
4364	FunshionService.exe
4364	FunshionService.exe
2264	Funshion.exe
2264	Funshion.exe
4364	FunshionService.exe
4364	FunshionService.exe
1164	funshion_clone.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3368-0-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral2/memory/3368-519-0x0000000000400000-0x0000000000437000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Funshion = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe /tray"	FunshionInstall_C55521.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CoreAAC.ax	FunshionInstall_C55521.exe
File opened for modification	C:\Windows\SysWOW64\FunShion.ini	FunshionInstall_C55521.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C55521.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarDownload.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarTrail.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayListAddBtn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollLinkBkgnd.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBarVolumeBarThumb.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetHeadHover.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarDownloadEn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionNormalBtn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskListStatSelIcon.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarDownload.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\pndx5016.dll	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnNormal.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnMuteSmall.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\InstallLangAm.dll	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarSplid.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\StatusBarSplid.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\dbghelp.dll	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcLeftBtmCorner.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarUpArrowRound.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarRefresh.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarRestore.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarStopEn.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\upnp.dll	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnNonTop.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarRestoreEn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarForward.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnSimple.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetTrailHover.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\Funshion-install.ico	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPre.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnFullView.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPlayList.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarDelete.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\bmps\4.bmp	funshion_clone.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\Encrypt.dll	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnBarList.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarForward.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarHomePage.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\funshion.ini	Funshion.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\evid4226-vc80-mt.exe	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayListRemove.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateIconFail.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\bmps\6.bmp	funshion_clone.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarRefreshEn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarUpArrow.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\bmps\4.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPreSmall.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarStopEn.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateBtmUpdateBtn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateCapCloseBtn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayInfoBtmBar.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBarVolumeBarBkgndRightSmall.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarBefore.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\bmps\ch_rcmd.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\TipBottomArrow.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\TipRightArrow.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayListAddBtn.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnTop.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarUpArrow.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\taskpause.ico	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcRightTopCorner.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarBkgndSmall.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\bmps\3.bmp	FunshionInstall_C55521.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000400000001e5eb-5.dat	nsis_installer_1

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dxdiag.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1000	taskkill.exe
4968	taskkill.exe
4524	taskkill.exe
4064	taskkill.exe
4360	taskkill.exe
2488	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{DC8DE303-B7D9-4E57-B17D-1273AC067542}	dxdiag.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsp	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8670C736-F614-427B-8ADA-BBADC587194B}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3ECBC41-581A-4476-B693-A63340462D8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\FriendlyName = "File Source (URL)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\CLSID = "{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\FilterData = 020000000100004002000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b7180eb36e44f52ce119f530020af0ba77081eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A3-7548-11CF-A520-0080C77EF58A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\FriendlyName = "File stream renderer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51B4ABF3-748F-4E3B-A276-C828330E926A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\FriendlyName = "MPEG Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ = "open"	FunshionInstall_C55521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\ = "CoreAAC Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dxdiag.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8670C736-F614-427b-8ADA-BBADC587194B}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\FilterData = 0200000000006000030000000000000030706933000000000000000001000000000000000000000030747933000000008800000098000000317069330000000000000000010000000000000000000000307479330000000088000000a8000000327069330800000000000000010000000000000000000000307479330000000088000000b80000007669647300001000800000aa00389b71406a9b5a221ad111bad900609744111a416a9b5a221ad111bad900609744111a00000000000000000000000000000000	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{060AF76C-68DD-11D0-8FC1-00C04FD9189D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\DefaultIcon	Funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion\DefaultIcon\ = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\",1"	FunshionInstall_C55521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\FriendlyName = "Wave Parser"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{301056D0-6DFF-11D2-9EEB-006008039E37}\FilterData = 0200000000006000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000007669647300001000800000aa00389b714d4a504700001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}\FilterData = 020000000100800001000000000000003070693302000000000000000200000000000000000000003074793300000000480000005800000031747933000000006800000058000000646d637300001000800000aa00389b71000000000000000000000000000000007478747300001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\file\Source Filter = "{E436EBB6-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4665E44B-8B9A-4515-A086-E94ECE374608}\ = "CoreAAC Audio Decoder About"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{70E102B0-5556-11CE-97C0-00AA0055595A}\CLSID = "{70E102B0-5556-11CE-97C0-00AA0055595A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{060AF76C-68DD-11D0-8FC1-00C04FD9189D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\CLSID = "{D3588AB0-0781-11CE-B03A-0020AF0BA770}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell	FunshionInstall_C55521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\CLSID = "{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{AA137041-5DB1-4B14-853B-62329921D5C6}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB7-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\CLSID = "{4A2286E0-7BEF-11CE-9BD9-0000E202599C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB8B-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B87BEB7B-8D29-423F-AE4D-6582C10175AC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
3796	FunshionInstall_C55521.exe
4912	dxdiag.exe
4912	dxdiag.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2264	Funshion.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeManageVolumePrivilege	4364	FunshionService.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
2264	Funshion.exe
4912	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3796	3368	d491e562718925e63b9f01101f44eb54.exe	92
PID 3368 wrote to memory of 3796	3368	d491e562718925e63b9f01101f44eb54.exe	92
PID 3368 wrote to memory of 3796	3368	d491e562718925e63b9f01101f44eb54.exe	92
PID 3796 wrote to memory of 4744	3796	FunshionInstall_C55521.exe	94
PID 3796 wrote to memory of 4744	3796	FunshionInstall_C55521.exe	94
PID 3796 wrote to memory of 4744	3796	FunshionInstall_C55521.exe	94
PID 4744 wrote to memory of 4968	4744	cmd.exe	96
PID 4744 wrote to memory of 4968	4744	cmd.exe	96
PID 4744 wrote to memory of 4968	4744	cmd.exe	96
PID 3796 wrote to memory of 3100	3796	FunshionInstall_C55521.exe	98
PID 3796 wrote to memory of 3100	3796	FunshionInstall_C55521.exe	98
PID 3796 wrote to memory of 3100	3796	FunshionInstall_C55521.exe	98
PID 3100 wrote to memory of 4524	3100	cmd.exe	100
PID 3100 wrote to memory of 4524	3100	cmd.exe	100
PID 3100 wrote to memory of 4524	3100	cmd.exe	100
PID 3796 wrote to memory of 1492	3796	FunshionInstall_C55521.exe	101
PID 3796 wrote to memory of 1492	3796	FunshionInstall_C55521.exe	101
PID 3796 wrote to memory of 1492	3796	FunshionInstall_C55521.exe	101
PID 1492 wrote to memory of 4064	1492	cmd.exe	104
PID 1492 wrote to memory of 4064	1492	cmd.exe	104
PID 1492 wrote to memory of 4064	1492	cmd.exe	104
PID 3796 wrote to memory of 64	3796	FunshionInstall_C55521.exe	105
PID 3796 wrote to memory of 64	3796	FunshionInstall_C55521.exe	105
PID 3796 wrote to memory of 64	3796	FunshionInstall_C55521.exe	105
PID 64 wrote to memory of 4360	64	cmd.exe	107
PID 64 wrote to memory of 4360	64	cmd.exe	107
PID 64 wrote to memory of 4360	64	cmd.exe	107
PID 3796 wrote to memory of 1076	3796	FunshionInstall_C55521.exe	108
PID 3796 wrote to memory of 1076	3796	FunshionInstall_C55521.exe	108
PID 3796 wrote to memory of 1076	3796	FunshionInstall_C55521.exe	108
PID 1076 wrote to memory of 2488	1076	cmd.exe	110
PID 1076 wrote to memory of 2488	1076	cmd.exe	110
PID 1076 wrote to memory of 2488	1076	cmd.exe	110
PID 3796 wrote to memory of 4780	3796	FunshionInstall_C55521.exe	111
PID 3796 wrote to memory of 4780	3796	FunshionInstall_C55521.exe	111
PID 3796 wrote to memory of 4780	3796	FunshionInstall_C55521.exe	111
PID 4780 wrote to memory of 1000	4780	cmd.exe	113
PID 4780 wrote to memory of 1000	4780	cmd.exe	113
PID 4780 wrote to memory of 1000	4780	cmd.exe	113
PID 3796 wrote to memory of 2868	3796	FunshionInstall_C55521.exe	114
PID 3796 wrote to memory of 2868	3796	FunshionInstall_C55521.exe	114
PID 3796 wrote to memory of 2868	3796	FunshionInstall_C55521.exe	114
PID 3796 wrote to memory of 4596	3796	FunshionInstall_C55521.exe	115
PID 3796 wrote to memory of 4596	3796	FunshionInstall_C55521.exe	115
PID 3796 wrote to memory of 4596	3796	FunshionInstall_C55521.exe	115
PID 3796 wrote to memory of 4200	3796	FunshionInstall_C55521.exe	116
PID 3796 wrote to memory of 4200	3796	FunshionInstall_C55521.exe	116
PID 3796 wrote to memory of 4200	3796	FunshionInstall_C55521.exe	116
PID 3796 wrote to memory of 2980	3796	FunshionInstall_C55521.exe	118
PID 3796 wrote to memory of 2980	3796	FunshionInstall_C55521.exe	118
PID 3796 wrote to memory of 2980	3796	FunshionInstall_C55521.exe	118
PID 3796 wrote to memory of 4136	3796	FunshionInstall_C55521.exe	123
PID 3796 wrote to memory of 4136	3796	FunshionInstall_C55521.exe	123
PID 3796 wrote to memory of 4136	3796	FunshionInstall_C55521.exe	123
PID 4136 wrote to memory of 4640	4136	FunshionInstall.exe	125
PID 4136 wrote to memory of 4640	4136	FunshionInstall.exe	125
PID 4136 wrote to memory of 4640	4136	FunshionInstall.exe	125
PID 4136 wrote to memory of 2264	4136	FunshionInstall.exe	129
PID 4136 wrote to memory of 2264	4136	FunshionInstall.exe	129
PID 4136 wrote to memory of 2264	4136	FunshionInstall.exe	129
PID 2264 wrote to memory of 4364	2264	Funshion.exe	131
PID 2264 wrote to memory of 4364	2264	Funshion.exe	131
PID 2264 wrote to memory of 4364	2264	Funshion.exe	131
PID 4364 wrote to memory of 4912	4364	FunshionService.exe	132

C:\Users\Admin\AppData\Local\Temp\d491e562718925e63b9f01101f44eb54.exe
"C:\Users\Admin\AppData\Local\Temp\d491e562718925e63b9f01101f44eb54.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C55521.exe
  "C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C55521.exe" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "Funshion.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "FSPServer.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "FunshionService.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "Updater.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "Updater.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpdate.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "FunshionUpdate.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpgrade.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "FunshionUpgrade.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1000
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\system32\CoreAAC.ax"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2868
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\system32\quartz.dll"
    3⤵
    - Modifies registry class
    PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C rename "C:\Users\Admin\funshion\historyTorrent\*.torrent" *.fsp
    3⤵
    PID:4200
- - C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe
    "C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe" "C:\Program Files (x86)\Funshion Online\Funshion\control\\"
    3⤵
    - Executes dropped EXE
    PID:2980
- - C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\FunshionInstall.exe
    "C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\FunshionInstall.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\evid4226-vc80-mt.exe
      --silent
      4⤵
      Executes dropped EXE
      PID:4640
  - - C:\Program Files (x86)\Funshion Online\Funshion\Funshion.exe
      "C:\Program Files (x86)\Funshion Online\Funshion\Funshion.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe
        
        "C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe" UISTARTFSPSERVER
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Windows\SysWOW64\dxdiag.exe
        
        dxdiag.exe /whql:off /t C:\Users\Admin\funshion\fsdxdiag.txt
        6⤵
        Drops file in System32 directory
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4912
      - C:\Windows\SysWOW64\tracert.exe
        
        tracert.exe -d -h 16 -w 800 209.131.36.158
        6⤵
        
        PID:4780
    - - C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\evid4226-vc80-mt.exe
        
        --silent
        5⤵
        Executes dropped EXE
        
        PID:3920
  - - C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\funshion_clone.exe
      "C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\funshion_clone.exe" 1 2 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:1164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\selfdel.bat""
        5⤵
        
        PID:3464

Network

DNS

16.53.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.53.126.40.in-addr.arpa

IN PTR

Response
DNS

61.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.179.17.96.in-addr.arpa

IN PTR

Response

61.179.17.96.in-addr.arpa

IN PTR

a96-17-179-61deploystaticakamaitechnologiescom
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

partner.funshion.com

FunshionInstall.exe

Remote address:

8.8.8.8:53

Request

partner.funshion.com

IN A

Response

partner.funshion.com

IN A

118.193.104.9

partner.funshion.com

IN A

118.193.104.10
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=39EEED5004CD60EA394CF916052D61B7; domain=.bing.com; expires=Sat, 12-Apr-2025 21:28:44 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D229FDB1C42F464EA74A85C60554558C Ref B: LON04EDGE1209 Ref C: 2024-03-18T21:28:44Z
date: Mon, 18 Mar 2024 21:28:43 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=39EEED5004CD60EA394CF916052D61B7

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=21DofzzTPrTqmbiufBID0wHpLzR0uVmfpEffz22rhcg; domain=.bing.com; expires=Sat, 12-Apr-2025 21:28:44 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 93E08FE6437D41DDB597958076563A83 Ref B: LON04EDGE1209 Ref C: 2024-03-18T21:28:44Z
date: Mon, 18 Mar 2024 21:28:43 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=39EEED5004CD60EA394CF916052D61B7; MSPTC=21DofzzTPrTqmbiufBID0wHpLzR0uVmfpEffz22rhcg

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CEA92689A34E44C1AFFDF05706F6B63D Ref B: LON04EDGE1209 Ref C: 2024-03-18T21:28:44Z
date: Mon, 18 Mar 2024 21:28:43 GMT
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

partner.funshion.com

FunshionInstall.exe

Remote address:

8.8.8.8:53

Request

partner.funshion.com

IN A

Response

partner.funshion.com

IN A

118.193.104.9

partner.funshion.com

IN A

118.193.104.10
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

195.177.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.177.78.104.in-addr.arpa

IN PTR

Response

195.177.78.104.in-addr.arpa

IN PTR

a104-78-177-195deploystaticakamaitechnologiescom
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

fs.funshion.com

Funshion.exe

Remote address:

8.8.8.8:53

Request

fs.funshion.com

IN A

Response

fs.funshion.com

IN CNAME

fs.fspcdn.com

fs.fspcdn.com

IN A

118.193.104.9

fs.fspcdn.com

IN A

118.193.104.10
DNS

ns.funshion.com

FunshionService.exe

Remote address:

8.8.8.8:53

Request

ns.funshion.com

IN A

Response

ns.funshion.com

IN A

113.219.224.41
DNS

sqm.funshion.com

FunshionService.exe

Remote address:

8.8.8.8:53

Request

sqm.funshion.com

IN A

Response

sqm.funshion.com

IN CNAME

stat.funshion.net

stat.funshion.net

IN A

118.193.104.46

stat.funshion.net

IN A

118.193.104.43

stat.funshion.net

IN A

118.193.104.44

stat.funshion.net

IN A

118.193.104.48

stat.funshion.net

IN A

118.193.104.45

stat.funshion.net

IN A

118.193.104.47

stat.funshion.net

IN A

118.193.104.42

stat.funshion.net

IN A

118.193.104.41
DNS

service-bs.funshion.com

FunshionService.exe

Remote address:

8.8.8.8:53

Request

service-bs.funshion.com

IN A

Response

service-bs.funshion.com

IN A

113.219.224.4
DNS

ns3.funshion.com

FunshionService.exe

Remote address:

8.8.8.8:53

Request

ns3.funshion.com

IN A

Response

ns3.funshion.com

IN A

122.228.76.92
DNS

41.224.219.113.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.224.219.113.in-addr.arpa

IN PTR

Response
DNS

4.224.219.113.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.224.219.113.in-addr.arpa

IN PTR

Response
DNS

92.76.228.122.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.76.228.122.in-addr.arpa

IN PTR

Response
DNS

ad.funshion.com

Funshion.exe

Remote address:

8.8.8.8:53

Request

ad.funshion.com

IN A

Response

ad.funshion.com

IN CNAME

fs.fspcdn.com

fs.fspcdn.com

IN A

118.193.104.9

fs.fspcdn.com

IN A

118.193.104.10
DNS

update.funshion.com

Funshion.exe

Remote address:

8.8.8.8:53

Request

update.funshion.com

IN A

Response

update.funshion.com

IN CNAME

partner.funshion.com

partner.funshion.com

IN A

118.193.104.9

partner.funshion.com

IN A

118.193.104.10
DNS

46.104.193.118.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.104.193.118.in-addr.arpa

IN PTR

Response
DNS

www.btstream.org

Funshion.exe

Remote address:

8.8.8.8:53

Request

www.btstream.org

IN A

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

55.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.179.17.96.in-addr.arpa

IN PTR

Response

55.179.17.96.in-addr.arpa

IN PTR

a96-17-179-55deploystaticakamaitechnologiescom
DNS

89.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.135.221.88.in-addr.arpa

IN PTR

Response

89.135.221.88.in-addr.arpa

IN PTR

a88-221-135-89deploystaticakamaitechnologiescom
DNS

81.171.91.138.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.171.91.138.in-addr.arpa

IN PTR

Response
DNS

68.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.179.17.96.in-addr.arpa

IN PTR

Response

68.179.17.96.in-addr.arpa

IN PTR

a96-17-179-68deploystaticakamaitechnologiescom
DNS

68.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.179.17.96.in-addr.arpa

IN PTR
DNS

fs.funshion.com

Funshion.exe

Remote address:

8.8.8.8:53

Request

fs.funshion.com

IN A

Response

fs.funshion.com

IN CNAME

fs.fspcdn.com

fs.fspcdn.com

IN A

118.193.104.9

fs.fspcdn.com

IN A

118.193.104.10
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

27.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

27.73.42.20.in-addr.arpa

IN PTR

Response

118.193.104.9:80

partner.funshion.com

FunshionInstall_C55521.exe

104 B
2
204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

tls, http2

2.6kB
9.3kB
24
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

HTTP Response

204
118.193.104.9:80

partner.funshion.com

FunshionInstall.exe

156 B
3
222.35.250.56:21

FunshionInstall.exe

260 B
5
118.193.104.9:80

fs.funshion.com

Funshion.exe

260 B
5
118.193.104.9:80

update.funshion.com

Funshion.exe

156 B
3
118.193.104.9:80

update.funshion.com

Funshion.exe

156 B
3
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

260 B
5
118.193.104.10:80

update.funshion.com

Funshion.exe

260 B
5
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

260 B
5
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

260 B
5
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

260 B
5
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

260 B
5
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

208 B
4

8.8.8.8:53

16.53.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

16.53.126.40.in-addr.arpa
8.8.8.8:53

61.179.17.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

61.179.17.96.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

partner.funshion.com

dns

FunshionInstall.exe

66 B
98 B
1
1

DNS Request

partner.funshion.com

DNS Response

118.193.104.9

118.193.104.10
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

partner.funshion.com

dns

FunshionInstall.exe

66 B
98 B
1
1

DNS Request

partner.funshion.com

DNS Response

118.193.104.9

118.193.104.10
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

195.177.78.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

195.177.78.104.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

fs.funshion.com

dns

Funshion.exe

61 B
117 B
1
1

DNS Request

fs.funshion.com

DNS Response

118.193.104.9

118.193.104.10
8.8.8.8:53

ns.funshion.com

dns

FunshionService.exe

61 B
77 B
1
1

DNS Request

ns.funshion.com

DNS Response

113.219.224.41
8.8.8.8:53

sqm.funshion.com

dns

FunshionService.exe

62 B
221 B
1
1

DNS Request

sqm.funshion.com

DNS Response

118.193.104.46

118.193.104.43

118.193.104.44

118.193.104.48

118.193.104.45

118.193.104.47

118.193.104.42

118.193.104.41
8.8.8.8:53

service-bs.funshion.com

dns

FunshionService.exe

69 B
85 B
1
1

DNS Request

service-bs.funshion.com

DNS Response

113.219.224.4
8.8.8.8:53

ns3.funshion.com

dns

FunshionService.exe

62 B
78 B
1
1

DNS Request

ns3.funshion.com

DNS Response

122.228.76.92
113.219.224.41:8000

ns.funshion.com

FunshionService.exe

276 B
6
113.219.224.41:8080

ns.funshion.com

FunshionService.exe

276 B
6
122.228.76.92:8000

ns3.funshion.com

FunshionService.exe

276 B
6
122.228.76.92:8080

ns3.funshion.com

FunshionService.exe

276 B
6
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

75 B
1
8.8.8.8:53

41.224.219.113.in-addr.arpa

dns

73 B
161 B
1
1

DNS Request

41.224.219.113.in-addr.arpa
8.8.8.8:53

4.224.219.113.in-addr.arpa

dns

72 B
160 B
1
1

DNS Request

4.224.219.113.in-addr.arpa
8.8.8.8:53

92.76.228.122.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

92.76.228.122.in-addr.arpa
118.193.104.46:8000

sqm.funshion.com

FunshionService.exe

60 B
1
8.8.8.8:53

ad.funshion.com

dns

Funshion.exe

61 B
117 B
1
1

DNS Request

ad.funshion.com

DNS Response

118.193.104.9

118.193.104.10
8.8.8.8:53

update.funshion.com

dns

Funshion.exe

65 B
119 B
1
1

DNS Request

update.funshion.com

DNS Response

118.193.104.9

118.193.104.10
10.127.0.1:1900

FunshionService.exe

129 B
1
8.8.8.8:53

46.104.193.118.in-addr.arpa

dns

73 B
161 B
1
1

DNS Request

46.104.193.118.in-addr.arpa
8.8.8.8:53

www.btstream.org

dns

Funshion.exe

62 B
144 B
1
1

DNS Request

www.btstream.org
118.193.104.46:8000

sqm.funshion.com

FunshionService.exe

60 B
1
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

75 B
1
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

55.179.17.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

55.179.17.96.in-addr.arpa
118.193.104.46:8000

sqm.funshion.com

FunshionService.exe

60 B
1
8.8.8.8:53

89.135.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

89.135.221.88.in-addr.arpa
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

75 B
1
118.193.104.46:8000

sqm.funshion.com

FunshionService.exe

60 B
1
8.8.8.8:53

81.171.91.138.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

81.171.91.138.in-addr.arpa
118.193.104.46:8000

sqm.funshion.com

FunshionService.exe

60 B
1
8.8.8.8:53

68.179.17.96.in-addr.arpa

dns

142 B
135 B
2
1

DNS Request

68.179.17.96.in-addr.arpa

DNS Request

68.179.17.96.in-addr.arpa
8.8.8.8:53

fs.funshion.com

dns

Funshion.exe

61 B
117 B
1
1

DNS Request

fs.funshion.com

DNS Response

118.193.104.9

118.193.104.10
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
118.193.104.46:8000

sqm.funshion.com

FunshionService.exe

60 B
1
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

75 B
1
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

75 B
1
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
113.219.224.4:8000

service-bs.funshion.com

FunshionService.exe

75 B
1
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
118.193.104.46:8000

sqm.funshion.com

FunshionService.exe

60 B
1
8.8.8.8:53

27.73.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

27.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion Online\Funshion\Dump.dll

Filesize
172KB

MD5
859737636bc7a4f0332a6cc6f0fee978

SHA1
620e86d7e9b408733a65ed5b53b04af49c3d9d68

SHA256
a01a479dbe7323b439b9cace4586f4caa60a367a264f6d298bde84c0654a6e9f

SHA512
c4f5b08184fe3d6f233bad8fbf36403ecc75a80aa92fbf495c99ea7a1d0cd02a1c2f3e2affeafd148ae101c40a2eb1d3eab5a6beafc0c570b05da5fa6589abaf

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\Encrypt.dll

Filesize
64KB

MD5
5468eb7b4cd7e648a337a187e565447d

SHA1
f0269db098eb699ec7583ab40dd4bfb311a51b5d

SHA256
68cf718e9196b462248af847a430e7c40e2b1e3c9022d02e8cbfc21b1321f3be

SHA512
af48c98fd449f7e4733605cc6c57259df459f49820f7a572174a9b07dfd52c1fe9c0cd8b6866463c72b1150c9d5505dbb580bffb276f85ef19650a5dac7e9d43

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\Funshion.exe

Filesize
1.7MB

MD5
7d0e2c6e8a3d63cd2ce485cf317cb18a

SHA1
865d742ee46fc2a4bad7e2dcb1019bdd3ca28a9b

SHA256
5f9aff8c92a97af3c3f5a3a0b2144462939422ada4a3140141acfdd6d807ff31

SHA512
15a562e4c8002755d99168c8f4a475447d7f22f813b58ac48c7f3421a39023d31462b41a02d7652c59a3ccd5371a4fa9a6918af48230c919f9fb8e5333f7532b

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe

Filesize
1.3MB

MD5
aa4d443ed02f4ae37cb9231d21af8240

SHA1
276c018f2b9781edde5586a6f77a6662e5d62c16

SHA256
0843a1532b22e22b1e93fe28aa25b61dc41b889514f42068933e285d4257ca52

SHA512
8091ebf45277d80bb71a4c23a614196566425094eee59fda62674e928c6858380246e0b8585b0d5b2211120cc571488eb8651e96fc0e8723dd4c963709f4fd8d

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunshionUpgrade.exe

Filesize
864KB

MD5
ebdd11d2fb62d2b9d168086d14a9ec8d

SHA1
0061672dda631c94da384ca14a3e0d5a4dc7dd09

SHA256
00aff41529b6623086bacc7762c66e636aeabf3678da50187133a95de8c07297

SHA512
42cbede8610ba9a5c0d2178027aa05938a9b79719ac997dafc7944d704924f57cb91a7a46646fd7fe8eb94a43efe4caaaf6a1d22434411df4e65c1be8de7a730

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\GetMACAddress.dll

Filesize
224KB

MD5
2e546196d65baa49989d64f57f3ba990

SHA1
e6ee44af14487e668242cbb97fdc4bdf63fbd670

SHA256
fa7681a9877e6ee1c14615279f86323b205333e2937376717cc4ce97cd6399c1

SHA512
8c10f096b1c17ddbad084ecf8fcad1a1d7aed6adece8e362ba6bb62c66d23c6a2390aea99219428e49b3b87e2550bd9ffe0752ad4d4d0c7388dbd28995d15081

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\FunshionInstall.exe

Filesize
328KB

MD5
f195ce8cb9177a66204288af45ddbac8

SHA1
31a76ec0d12996dbb47257ccc900b5c16781831f

SHA256
ead0369a09dab18384fa7c5c0316c733655bffefde8d8dda2568bab4904fe3eb

SHA512
c208381c76b3adaa0aaa0b32805c712446f498d4ffc15a122018fe4afb97ad182a8e2ffe0683073a7754c70e5c6ddc8828519d9fb455b248285928bde0e7842b

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\InstallLangAm.dll

Filesize
76KB

MD5
896f5999d7f56adc70145e904b83d0fa

SHA1
ea7d310ab9d40214e545555dff758710107c9fe0

SHA256
23a2c345446b9f86b25418b2baf405aeffd8d536dddedcf7f89f63c09c3c343b

SHA512
8cd6bec1cad73e973ebb25366d041fb7ba14ec48477e8db7f591921796397b515addb0f7cf5f925242958df852ad653476add896672f599613c58517dce69ec9

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\evid4226-vc80-mt.exe

Filesize
148KB

MD5
2cad6ec5f4a0e3c812407226991e76f1

SHA1
3a2601b1e35ec73ba9215b5dff3ef201a09d899a

SHA256
e235eef38fcf7d979be5300ecf48e7fcc0e19bbc3930faff965dec751700b518

SHA512
7bccc01604d7af51f788bf51a0c4d8e33417397fb1cd88104698d406f55cca1fe24ac57bc325c8a581807e2ff7590dcc53602bc26c5d51686a98d8fa4700eccf

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\install.ini

Filesize
223B

MD5
730f05e650a7b1705a03b398091dea42

SHA1
f5e49471cbc4aed199ccfac705146ced3114b282

SHA256
602d9ad302bef391af76d7642887a6ca035d42d4218f09d8246f156b3687eaad

SHA512
3fc96ec2c0545eb5ed487a3c7fd29362317e477d0ad3f29e730eb0951adee879624e05d5484ecb16f767a3074dd066e67e0bfac9c348843fb69592cdc3be0d09

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\dbghelp.dll

Filesize
1020KB

MD5
74edbb03de3291fcf2094af1fb363f1d

SHA1
16b5d948ed7843576781dc4f2a391607ac0120a4

SHA256
dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa

SHA512
b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\funshion.ini

Filesize
72B

MD5
d5f98ba70a13f8802a3ee9175b265e68

SHA1
b1783e58a9c02bfd6077760001e15c3d58a3b4da

SHA256
fbeb47f844e840905a507418da125a27d567e3a39488450f0d4b383b44bf6289

SHA512
c92a820c482ab0db20242638f557e97ebe2061f6c835ff474b016a4cf7eb01d607b45e0ecb09b72cb747708bf920a064cbfb86f79359f065645fd64dcd25a92c

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\funshion.ini

Filesize
129B

MD5
5ff87d8ca10435cfff6e587a1e48800a

SHA1
a794b6aeaa4663079d2e998f55c9474f5375fff8

SHA256
2b3f4967d7a01809813cff2f2ca49f97c4fbc97acbe67059d3747c41b6727f72

SHA512
5e202eb11e10d08672daadbd617ea5b3de480e40943d7e3366b7a0175a5ae53a1e51cf7f251f32084486d2ae78f7f2b8d41bb861af83e661da178d646e33c1f2

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionBkgnd.bmp

Filesize
170B

MD5
e2e96fc57ca20d75dd23d005d74a3f7b

SHA1
28865c67dcb3688d7bb939cebe65584f9e9288d2

SHA256
c6f438c69b1d8f5691b8aa2beb983bfab2bbae883d01f43b5e05ad0c536235cb

SHA512
aac571fae1dee9d9d6b022763d76dd787423a460f5282fd7727595a95e4ec517d2fe3db5501acaa80ef7859c4a666b70c28bb5cf065b3c47b130bde993e14ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C55521.exe

Filesize
4.5MB

MD5
56ff0b1e8b2219c269f528a64b620c50

SHA1
629be6f2f2af1a2673e0d4c07da58367bf086e7a

SHA256
e28f4e81b8c6880c01ea2fb2fa652e598c42ebb621374cb46f20e4eac06e5c5f

SHA512
b0224868d29205e2670bd504a741da86bf4b38ca40a65914122f36666b344ff0ba83ef651f59aabecc210428c276216f9f3b9a423b4606a3717df713f61a7c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\funshion.ini

Filesize
708B

MD5
12dba1d1fc630944b6cfde2205f011f2

SHA1
d37b1140bc2afa762fc2db9a457fab3612176540

SHA256
963ad99dd01b1ba49cf230963c2fc41f01146f419192a4c99e99462a3d172798

SHA512
a3e47828c9195bb17f25838161685087baedb58e4e5739e7857c74ca43ec6adf240c93cc4ff8021bc02c0cbdaf9ff95136d05d87559818cecd6967405cf4a39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4160.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4160.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4160.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4160.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4160.tmp\NSISdl.dll

Filesize
12KB

MD5
a10c9c9f5474ed8c13ff5e182655eb9f

SHA1
ffa6073f6b1724183d570c368c3025430de1ee33

SHA256
17055e463a04435bdb5fea5d634af12a4678ff5d680196da230879ad24622ee3

SHA512
bd7222d4ee6516b9be7f498858812ebfa824f657ef5298cfc813ad91fdfb6129642232d4c47f2edc4c2b8d2619ba7530a5195d53e9017435e7e8ef742f60fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4160.tmp\System.dll

Filesize
10KB

MD5
4eff5fafd746f5decb93a44e3a3d570c

SHA1
a11aa7681b7e2df1c7f7492a127d332d1495ea8a

SHA256
cf61ddd15d63c25a12caee70f51ea736cfc02195c42e56ee01b33f689d3754c5

SHA512
cde82d2a1f28506e4c2264f6b82017a00af32f138ebcdbaf4cc58463870fa626f708aa57465294c5a6f096c886841e7b9112b85bf3ea2f1d8f2da816b51b2d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4160.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe

Filesize
124KB

MD5
174db01920fc8b493ee6668d854f0726

SHA1
2e4368c1b4715dce7455e31738a5b76b1b070f50

SHA256
ac7b0bc4635c24f07d64da94451309b12229db326e0fac8612558de695003291

SHA512
bad21688cb4c6789ddec6e129188e42c545ccfd9c9861279998ebf3c3fd5ec3e22e9c0465b9f25d7c357ed8d4a38ec5d1024bd6ff38adbaeedb67b39c1fdb5c4

Download Submit
C:\Users\Admin\funshion.ini

Filesize
842B

MD5
b5a35cacd5bf0e34ce5f728fe4480c56

SHA1
3eee76275b1076e93ef911d9aa7fb75ce1b4c77a

SHA256
aa90d1b38f994ff7d2a32a711ae35258128964c0d2efd69f6238373da5162021

SHA512
86edd2bf56b2d53041ec19842c06e708ad2c8676027f4eba2dfaf9d2b00fd54878f54b4510571ac40e77346eb4a9e99535a324bdbe75d29b18ef3380ba773f03

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
645520a668f0734300e196ab75f49d9c

SHA1
76c7e721c73b9267a691e92c35d0ffe382e6d195

SHA256
18d45934cd4b1db9af7bfe7fafe5769a3be0a5d428f937ad7795ace0bd007f0f

SHA512
6fc4568ea29087cbc6dc441c926d30c28b1619d538bc0319defa2f52b283a7caeaa2eac7802a525945fddcfd9dc7cfc51aa115146e628d55755032f13932a4d9

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
cd4445b6440048ea15319583dfdb6d14

SHA1
b051d6c6084ef9fea91e701c7850566b5171b62c

SHA256
271197c4e5e4ee6fb750fea07bc4ea7ccf54256461ae78d5b48af0606a9ea049

SHA512
14ea077e296d1bb48fba13926a4def98ad3064da482cacd30f14ae897158648ed315c391d332e31234e92b17d1b7ac32fa5e8e474d479dbac7666fcbb116955b

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
61f34e224dd3c1ffc6f237fda8047f90

SHA1
acd99cc1365f2932fa27506da87d9cbc5b8d14dc

SHA256
f3e689ccbe1db2572bd0c0e6f7f3edca6cc63a8d68e0cedae0c3921270d7f3dc

SHA512
aee7d64babb55d4b4beb45770539954e139711c86d548acd8784a724cc1bad1533a790d45a43166393c09cdeebdba51febc6424290ff9e3a5940ca1aecf9fd53

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
c674c61d17067d3e8c51367e78f9b9da

SHA1
9564f107087dd03339876e60f2ee48b5627a92a0

SHA256
3236ecca8ebb68ca47f74955b61096be58295a06dad4570249d334ceeadd28bd

SHA512
e87aa05fdfe658643cda9fb9d28d63bcfe42f7abd6146dfa2f55ac4357625726ddc509bb64cde3b8f90a9e9e1d9346a0ef2103792c7cef49c962bb504d5608a0

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
23e793000c00d4d1c73d9afa53074dcc

SHA1
4ffb96f8e2850d6b4cdd71f7241c62fc2d8e6875

SHA256
5b350833b45bd41c310c6c754529d4d89e96df17b031f442d3ac691b6426a926

SHA512
5daea7c6165f86692d2e9bd86fc309adabad31693274dcfadb2aa668ef5c21fdf6d93b29501e6a4c6652571adde20fbc4794f83885ac651b17f9c53a8c579127

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
917426dcd79c75d7eaf94a7cfd6f190c

SHA1
4e07f092839934a41a54b034511463367e383c8b

SHA256
c65f4d5f193b37aaa2fc8f1741279abec56dbd8f5e31524db103b10058465c6a

SHA512
cb15c863844c3b2f6353f199cd7682504fcc1443ec63cc9f717340a1ac9ecaf5ef0ff018e9acb596187c4887cea10b392d55e52c19a8908b2e2f7d4d1c9bc045

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
d234e4104dffb9735c958fa08847d2b4

SHA1
e83de75bbb4e0378005abc90d885ab59707a021b

SHA256
f0ecdbc5c858db02fc4412396f76dd09af2587ac551281760db1fd0202b32192

SHA512
9969584f17a6d282e1c1e03691177dd6c566227d0f1f4b343446e53262c9765fff5da6d727937acf351dfd8d8d50f53e9dd2439663631ee4381e503717b45f48

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
bab13e79d79d0df124b0ec6803615c11

SHA1
865cf51533caece28daca4b7f1d4fad07ced621d

SHA256
fd0ff286e930d4b6cebedd4581e97422a68d3c8b1b75ed4773766bc052cacf79

SHA512
63f27c73430b35065f509876141e9b7e3a8eb7770865c8af77450cf079292339ce14759eae0bf1f28dd8ac6871c6af23dfb2fb423dc9dea577e14993a3e4f09e

Download Submit
C:\Windows\SysWOW64\CoreAAC.ax

Filesize
592KB

MD5
6636fd123e77073c1a07d1ec0831334c

SHA1
39ea6f28d5b30675760f29df68160a81d5df349e

SHA256
e85c1802ae3c7af9b7967ceadaf0504823f092abba04ba912576edbfd421e76a

SHA512
3ac59d1ad36eb1c052c272a11c6dd78dbebb5061b8b79a2a1f0108f8208be7fb9cc8e6208124b12c779e2bdc845882cfd432a84427e2c5c312c4d3275b054849

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
1KB

MD5
ec397732ee3012fd3ce1bebce29c45e8

SHA1
3508d37d60d0e51fc8ec859e2a713fdeee171a72

SHA256
1d0ca8a19832d911f88ff808ac6b9b3b3b9d7d84678807bdb73e1ea5e2f2e382

SHA512
965f1bcba63b1df76f5ab4e04eddb43581a96dac70f8800f81f87ede032f22f0fd057dfb713478509a16ea71974015b7f5a5c2c5397f28d9198bc1ee46771bf0

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
1KB

MD5
48f857ee04973674e4d7d816b0b09f13

SHA1
1dbc967640a0cc3bbd7d3e725df7ac7c01ad720f

SHA256
333398b05a34a4e6ac083f41ec4850fac55d3510d47969bc0024cfeec3fd549c

SHA512
89b32b0ddf6746631fe180e8d9dc43968c5283e42921d6df2d2c1e1b4d77a2721a0c884cdb3e0873f2da03facee445e9850ba9ceb9d7e18978a3d89f1471fbf3

Download Submit
memory/2264-538-0x0000000000BC0000-0x0000000000BFA000-memory.dmp

Filesize
232KB

Download
memory/2264-541-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/2264-873-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/2264-592-0x0000000005F10000-0x0000000005F2B000-memory.dmp

Filesize
108KB

Download
memory/2264-816-0x00000000076D0000-0x0000000007C2C000-memory.dmp

Filesize
5.4MB

Download
memory/2264-586-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/3368-519-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3368-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3796-391-0x0000000002430000-0x000000000246A000-memory.dmp

Filesize
232KB

Download
memory/3796-398-0x00000000032F0000-0x000000000331D000-memory.dmp

Filesize
180KB

Download
memory/4364-611-0x0000000002550000-0x000000000258A000-memory.dmp

Filesize
232KB

Download
memory/4364-605-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/4364-597-0x00000000007F0000-0x0000000000801000-memory.dmp

Filesize
68KB

Download
memory/4364-600-0x0000000000A50000-0x0000000000A8A000-memory.dmp

Filesize
232KB

Download
memory/4364-826-0x0000000003D00000-0x0000000003D2B000-memory.dmp

Filesize
172KB

Download
memory/4364-598-0x0000000000780000-0x00000000007AE000-memory.dmp

Filesize
184KB

Download
memory/4912-832-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4912-831-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4912-837-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4912-836-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4912-838-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4912-840-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4912-839-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4912-842-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4912-841-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4912-830-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.