1d58d12ef715ed47ab3579415d2150924f1599e779fbde45e0cac4eba8329b87

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d491e562718925e63b9f01101f44eb54.exe
Size

4.6MB
MD5

d491e562718925e63b9f01101f44eb54
SHA1

22ec1735b00e0a6a78c9a45072d468440bf2e6e5
SHA256

1d58d12ef715ed47ab3579415d2150924f1599e779fbde45e0cac4eba8329b87
SHA512

ddd23165b463ee8b9f7be2fcc0d71f8b8bcc7ab2e747aa6e8b4d5661539f1aac238e9873284700ae302cd4908537a7fb0ca61621c2f80fa1eadf4f827d8143f3
SSDEEP

98304:Oc11SEwcRMamscD/S5JB2Kc6CUmJP706G8uX/MQPeYcYRnbd/QCLe3pohp4go:U/ctmVEe61+P70L8uXEQPeY1Z/QCE+nI

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
1444	FunshionInstall_C55521.exe
2036	xml2fspdata.exe
2060	FunshionInstall.exe
1304	evid4226-vc80-mt.exe
2936	Funshion.exe
2000	FunshionService.exe
2600	evid4226-vc80-mt.exe
2112	funshion_clone.exe

Loads dropped DLL 64 IoCs

pid	Process
1716	d491e562718925e63b9f01101f44eb54.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
2180	regsvr32.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
2036	xml2fspdata.exe
2036	xml2fspdata.exe
2036	xml2fspdata.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
2060	FunshionInstall.exe
2060	FunshionInstall.exe
2060	FunshionInstall.exe
2060	FunshionInstall.exe
2060	FunshionInstall.exe
2060	FunshionInstall.exe
1304	evid4226-vc80-mt.exe
1304	evid4226-vc80-mt.exe
1304	evid4226-vc80-mt.exe
2060	FunshionInstall.exe
2060	FunshionInstall.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1716-0-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral1/memory/1716-543-0x0000000000400000-0x0000000000437000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C55521.exe
File created	C:\Windows\SysWOW64\CoreAAC.ax	FunshionInstall_C55521.exe
File opened for modification	C:\Windows\SysWOW64\FunShion.ini	FunshionInstall_C55521.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\dbghelp.dll	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBarVolumeBarBkgndRightSmall.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarDeleteEn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateBtmCloseBtn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\install.ini	funshion_clone.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnTitleLeft.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\upnp.dll	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayInfoTitleBk.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnNonTop.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\bmps\5.bmp	funshion_clone.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcRightBtmCorner.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateIconSuc.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarUpArrow.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayInfoHeaderBkgnd.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnNext.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarStop.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TextBtnBk.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\nicdescr.dat	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarBefore.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnNormal.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPlay.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerTipCloseBtn.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\RpcLoading.gif	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\SplidBarMark.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\Funshion-install.ico	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarDownload.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarStop.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarStopEn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\taskstop.ico	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\funshion_clone.exe	FunshionInstall.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\Encrypt.dll	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\DiskWarnning.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBufferInfoWndRight.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskListStatSelIcon.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskManagerCloseBtn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetTrail.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\WebCloseBtn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\taskdown.ico	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\coreavc.ax	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\dbghelp.dll	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\bmps\3.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnTitleRight.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\bmps\4.bmp	funshion_clone.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\funshionplugin2.dll	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPause.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\SplidBarBkgnd.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\drvc.dll	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\LangResEnAmerican.dll	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\SettingDlgIcon.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskBarBtnIcon.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcRightTopCorner.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayFlickerBtn.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\StatusBarRight.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\StatusBarSplid.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskBarBtnMenu.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\Dump.dll	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\FunshionInstall.exe	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBarVolumeBarBkgndRightSmall.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\detector.dll	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\bmps\Dialog.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnTitleLeft.bmp	FunshionInstall_C55521.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnMuteSmall.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\skin\SplidBarBkgnd.bmp	FunshionInstall_C55521.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\bmps\ch_fin.bmp	funshion_clone.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000012251-4.dat	nsis_installer_1
behavioral1/files/0x000400000001cb1b-367.dat	nsis_installer_1

Kills process with taskkill 6 IoCs

evasion

pid	Process
2544	taskkill.exe
2476	taskkill.exe
2516	taskkill.exe
2876	taskkill.exe
1268	taskkill.exe
748	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	Funshion.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\CLSID = "{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\ = "URL: fsp Protocol"	Funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\ = "Funshion file"	FunshionInstall_C55521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\FriendlyName = "CoreAAC Audio Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\ = "CoreAAC Audio Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\command	FunshionInstall_C55521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion\DefaultIcon\ = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\",1"	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\Command	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\ = "open"	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\DefaultIcon	Funshion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp	Funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E}\ = "CoreAAC Audio Decoder Info"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task	FunshionInstall_C55521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E}\InprocServer32\ = "C:\\Windows\\SysWow64\\CoreAAC.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\Topic	FunshionInstall_C55521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\DefaultIcon\ = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe"	Funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\command\ = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\" \"%1\""	FunshionInstall_C55521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\Topic\ = "FSP"	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ddeexec\Topic\ = "FSP"	Funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\ = "%1"	FunshionInstall_C55521.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsp	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ddeexec\Topic	Funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\DefaultIcon\ = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\",1"	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion\DefaultIcon	FunshionInstall_C55521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\command	Funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\command\ = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\" %1"	Funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ddeexec\Application\ = "Funshion"	Funshion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\FilterData = 020000000000800002000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000006175647300001000800000aa00389b71ff00000000001000800000aa00389b714d50344100001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\Application\ = "Funshion"	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4665E44B-8B9A-4515-A086-E94ECE374608}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\Application	FunshionInstall_C55521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\URL Protocol	Funshion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\DefaultIcon	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4665E44B-8B9A-4515-A086-E94ECE374608}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion	FunshionInstall_C55521.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\InprocServer32\ = "C:\\Windows\\SysWow64\\CoreAAC.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\Command\ = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\" \"%1\" /dummy"	FunshionInstall_C55521.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1444	FunshionInstall_C55521.exe
1848	dxdiag.exe
1848	dxdiag.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2936	Funshion.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeManageVolumePrivilege	2000	FunshionService.exe
Token: SeRestorePrivilege	1848	dxdiag.exe
Token: SeRestorePrivilege	1848	dxdiag.exe
Token: SeRestorePrivilege	1848	dxdiag.exe
Token: SeRestorePrivilege	1848	dxdiag.exe
Token: SeRestorePrivilege	1848	dxdiag.exe
Token: SeRestorePrivilege	1848	dxdiag.exe
Token: SeRestorePrivilege	1848	dxdiag.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
2936	Funshion.exe
1848	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1444	1716	d491e562718925e63b9f01101f44eb54.exe	28
PID 1716 wrote to memory of 1444	1716	d491e562718925e63b9f01101f44eb54.exe	28
PID 1716 wrote to memory of 1444	1716	d491e562718925e63b9f01101f44eb54.exe	28
PID 1716 wrote to memory of 1444	1716	d491e562718925e63b9f01101f44eb54.exe	28
PID 1716 wrote to memory of 1444	1716	d491e562718925e63b9f01101f44eb54.exe	28
PID 1716 wrote to memory of 1444	1716	d491e562718925e63b9f01101f44eb54.exe	28
PID 1716 wrote to memory of 1444	1716	d491e562718925e63b9f01101f44eb54.exe	28
PID 1444 wrote to memory of 2492	1444	FunshionInstall_C55521.exe	29
PID 1444 wrote to memory of 2492	1444	FunshionInstall_C55521.exe	29
PID 1444 wrote to memory of 2492	1444	FunshionInstall_C55521.exe	29
PID 1444 wrote to memory of 2492	1444	FunshionInstall_C55521.exe	29
PID 1444 wrote to memory of 2492	1444	FunshionInstall_C55521.exe	29
PID 1444 wrote to memory of 2492	1444	FunshionInstall_C55521.exe	29
PID 1444 wrote to memory of 2492	1444	FunshionInstall_C55521.exe	29
PID 2492 wrote to memory of 2476	2492	cmd.exe	31
PID 2492 wrote to memory of 2476	2492	cmd.exe	31
PID 2492 wrote to memory of 2476	2492	cmd.exe	31
PID 2492 wrote to memory of 2476	2492	cmd.exe	31
PID 2492 wrote to memory of 2476	2492	cmd.exe	31
PID 2492 wrote to memory of 2476	2492	cmd.exe	31
PID 2492 wrote to memory of 2476	2492	cmd.exe	31
PID 1444 wrote to memory of 1968	1444	FunshionInstall_C55521.exe	33
PID 1444 wrote to memory of 1968	1444	FunshionInstall_C55521.exe	33
PID 1444 wrote to memory of 1968	1444	FunshionInstall_C55521.exe	33
PID 1444 wrote to memory of 1968	1444	FunshionInstall_C55521.exe	33
PID 1444 wrote to memory of 1968	1444	FunshionInstall_C55521.exe	33
PID 1444 wrote to memory of 1968	1444	FunshionInstall_C55521.exe	33
PID 1444 wrote to memory of 1968	1444	FunshionInstall_C55521.exe	33
PID 1968 wrote to memory of 2516	1968	cmd.exe	35
PID 1968 wrote to memory of 2516	1968	cmd.exe	35
PID 1968 wrote to memory of 2516	1968	cmd.exe	35
PID 1968 wrote to memory of 2516	1968	cmd.exe	35
PID 1968 wrote to memory of 2516	1968	cmd.exe	35
PID 1968 wrote to memory of 2516	1968	cmd.exe	35
PID 1968 wrote to memory of 2516	1968	cmd.exe	35
PID 1444 wrote to memory of 2632	1444	FunshionInstall_C55521.exe	36
PID 1444 wrote to memory of 2632	1444	FunshionInstall_C55521.exe	36
PID 1444 wrote to memory of 2632	1444	FunshionInstall_C55521.exe	36
PID 1444 wrote to memory of 2632	1444	FunshionInstall_C55521.exe	36
PID 1444 wrote to memory of 2632	1444	FunshionInstall_C55521.exe	36
PID 1444 wrote to memory of 2632	1444	FunshionInstall_C55521.exe	36
PID 1444 wrote to memory of 2632	1444	FunshionInstall_C55521.exe	36
PID 2632 wrote to memory of 2876	2632	cmd.exe	38
PID 2632 wrote to memory of 2876	2632	cmd.exe	38
PID 2632 wrote to memory of 2876	2632	cmd.exe	38
PID 2632 wrote to memory of 2876	2632	cmd.exe	38
PID 2632 wrote to memory of 2876	2632	cmd.exe	38
PID 2632 wrote to memory of 2876	2632	cmd.exe	38
PID 2632 wrote to memory of 2876	2632	cmd.exe	38
PID 1444 wrote to memory of 1972	1444	FunshionInstall_C55521.exe	39
PID 1444 wrote to memory of 1972	1444	FunshionInstall_C55521.exe	39
PID 1444 wrote to memory of 1972	1444	FunshionInstall_C55521.exe	39
PID 1444 wrote to memory of 1972	1444	FunshionInstall_C55521.exe	39
PID 1444 wrote to memory of 1972	1444	FunshionInstall_C55521.exe	39
PID 1444 wrote to memory of 1972	1444	FunshionInstall_C55521.exe	39
PID 1444 wrote to memory of 1972	1444	FunshionInstall_C55521.exe	39
PID 1972 wrote to memory of 1268	1972	cmd.exe	41
PID 1972 wrote to memory of 1268	1972	cmd.exe	41
PID 1972 wrote to memory of 1268	1972	cmd.exe	41
PID 1972 wrote to memory of 1268	1972	cmd.exe	41
PID 1972 wrote to memory of 1268	1972	cmd.exe	41
PID 1972 wrote to memory of 1268	1972	cmd.exe	41
PID 1972 wrote to memory of 1268	1972	cmd.exe	41
PID 1444 wrote to memory of 1696	1444	FunshionInstall_C55521.exe	42

C:\Users\Admin\AppData\Local\Temp\d491e562718925e63b9f01101f44eb54.exe
"C:\Users\Admin\AppData\Local\Temp\d491e562718925e63b9f01101f44eb54.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C55521.exe
  "C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C55521.exe" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "Funshion.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "FSPServer.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "FunshionService.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "Updater.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "Updater.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpdate.exe"
    3⤵
    PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "FunshionUpdate.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpgrade.exe"
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "FunshionUpgrade.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2544
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\system32\CoreAAC.ax"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2180
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\system32\quartz.dll"
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C rename "C:\Users\Admin\funshion\historyTorrent\*.torrent" *.fsp
    3⤵
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe
    "C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe" "C:\Users\Admin\funshion\control\\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2036
- - C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\FunshionInstall.exe
    "C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\FunshionInstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2060
  - - C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\evid4226-vc80-mt.exe
      --silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1304
  - - C:\Program Files (x86)\Funshion Online\Funshion\Funshion.exe
      "C:\Program Files (x86)\Funshion Online\Funshion\Funshion.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2936
    - - C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe
        
        "C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe" UISTARTFSPSERVER
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
      - C:\Windows\SysWOW64\dxdiag.exe
        
        dxdiag.exe /whql:off /t C:\Users\Admin\funshion\fsdxdiag.txt
        6⤵
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1848
      - C:\Windows\SysWOW64\tracert.exe
        
        tracert.exe -d -h 16 -w 800 209.131.36.158
        6⤵
        
        PID:1856
    - - C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\evid4226-vc80-mt.exe
        
        --silent
        5⤵
        Executes dropped EXE
        
        PID:2600
  - - C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\funshion_clone.exe
      "C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\funshion_clone.exe" 1 2 3
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\selfdel.bat""
        5⤵
        
        PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\InstallLangAm.dll

Filesize
76KB

MD5
896f5999d7f56adc70145e904b83d0fa

SHA1
ea7d310ab9d40214e545555dff758710107c9fe0

SHA256
23a2c345446b9f86b25418b2baf405aeffd8d536dddedcf7f89f63c09c3c343b

SHA512
8cd6bec1cad73e973ebb25366d041fb7ba14ec48477e8db7f591921796397b515addb0f7cf5f925242958df852ad653476add896672f599613c58517dce69ec9

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\install.ini

Filesize
223B

MD5
730f05e650a7b1705a03b398091dea42

SHA1
f5e49471cbc4aed199ccfac705146ced3114b282

SHA256
602d9ad302bef391af76d7642887a6ca035d42d4218f09d8246f156b3687eaad

SHA512
3fc96ec2c0545eb5ed487a3c7fd29362317e477d0ad3f29e730eb0951adee879624e05d5484ecb16f767a3074dd066e67e0bfac9c348843fb69592cdc3be0d09

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\selfdel.bat

Filesize
177B

MD5
4727526a41d85575132bbfae2de9aa1c

SHA1
6c7999135daa4ea29e81a1cb53ee992503b1b4c5

SHA256
becc1f2ce5d18943311b8fc76ec06b95d36f4718a81ef6a2bb5646d21935a55c

SHA512
cd56bcbf1c19b8c7b7d40dea50c56396415877c9c957be6e7359133bf3ee5aacbeb1eb1faecb0f98c0b95aca94aad52aa8170591caeaa508143ba474f9c9de27

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\funshion.ini

Filesize
72B

MD5
d5f98ba70a13f8802a3ee9175b265e68

SHA1
b1783e58a9c02bfd6077760001e15c3d58a3b4da

SHA256
fbeb47f844e840905a507418da125a27d567e3a39488450f0d4b383b44bf6289

SHA512
c92a820c482ab0db20242638f557e97ebe2061f6c835ff474b016a4cf7eb01d607b45e0ecb09b72cb747708bf920a064cbfb86f79359f065645fd64dcd25a92c

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\funshion.ini

Filesize
129B

MD5
fdf67b5cf450713a1135a865ba25baaa

SHA1
b8a3234378ce5c6fc08266876ff966a7b145c3f4

SHA256
57826f96b14ade1de999f54e29300a1e7b3be004665d6010c23351a5467de7fe

SHA512
44c29ff33068b25e00a27d964ca090dbe9d7a1987fcb2bc220ae9bc441d8d793f33608b3795ffc10efea83e7d9295254a0e2e53b180b15506db1fc481fcccb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\funshion.ini

Filesize
708B

MD5
12dba1d1fc630944b6cfde2205f011f2

SHA1
d37b1140bc2afa762fc2db9a457fab3612176540

SHA256
963ad99dd01b1ba49cf230963c2fc41f01146f419192a4c99e99462a3d172798

SHA512
a3e47828c9195bb17f25838161685087baedb58e4e5739e7857c74ca43ec6adf240c93cc4ff8021bc02c0cbdaf9ff95136d05d87559818cecd6967405cf4a39e

Download Submit
C:\Users\Admin\funshion.ini

Filesize
904B

MD5
c53915a72404a6b3583cba5de5db6462

SHA1
4ffbf936278cdeea8e02389e196f6219d084b62a

SHA256
1c4ee9f4cf486cf13416173375f0238bd0c9d39215f76129299b162006cad899

SHA512
64e7a190d9843bda94a355ffcd1143c49e94ca1bc19a31f020ae64432ebc439a32fbd061bbc46436f1b86d6fe128961224f38f9400bfcc36426f2b695e2defa7

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
71c6ffc4494715342a18ebf6a4bad656

SHA1
a41c59279a0500ba1a17fc371666d1de7b5a20fd

SHA256
90a2e377e310753cab67a2a82ba0fbc097ad9ef19e864778dd393439f300a9dd

SHA512
9ebe5c01acfff0032db2590c43183b777651505248f583c8427ed4aaeda4014207520b83a40f226f682eab4162bd0dfe1685e7b4e63da60e7ce8c2964965408f

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
0f1e61870bdd11f3c47f1ce54f2338bb

SHA1
08fc44041b5f7d5850e0b44d46ee3453adb03486

SHA256
8bc87a2210fcc3e9d525f27feee0a755add1ea53d3f9caa74781086f7b0d9709

SHA512
a4d72a64ef6c1351f16eff541671db967e4ed8ddf05f1dbd3dac40449a49c7b18dd149996ca139fb8aa9b1ddc5d1744a897246ef4fe4b232279b0ac18a015494

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
111cecb49d03a70ddb5ee94638349387

SHA1
99d12d25ba643a34323105e609c9b5f71b3987b2

SHA256
0428193c2e81024320cb5dd3221c40fec07c700ebac23f15561277bbaee6af60

SHA512
ede8bc4fcf37709233e5ea07b8481513c90906664ef0f39a92f647e2b4b8eaac94bdccc3cab3b9857dd01908af4dd782a6e5ad1bd5afd5cbc3032b9afe235c7f

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
5bd5b9de995f7980616288f859ef1c30

SHA1
c7be2e04b4f28877431948c71ba2b7613c2bed4f

SHA256
9e3c36d7d7e4585b15c45bd2b390fd06f285939d752aef8145b2db8112882144

SHA512
ce81d2f885373e8a3fe7f9a6e153ba8914c8120ce317bf14acba059eecc73186b5200c20f3200bac7aeb8a5afc547ee2639d40cc907b2e5242185f7d37d466e1

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
dc442c0b391a68ba5fb651aad71671a8

SHA1
e11db6da2fcec9bf3e86b1d4b755568a5262084e

SHA256
5a43b63866eee9617d875d057f324678ba680c97d5d722961b9d66031745795b

SHA512
6d974025d7108e0e7a8753dbb4b3af600d0857c2427f2173767b7151cabaae95bb00492567b03171a9a678f5c45798c12452fdfc7a2ffa5f11b070bf8db0f81a

Download Submit
C:\Windows\SysWOW64\CoreAAC.ax

Filesize
592KB

MD5
6636fd123e77073c1a07d1ec0831334c

SHA1
39ea6f28d5b30675760f29df68160a81d5df349e

SHA256
e85c1802ae3c7af9b7967ceadaf0504823f092abba04ba912576edbfd421e76a

SHA512
3ac59d1ad36eb1c052c272a11c6dd78dbebb5061b8b79a2a1f0108f8208be7fb9cc8e6208124b12c779e2bdc845882cfd432a84427e2c5c312c4d3275b054849

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
1KB

MD5
6eb185907c40a73c1b9f98c20a129435

SHA1
7a1fc7f7075834d87c4fb6523b72c4ca61d0f25e

SHA256
50ffd39d6cc9066bd731e5e62bb751335005130b46009b57ba58028a3e24f176

SHA512
ee949c2c9fa961506280790f71ded25b7018f41f385d9c3ac2097c42c435235b71bc1b22377459af231fe81859bc83449f6c366b2fc011347c38dcaca1cc89b5

Download Submit
\Program Files (x86)\Funshion Online\Funshion\Dump.dll

Filesize
172KB

MD5
859737636bc7a4f0332a6cc6f0fee978

SHA1
620e86d7e9b408733a65ed5b53b04af49c3d9d68

SHA256
a01a479dbe7323b439b9cace4586f4caa60a367a264f6d298bde84c0654a6e9f

SHA512
c4f5b08184fe3d6f233bad8fbf36403ecc75a80aa92fbf495c99ea7a1d0cd02a1c2f3e2affeafd148ae101c40a2eb1d3eab5a6beafc0c570b05da5fa6589abaf

Download Submit
\Program Files (x86)\Funshion Online\Funshion\Funshion.exe

Filesize
1.7MB

MD5
7d0e2c6e8a3d63cd2ce485cf317cb18a

SHA1
865d742ee46fc2a4bad7e2dcb1019bdd3ca28a9b

SHA256
5f9aff8c92a97af3c3f5a3a0b2144462939422ada4a3140141acfdd6d807ff31

SHA512
15a562e4c8002755d99168c8f4a475447d7f22f813b58ac48c7f3421a39023d31462b41a02d7652c59a3ccd5371a4fa9a6918af48230c919f9fb8e5333f7532b

Download Submit
\Program Files (x86)\Funshion Online\Funshion\GetMACAddress.dll

Filesize
224KB

MD5
2e546196d65baa49989d64f57f3ba990

SHA1
e6ee44af14487e668242cbb97fdc4bdf63fbd670

SHA256
fa7681a9877e6ee1c14615279f86323b205333e2937376717cc4ce97cd6399c1

SHA512
8c10f096b1c17ddbad084ecf8fcad1a1d7aed6adece8e362ba6bb62c66d23c6a2390aea99219428e49b3b87e2550bd9ffe0752ad4d4d0c7388dbd28995d15081

Download Submit
\Program Files (x86)\Funshion Online\Funshion\Uninstall.exe

Filesize
252KB

MD5
5e30a7ac51128cb54f8c1010da707c3b

SHA1
8b7e0f69b1685e2257389d738f0bea1bb1785407

SHA256
51aa21c8344fa766a5cbd3cd74f1753b432537b3814d455f7b6bd4b62a7df3dc

SHA512
fd826b9718d1c9b0836d0f3805372dc571c0e2bc88c0f901064f5b5489867bd3d5921c018955ab263c2e007fa1105441b6994b28d928eb5cd5d059415fea3101

Download Submit
\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\FunshionInstall.exe

Filesize
328KB

MD5
f195ce8cb9177a66204288af45ddbac8

SHA1
31a76ec0d12996dbb47257ccc900b5c16781831f

SHA256
ead0369a09dab18384fa7c5c0316c733655bffefde8d8dda2568bab4904fe3eb

SHA512
c208381c76b3adaa0aaa0b32805c712446f498d4ffc15a122018fe4afb97ad182a8e2ffe0683073a7754c70e5c6ddc8828519d9fb455b248285928bde0e7842b

Download Submit
\Program Files (x86)\Funshion Online\Funshion\XPSP2Patch\evid4226-vc80-mt.exe

Filesize
148KB

MD5
2cad6ec5f4a0e3c812407226991e76f1

SHA1
3a2601b1e35ec73ba9215b5dff3ef201a09d899a

SHA256
e235eef38fcf7d979be5300ecf48e7fcc0e19bbc3930faff965dec751700b518

SHA512
7bccc01604d7af51f788bf51a0c4d8e33417397fb1cd88104698d406f55cca1fe24ac57bc325c8a581807e2ff7590dcc53602bc26c5d51686a98d8fa4700eccf

Download Submit
\Users\Admin\AppData\Local\Temp\FunshionInstall_C55521.exe

Filesize
4.5MB

MD5
56ff0b1e8b2219c269f528a64b620c50

SHA1
629be6f2f2af1a2673e0d4c07da58367bf086e7a

SHA256
e28f4e81b8c6880c01ea2fb2fa652e598c42ebb621374cb46f20e4eac06e5c5f

SHA512
b0224868d29205e2670bd504a741da86bf4b38ca40a65914122f36666b344ff0ba83ef651f59aabecc210428c276216f9f3b9a423b4606a3717df713f61a7c30

Download Submit
\Users\Admin\AppData\Local\Temp\nst13D1.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nst13D1.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
\Users\Admin\AppData\Local\Temp\nst13D1.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nst13D1.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nst13D1.tmp\NSISdl.dll

Filesize
12KB

MD5
a10c9c9f5474ed8c13ff5e182655eb9f

SHA1
ffa6073f6b1724183d570c368c3025430de1ee33

SHA256
17055e463a04435bdb5fea5d634af12a4678ff5d680196da230879ad24622ee3

SHA512
bd7222d4ee6516b9be7f498858812ebfa824f657ef5298cfc813ad91fdfb6129642232d4c47f2edc4c2b8d2619ba7530a5195d53e9017435e7e8ef742f60fdb5

Download Submit
\Users\Admin\AppData\Local\Temp\nst13D1.tmp\System.dll

Filesize
10KB

MD5
4eff5fafd746f5decb93a44e3a3d570c

SHA1
a11aa7681b7e2df1c7f7492a127d332d1495ea8a

SHA256
cf61ddd15d63c25a12caee70f51ea736cfc02195c42e56ee01b33f689d3754c5

SHA512
cde82d2a1f28506e4c2264f6b82017a00af32f138ebcdbaf4cc58463870fa626f708aa57465294c5a6f096c886841e7b9112b85bf3ea2f1d8f2da816b51b2d72

Download Submit
\Users\Admin\AppData\Local\Temp\nst13D1.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
\Users\Admin\AppData\Local\Temp\xml2fspdata.exe

Filesize
124KB

MD5
174db01920fc8b493ee6668d854f0726

SHA1
2e4368c1b4715dce7455e31738a5b76b1b070f50

SHA256
ac7b0bc4635c24f07d64da94451309b12229db326e0fac8612558de695003291

SHA512
bad21688cb4c6789ddec6e129188e42c545ccfd9c9861279998ebf3c3fd5ec3e22e9c0465b9f25d7c357ed8d4a38ec5d1024bd6ff38adbaeedb67b39c1fdb5c4

Download Submit
memory/1444-415-0x0000000003960000-0x000000000399A000-memory.dmp

Filesize
232KB

Download
memory/1444-420-0x00000000039A0000-0x00000000039CD000-memory.dmp

Filesize
180KB

Download
memory/1716-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1716-543-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1848-838-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1848-854-0x0000000000600000-0x000000000062A000-memory.dmp

Filesize
168KB

Download
memory/1848-848-0x0000000000600000-0x000000000062A000-memory.dmp

Filesize
168KB

Download
memory/1848-840-0x0000000002AE0000-0x0000000002B3C000-memory.dmp

Filesize
368KB

Download
memory/1848-842-0x0000000002AE0000-0x0000000002B3C000-memory.dmp

Filesize
368KB

Download
memory/1848-841-0x0000000002AE0000-0x0000000002B3C000-memory.dmp

Filesize
368KB

Download
memory/1848-836-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1848-839-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1848-837-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2000-833-0x0000000000870000-0x000000000089B000-memory.dmp

Filesize
172KB

Download
memory/2000-606-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2000-604-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2000-618-0x0000000000590000-0x00000000005CA000-memory.dmp

Filesize
232KB

Download
memory/2000-609-0x0000000000360000-0x000000000039A000-memory.dmp

Filesize
232KB

Download
memory/2000-608-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/2936-824-0x0000000005F50000-0x00000000064AC000-memory.dmp

Filesize
5.4MB

Download
memory/2936-550-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/2936-552-0x0000000000600000-0x000000000063A000-memory.dmp

Filesize
232KB

Download
memory/2936-599-0x0000000004DE0000-0x0000000004DFB000-memory.dmp

Filesize
108KB

Download