f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Size

5.4MB
MD5

46acc3fd90233d5b2fc9dffc05733eac
SHA1

4061c7f486ae44fdee3a35a2c69740c753963596
SHA256

f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0
SHA512

14fc0071288256ba8ad3c32c0f387da10c16d0ec3a1cbb292ca57f0bc2923fae6ca2d6821d5461f9f2fd2f52c2e75480ae488a255f59cc3588cad122ce5de39a
SSDEEP

98304:E2KNVQyPDrBdfSNW40xhlkauVz1/c490/8+rc+NFs4eR7ThbxrS3nZ0g:YYsd6HehlkVP488Q4eRbxmJn

Score

10^/10

adware discovery evasion persistence stealer

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 7 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\funshionserviceudp = "v2.10\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=17\|Profile=Private\|App=C:\\Program Files (x86)\\Funshion Online\\Funshion\\funshionservice.exe\|Name=funshionserviceudp\|"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\funshionupgradetcp = "v2.10\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|Profile=Private\|App=C:\\Program Files (x86)\\Funshion Online\\Funshion\\funshionupgrade.exe\|Name=funshionupgradetcp\|"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\funshionupgradeudp = "v2.10\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=17\|Profile=Private\|App=C:\\Program Files (x86)\\Funshion Online\\Funshion\\funshionupgrade.exe\|Name=funshionupgradeudp\|"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\firewallrules	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\funshiontcp = "v2.10\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|Profile=Private\|App=C:\\Program Files (x86)\\Funshion Online\\Funshion\\funshion.exe\|Name=funshiontcp\|"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\funshionudp = "v2.10\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=17\|Profile=Private\|App=C:\\Program Files (x86)\\Funshion Online\\Funshion\\funshion.exe\|Name=funshionudp\|"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\funshionservicetcp = "v2.10\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|Profile=Private\|App=C:\\Program Files (x86)\\Funshion Online\\Funshion\\funshionservice.exe\|Name=funshionservicetcp\|"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe

Executes dropped EXE 4 IoCs

pid	Process
2476	xml2fspdata.exe
1508	ASBarBroker.exe
2752	funshion.exe
1976	FunshionService.exe

Loads dropped DLL 64 IoCs

pid	Process
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
2476	xml2fspdata.exe
2476	xml2fspdata.exe
2476	xml2fspdata.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1236	regsvr32.exe
1236	regsvr32.exe
1236	regsvr32.exe
1236	regsvr32.exe
1236	regsvr32.exe
1236	regsvr32.exe
1508	ASBarBroker.exe
1508	ASBarBroker.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
1976	FunshionService.exe
1976	FunshionService.exe
1976	FunshionService.exe
1976	FunshionService.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Funshion = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\" startbywindows tray"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Funshion = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\funshion.exe startbywindows tray"	funshion.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}\NoExplorer = "1"	regsvr32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\funshion.ini	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File opened for modification	C:\Windows\SysWOW64\FunShion.ini	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Windows\system32\Funshion.scr	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Windows\SysWOW64\FunshionService.timestamp	FunshionService.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionMenuF.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ListHeaderSplid.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayListVerSplidMark.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayInfoHeaderBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnFullView.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarDownArrowL.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskManagerCloseTxtBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TextBtnBk.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\imgDrawMenuItem.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\imgCleanFileBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcFrameBtm.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayListRemove.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarHead.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnBarItem.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\Funshion-install.ico	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBarVolumeBarBkgndRight.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPre.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarLeftBk.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskListRePlayBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TipRightArrow.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateBtmCloseBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPause.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarStop.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\funshion.ini	FunshionService.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarShopPage.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcLeftTopCorner.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBufferInfoWndBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarBeforeSmall.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\RadioBtnPt.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollLinkBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateCapCloseBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarBack.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarHomePage.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarUpArrowRound.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateCapBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\bmpCleanFile.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\bmpMenuBk.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcFrameLeft.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\WebToolBarBk.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\Media\Install Latest Funshion.lnk	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBarVolumeBarBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPlay.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarRestore.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnMute.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\StatusBarBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarMoveUp.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\DiskWarnning.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcRightTopCorner.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PauseFlickerBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.diagnose	FunshionService.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\HidePlayInfoBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarShowPlayer.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcRightBtmCorner.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\pndx5016.dll	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\Dump.dll	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\OptionSplideBarThumb.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnNormal.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollLinkFrm.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\SplidBarBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMngBtnIcon.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarShowPlayerEn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarDownloadSmall.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000400000001d425-405.dat	nsis_installer_1
behavioral1/files/0x000400000001d425-405.dat	nsis_installer_2

Kills process with taskkill 8 IoCs

evasion

pid	Process
2040	taskkill.exe
2140	taskkill.exe
2180	taskkill.exe
2304	taskkill.exe
2364	taskkill.exe
2776	taskkill.exe
3000	taskkill.exe
2008	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\ScreenSaveActive = "1"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Funshion.scr"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\DisplayName = "百度一下，你就知道"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\FaviconURL = "http://www.baidu.com/favicon.ico"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\FunshionAddr"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	funshion.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Low Rights	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TypedURLs	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=funshion010_oem_dg"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "%ProgramFiles(x86)%\\Baidu\\AddressBar"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\FunshionAddr"	ASBarBroker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmvb\ = "FunshionRMVB"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\ProgID\ = "ASBarBroker.BDBroker.1"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\InprocServer32\ = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\FunshionAddr\\funshionAddr.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib\Version = "1.0"	ASBarBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\EditFlags = "65536"	funshion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ddeexec\Application	funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsp\ = "Funshion Task"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionMp4\ = "FunshionMedia"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ = "VLC.mp4"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\ = "%1"	funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\LocalServer32\ = "\"C:\\PROGRA~2\\FUNSHI~1\\Funshion\\FUNSHI~1\\ASBarBroker.exe\""	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmvb\ = "VLC.rmvb"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ = "open"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSP	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ = "ISnavHttpProtocol"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionMp4\shell\open\command	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionRMVB\shell	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BF1E80D5-1697-C5E2-F5E6-873FF731DE35.Addr\ = "BF1E80D5-1697-C5E2-F5E6-873FF731DE35 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\TypeLib\ = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\FLAGS	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1\CLSID\ = "{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\ = "ASBarBroker 1.0 Type Library"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\TypeLib\ = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funshion task\Shell\open\ddeexec\topic	funshion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\Programmable\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BF1E80D5-1697-C5E2-F5E6-873FF731DE35.Addr\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib\ = "{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\command	funshion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BF1E80D5-1697-C5E2-F5E6-873FF731DE35.Addr.1\ = "BF1E80D5-1697-C5E2-F5E6-873FF731DE35 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\VersionIndependentProgID\ = "ASBarBroker.BDBroker"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib\ = "{D02E3AB9-7796-40cb-BDFC-20D834FE1F75}"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionMp4\shell\open	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fc!\ = "Funshion Task"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\0\win32\ = "C:\\PROGRA~2\\FUNSHI~1\\Funshion\\FUNSHI~1\\ASBarBroker.exe"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib\ = "{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionMp4\shell\open\command\ = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\" \"%1\""	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}\VersionIndependentProgID\ = "BF1E80D5-1697-C5E2-F5E6-873FF731DE35.Addr"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1\ = "BDBroker Class"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\URL Protocol	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionMp4\DefaultIcon	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1\CLSID	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion\DefaultIcon	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BF1E80D5-1697-C5E2-F5E6-873FF731DE35.Addr\CLSID\ = "{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeShutdownPrivilege	2752	funshion.exe
Token: SeManageVolumePrivilege	1976	FunshionService.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe
2752	funshion.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1264	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	30
PID 1932 wrote to memory of 1264	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	30
PID 1932 wrote to memory of 1264	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	30
PID 1932 wrote to memory of 1264	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	30
PID 1932 wrote to memory of 1264	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	30
PID 1932 wrote to memory of 1264	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	30
PID 1932 wrote to memory of 1264	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	30
PID 1264 wrote to memory of 2304	1264	cmd.exe	32
PID 1264 wrote to memory of 2304	1264	cmd.exe	32
PID 1264 wrote to memory of 2304	1264	cmd.exe	32
PID 1264 wrote to memory of 2304	1264	cmd.exe	32
PID 1264 wrote to memory of 2304	1264	cmd.exe	32
PID 1264 wrote to memory of 2304	1264	cmd.exe	32
PID 1264 wrote to memory of 2304	1264	cmd.exe	32
PID 1932 wrote to memory of 2280	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	34
PID 1932 wrote to memory of 2280	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	34
PID 1932 wrote to memory of 2280	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	34
PID 1932 wrote to memory of 2280	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	34
PID 1932 wrote to memory of 2280	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	34
PID 1932 wrote to memory of 2280	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	34
PID 1932 wrote to memory of 2280	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	34
PID 2280 wrote to memory of 2364	2280	cmd.exe	36
PID 2280 wrote to memory of 2364	2280	cmd.exe	36
PID 2280 wrote to memory of 2364	2280	cmd.exe	36
PID 2280 wrote to memory of 2364	2280	cmd.exe	36
PID 2280 wrote to memory of 2364	2280	cmd.exe	36
PID 2280 wrote to memory of 2364	2280	cmd.exe	36
PID 2280 wrote to memory of 2364	2280	cmd.exe	36
PID 1932 wrote to memory of 1936	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	37
PID 1932 wrote to memory of 1936	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	37
PID 1932 wrote to memory of 1936	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	37
PID 1932 wrote to memory of 1936	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	37
PID 1932 wrote to memory of 1936	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	37
PID 1932 wrote to memory of 1936	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	37
PID 1932 wrote to memory of 1936	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	37
PID 1936 wrote to memory of 2776	1936	cmd.exe	39
PID 1936 wrote to memory of 2776	1936	cmd.exe	39
PID 1936 wrote to memory of 2776	1936	cmd.exe	39
PID 1936 wrote to memory of 2776	1936	cmd.exe	39
PID 1936 wrote to memory of 2776	1936	cmd.exe	39
PID 1936 wrote to memory of 2776	1936	cmd.exe	39
PID 1936 wrote to memory of 2776	1936	cmd.exe	39
PID 1932 wrote to memory of 2680	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	40
PID 1932 wrote to memory of 2680	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	40
PID 1932 wrote to memory of 2680	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	40
PID 1932 wrote to memory of 2680	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	40
PID 1932 wrote to memory of 2680	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	40
PID 1932 wrote to memory of 2680	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	40
PID 1932 wrote to memory of 2680	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	40
PID 2680 wrote to memory of 3000	2680	cmd.exe	42
PID 2680 wrote to memory of 3000	2680	cmd.exe	42
PID 2680 wrote to memory of 3000	2680	cmd.exe	42
PID 2680 wrote to memory of 3000	2680	cmd.exe	42
PID 2680 wrote to memory of 3000	2680	cmd.exe	42
PID 2680 wrote to memory of 3000	2680	cmd.exe	42
PID 2680 wrote to memory of 3000	2680	cmd.exe	42
PID 1932 wrote to memory of 880	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	43
PID 1932 wrote to memory of 880	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	43
PID 1932 wrote to memory of 880	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	43
PID 1932 wrote to memory of 880	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	43
PID 1932 wrote to memory of 880	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	43
PID 1932 wrote to memory of 880	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	43
PID 1932 wrote to memory of 880	1932	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	43
PID 880 wrote to memory of 2008	880	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
"C:\Users\Admin\AppData\Local\Temp\f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe"
1⤵
- Modifies firewall policy service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Funshion.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FSPServer.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionService.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Updater.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Updater.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpdate.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpdate.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpgrade.exe"
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpgrade.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\quartz.dll"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C rename "C:\Users\Admin\funshion\historyTorrent\*.torrent" *.fsp
  2⤵
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe
  "C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe" "C:\Users\Admin\funshion\control\\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "funshionupgrade.exe"
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "funshionupgrade.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1236
- - C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe
    "C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "funshion.scr"
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "funshion.scr"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- C:\Program Files (x86)\Funshion Online\Funshion\funshion.exe
  "C:\Program Files (x86)\Funshion Online\Funshion\funshion.exe" startbyinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2752
- - C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe
    "C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe" UISTARTFSPSERVER
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe

Filesize
128KB

MD5
aecf47200f80613e5aeed4285441ade5

SHA1
a1006ab28a7c3c43beadcf72dc148be33ef90fab

SHA256
796c475af15f5f7d179a2a490901617a958e4063781a2443c4c8ce95688e8756

SHA512
c8550608c8a06108cbcf097fb94011d1928bd6439d830ac78aadab4e31d0e50b23b791552553acd3e731399b94cfa8a7947f2505eb48bf095eee62173a45ec0f

Download Submit
C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\conf.xml

Filesize
259B

MD5
879fcee362a01be6ad2cc994fea5e09d

SHA1
974bd6211cb91911c16964c852d746d62da9d684

SHA256
168e3418ab45d3221834d7d1ef71bec2ca435476a8f65d6660c38b298b5cbe34

SHA512
4dabd2643f3280b0778d3edae4512b6d772b06a5e0b81a1c99909455a4ec1345b53acd2f1fcb46726e371329213c3af4018831596b2b6da0eb8f9879631df1c4

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini

Filesize
151B

MD5
4a4d93a9af189d1fc9911ee37faba9e4

SHA1
8b0f54ef26e7641c76a8dbb1d0be2ba1d9f57b30

SHA256
487c1652dd714b91ea66f014e276d6fa25ac3fed0681213f5da07eab2310b9d8

SHA512
25d8b15a91e7f614b445e61a08ac06aa52a09a605197e7565390e87c530a654783a9a9db4b0a77d3d6d1c95c4fae5a3c1c8b09609c2140bd101b129b77caabf9

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini

Filesize
216B

MD5
c1dfaf9db867a12eb040f8a4f44b0beb

SHA1
8754a16a3791406cb6062d93e83f1674f773e718

SHA256
079b9e1c5d464e6b9b0b4820088c2ff4624f64e05abea8645a620eae02851be4

SHA512
67aebfc9242437ecd98584f7237818c7efc22fc77510b5c7d52a61ec4f34242b23983b4f49d030af55ea6c7cb14f75f5dc0264911ae9a24bbdf673f6623d7edd

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll

Filesize
1.1MB

MD5
e2f76eb0a099a8472196bb922b86353b

SHA1
59f7a982c73277463942ebd4e1ccc6204436cc6d

SHA256
255c95b7dfc1f56d0c745064d07c264cd94ba8415e3be835a7a0dadafb936965

SHA512
578af8e2c68295d3ef010613cd065e4985bb488d4d3507cbb7d9c8c491f2d13ef5ae4941dbe1a02287c813144c9dfdeec7b6c590dd0e4ec626459f4e7257af26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nicdescr.dat

Filesize
1KB

MD5
0fb9927e7a9ca8c5f5af8bb4fd7857df

SHA1
40b512129c1d3de5b11c81300e0cbeb781f06873

SHA256
52348ac96775f546a3d057edf50aaf69e0aeb03edc7972055496c014c31dc738

SHA512
331228608c543b66e04e6d9960b51ed1b26bbaad4d48a9254121618cfca31e2a68d194aa1bde071b1a4e3d03d27174dbc5efcc5a7e0cb5a5064c9cee270609ab

Download Submit
C:\Users\Admin\funshion.ini

Filesize
387B

MD5
84d5441e142b1802c53b3958e6d21fb3

SHA1
006d0238224bc6095e5a65abf8260a6df5ea0376

SHA256
961d07e67ad466782c81befb543bdef95e0eefa698653ce2c2a6c78610948e89

SHA512
a0a3b5005d18c2b3d4f553629dd9172e6d38b5b5ae80a924e6f1afa1840ba31b14470da01b0c40916da9915c1c497f70db2e9a618958443c3bffd069444672cd

Download Submit
C:\Users\Admin\funshion.ini

Filesize
729B

MD5
1e385ba7b2e46d6abf5bcf2687ce567d

SHA1
d2bc47149674115ed9adb50b57d5a9b6ebfd88ac

SHA256
9311fc9c98bc22bb517185870f346597cde7cb5fedecb813c566f1caf24b941d

SHA512
77c5f6162c385da93c69a261f44f39f64afc2c7dffb5634c5308c14a0571505e4d8bfd6605121905fa65fb3ed8dcc6cf8262e57c6a36ac9fb1184050d52ef335

Download Submit
C:\Users\Admin\funshion.ini

Filesize
996B

MD5
46d6cb5ebedc15a3d79df3ea08a9a23d

SHA1
b706f0ae33d5ddb3af511eb716a9cbc3a7b3d0ef

SHA256
666c0a689e976d59b99b9172f4c282dedb25638596f9176678e11f1ebb9d3f7a

SHA512
948b0175e7046171c417b551984408d12703871b05b5733683a015563182598d7a2b6dd87f4d0478e9a5d952b3470239924f5521fa5f0437b7ddbc915d3d68fb

Download Submit
C:\Users\Admin\funshion.ini

Filesize
988B

MD5
413630f14c1147253d39d250fbaacafd

SHA1
ec7bdba1f4cf839134a95a52bf873a362215d750

SHA256
21dfb9459c37c5f0fcdb7e1e95f504204cdfb9991a6f791855b5b9e4618db207

SHA512
83f42e759ce0714a4f2ba79aa39260cd03c310f9bb9f8758e97c98f81990ae3ff723fe0a168dd2fd27adb9b1939684bdc4612e1c8151cf36ef7da2cf069fa464

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
ed38c2b1dcc897737c27106c230ebd68

SHA1
1dbf1e7d77a507330a4cdc8fa7c5e008577c1bce

SHA256
9a22d6a50b192d0c9f3425c0b9c80409a1853ab30a58deb663e99cdd6278c00b

SHA512
68556816f4b05b7e8c2295cfffb1cbe4c03375a043230fe6d739203f1f1a46528562e006ef5adda46816ed5fdb9adadc38c2f0ead4a4e36bfcb50b237b47c6c1

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
0f8cd4137277a21fa4706f4a309781b2

SHA1
441ba0a36c9fc690eb2bd3b80cd40861a3d37074

SHA256
4fcb94786f472e118cf3be87c2651dd70abf9fb7e78b574b504821e3dbfe0dd3

SHA512
12a7f25e8a81ce3786fed4b4c404c615e7e9d3166a342fc0b203d6ea06d3f34b353bb214dbdf3fff6984db7ddc3cf0b98eac89dff420687af9207cb347001b9a

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
55e439d382c07b9052d49a9c91e2d026

SHA1
37ec5eb18d66688dc4265a0cc9ae8957ba934d09

SHA256
93ec96287098f0662b8ec18c570bf0edc71ad6a4649644129ccb82e5b7835c35

SHA512
081016e011de474ae699bc508bb6e46d407d69be80a670957acbc1cc546953bd6f15de05bfb4a2efe45521ffe1197c6e184e1194f430f90d95a9740652ca3a10

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
c40a5fbb3b01950ec561600865bd2e4d

SHA1
a78c28afcaf15607de187d12fcf96cad248c2f26

SHA256
bd9642a08917c3f48464b044b4eb1aff55c6126bf860e1427ae4a9b1368486d7

SHA512
3f9d35e0b7f8e3340a306eff6ff86eaf393f98d83a186e6bf52958e577f7e227a1a51d3c8ddca713c413ed315e34729d6e3c745117ef4782b4f889be61e16dee

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
a508c839314ea74e5582fd63ed31f83c

SHA1
036f939d1609edb7cced6c5b7ff666095a6f2aa1

SHA256
f8a46008e562c651d4a19c6630dad1f33ee5229684c0081abedd3be855c960ca

SHA512
0f74d13c1bc495431c42eea0ebc67a1d7bc18cd28ec095836bb84316e126791f54fda37b156021e323f094957a8f5508754695794114e264ec28273e2fa21a3e

Download Submit
\Program Files (x86)\Funshion Online\Funshion\Funshion.exe

Filesize
2.4MB

MD5
e8d51b1aefe8abf8515d45ab8a18d268

SHA1
de74f3daf0388b9cf757fa8b8d11211b03ef9499

SHA256
4ffa78135cd56c03caefa98ef66bb16ad46c458a1434dda0cfee4cb94468a43f

SHA512
5975306bfc7ec23117aa59739a0bfcc52e22c7679dc8f2d7b9ac368b72408791a3fc81eed896abf80a36505d28424bf63e1a08b08b0e120044daf7e7d2cb8ee2

Download Submit
\Program Files (x86)\Funshion Online\Funshion\Uninstall.exe

Filesize
271KB

MD5
2a48dc20f26a1c63136e2d776bc901b8

SHA1
2d8c8d95633b97fece19a45529341ac6652f414c

SHA256
d4ff99240ca24374f72191b43999019ed2107da0b09e4ccea2515424af3c36a6

SHA512
ea9ba8c0a6d6faddcaa69437306ab7e09a8861ab9cd12b0092547b106347e397975fc164d690d748bacc5deecad4b5aa2ff999f723c644748da74d77670c06b3

Download Submit
\Program Files (x86)\Funshion Online\Funshion\dbghelp.dll

Filesize
1020KB

MD5
74edbb03de3291fcf2094af1fb363f1d

SHA1
16b5d948ed7843576781dc4f2a391607ac0120a4

SHA256
dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa

SHA512
b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289

Download Submit
\Users\Admin\AppData\Local\Temp\getmacaddress.dll

Filesize
156KB

MD5
860e633786ad08a8013327052695d669

SHA1
67eb0e35b86e677b99ff5947e28c8b55a9d81690

SHA256
d6017709adc7f6bed36c3ad932d5e68c699418c9baade81dca0c145d4661cc46

SHA512
2acde6cccab29aab16d0b6235351b0239eda19ae568553bdb8f80c8fc49ece72deafd1237e08f14c1d4ea3facbade97db8c442ecb500d7d5928a7e920fd3f85a

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC39.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC39.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC39.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC39.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC39.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC39.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC39.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
\Users\Admin\AppData\Local\Temp\xml2fspdata.exe

Filesize
124KB

MD5
135aa003b748c1aa76c0610fee3f980e

SHA1
edf79f78c6fb39cf632c9ffd5bb1436016d5852f

SHA256
cbf8551809f88b3602f4a29b2e04920fc8ff4674d38da93d769bbbfe1683241c

SHA512
6d36e0a8fcaa544fd4f8a1656e8c23cadcdb4a83734822bbcfcc0fca97861ebd13d08b36a448065e01948c9bf7df07204fe9f2cf226314ad20469b396a85bbe8

Download Submit
memory/1932-85-0x0000000000760000-0x0000000000788000-memory.dmp

Filesize
160KB

Download
memory/1932-454-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/1932-470-0x00000000021C0000-0x00000000021E8000-memory.dmp

Filesize
160KB

Download
memory/1932-9-0x0000000000570000-0x000000000057B000-memory.dmp

Filesize
44KB

Download
memory/1976-770-0x0000000000290000-0x00000000002B1000-memory.dmp

Filesize
132KB

Download
memory/1976-768-0x0000000000240000-0x000000000028A000-memory.dmp

Filesize
296KB

Download
memory/1976-819-0x0000000000660000-0x0000000000688000-memory.dmp

Filesize
160KB

Download
memory/1976-885-0x0000000002020000-0x0000000002059000-memory.dmp

Filesize
228KB

Download
memory/2752-887-0x00000000061C0000-0x0000000006803000-memory.dmp

Filesize
6.3MB

Download
memory/2752-690-0x0000000005810000-0x000000000582C000-memory.dmp

Filesize
112KB

Download