f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Size

5.4MB
MD5

46acc3fd90233d5b2fc9dffc05733eac
SHA1

4061c7f486ae44fdee3a35a2c69740c753963596
SHA256

f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0
SHA512

14fc0071288256ba8ad3c32c0f387da10c16d0ec3a1cbb292ca57f0bc2923fae6ca2d6821d5461f9f2fd2f52c2e75480ae488a255f59cc3588cad122ce5de39a
SSDEEP

98304:E2KNVQyPDrBdfSNW40xhlkauVz1/c490/8+rc+NFs4eR7ThbxrS3nZ0g:YYsd6HehlkVP488Q4eRbxmJn

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	funshion.exe

Executes dropped EXE 4 IoCs

pid	Process
4348	xml2fspdata.exe
4596	ASBarBroker.exe
4584	funshion.exe
3188	FunshionService.exe

Loads dropped DLL 64 IoCs

pid	Process
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
2976	regsvr32.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
4584	funshion.exe
4584	funshion.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Funshion = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\" startbywindows tray"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Funshion = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\funshion.exe startbywindows tray"	funshion.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83164193-93A3-4ECE-B554-F90E89C431CE}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83164193-93A3-4ECE-B554-F90E89C431CE}	regsvr32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\funshion.ini	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File opened for modification	C:\Windows\SysWOW64\FunShion.ini	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Windows\system32\Funshion.scr	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Windows\SysWOW64\FunshionService.timestamp	FunshionService.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\Buffering.gif	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnVolumeSmall.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarDownArrowL.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskBarBtnOpenLcl.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\pndx5032.dll	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetTrailL.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskTabBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\bmpClearDisk.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionMaxBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBufferInfoWndRight.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayInfoBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\RadioBtnPt.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetHead.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\conf.xml	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\OptionBtnArrow.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnBarBk.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarPlay.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarSplid.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateCaption.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionText.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CheckBox_Check.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarHead.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\Funshion\funshion.ini	FunshionService.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\CrashReport.exe	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CheckBox_Box.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\RadioBtnBox.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\CoreAAC.ax	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\DiskWarnning.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBufferInfoWndBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPlayList.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateBtmUpdateBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\bmpMenuBk.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\Funshion-install.ico	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarHomePage.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBarVolumeBarBkgndRightSmall.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionTextEn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionMenuF.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnSetting.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnBarItem.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarGamePage.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcRightTopCorner.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetTrail.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateCapBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\ASBarBroker.exe	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\OptionSplideBarThumb.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PauseAdCloseBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarBkgnd.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TipRightArrow.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\bmpPlayBarTip.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayListRemove.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnMuteSmall.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\RpcStartDlgBk.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\HidePlayInfoBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnVolume.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarDownload.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPauseSmall.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\RpcLoading.gif	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ChangeModeBtn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetHeadHover.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarShowWebEn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarBack.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarDownloadSmall.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionMenuFEn.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarShopPage.bmp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 8 IoCs

evasion

pid	Process
2144	taskkill.exe
1440	taskkill.exe
3152	taskkill.exe
1676	taskkill.exe
2052	taskkill.exe
3484	taskkill.exe
2328	taskkill.exe
1692	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Funshion.scr"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop\ScreenSaveActive = "1"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\SearchScopes	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\TypedURLs	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=funshion010_oem_dg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "%ProgramFiles(x86)%\\Baidu\\AddressBar"	ASBarBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\FaviconURL = "http://www.baidu.com/favicon.ico"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\DisplayName = "百度一下，你就知道"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\FunshionAddr"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\FunshionAddr"	ASBarBroker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB86-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionRMVB\shell	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FriendlyName = "AVI/WAV File Source"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSP\shell\open\ddeexec\Topic	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\Application\ = "Funshion"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsp	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48025243-2D39-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}\FriendlyName = "Color Space Converter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ = "IJsObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\ = "open"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8670C736-F614-427B-8ADA-BBADC587194B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionRMVB\DefaultIcon	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\command\ = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\" \"%1\" /dummy"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fc!\ = "Funshion Task"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8670C736-F614-427b-8ADA-BBADC587194B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\FilterData = 02000000010080000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor\FilterData = 02000000000020000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\83164193-93A3-4ECE-B554-F90E89C431CE.Addr.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\DefaultIcon\ = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe"	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1\CLSID\ = "{91878E42-FC03-4785-B513-1F9E613D1027}"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\FriendlyName = "Multi-file Parser"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51B4ABF3-748F-4E3B-A276-C828330E926A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8AA343-6E63-4663-BE90-6B80F66540A3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{418AFB70-F8B8-11CE-AAC6-0020AF0B99A3}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83164193-93A3-4ECE-B554-F90E89C431CE}\TypeLib\ = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06B32AEE-77DA-484B-973B-5D64F47201B0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\FriendlyName = "MPEG Video Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\FriendlyName = "Line 21 Decoder 2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject\CLSID\ = "{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ = "ISearchHook"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	3484	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeShutdownPrivilege	4584	funshion.exe
Token: SeManageVolumePrivilege	3188	FunshionService.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe
4584	funshion.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 1296	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	87
PID 3712 wrote to memory of 1296	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	87
PID 3712 wrote to memory of 1296	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	87
PID 1296 wrote to memory of 2052	1296	cmd.exe	89
PID 1296 wrote to memory of 2052	1296	cmd.exe	89
PID 1296 wrote to memory of 2052	1296	cmd.exe	89
PID 3712 wrote to memory of 1868	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	91
PID 3712 wrote to memory of 1868	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	91
PID 3712 wrote to memory of 1868	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	91
PID 1868 wrote to memory of 3484	1868	cmd.exe	93
PID 1868 wrote to memory of 3484	1868	cmd.exe	93
PID 1868 wrote to memory of 3484	1868	cmd.exe	93
PID 3712 wrote to memory of 744	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	94
PID 3712 wrote to memory of 744	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	94
PID 3712 wrote to memory of 744	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	94
PID 744 wrote to memory of 2328	744	cmd.exe	96
PID 744 wrote to memory of 2328	744	cmd.exe	96
PID 744 wrote to memory of 2328	744	cmd.exe	96
PID 3712 wrote to memory of 1960	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	97
PID 3712 wrote to memory of 1960	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	97
PID 3712 wrote to memory of 1960	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	97
PID 1960 wrote to memory of 1692	1960	cmd.exe	99
PID 1960 wrote to memory of 1692	1960	cmd.exe	99
PID 1960 wrote to memory of 1692	1960	cmd.exe	99
PID 3712 wrote to memory of 3592	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	100
PID 3712 wrote to memory of 3592	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	100
PID 3712 wrote to memory of 3592	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	100
PID 3592 wrote to memory of 2144	3592	cmd.exe	102
PID 3592 wrote to memory of 2144	3592	cmd.exe	102
PID 3592 wrote to memory of 2144	3592	cmd.exe	102
PID 3712 wrote to memory of 4792	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	103
PID 3712 wrote to memory of 4792	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	103
PID 3712 wrote to memory of 4792	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	103
PID 4792 wrote to memory of 1440	4792	cmd.exe	105
PID 4792 wrote to memory of 1440	4792	cmd.exe	105
PID 4792 wrote to memory of 1440	4792	cmd.exe	105
PID 3712 wrote to memory of 2828	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	106
PID 3712 wrote to memory of 2828	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	106
PID 3712 wrote to memory of 2828	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	106
PID 3712 wrote to memory of 5112	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	107
PID 3712 wrote to memory of 5112	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	107
PID 3712 wrote to memory of 5112	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	107
PID 3712 wrote to memory of 4348	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	109
PID 3712 wrote to memory of 4348	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	109
PID 3712 wrote to memory of 4348	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	109
PID 3712 wrote to memory of 2608	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	111
PID 3712 wrote to memory of 2608	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	111
PID 3712 wrote to memory of 2608	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	111
PID 2608 wrote to memory of 3152	2608	cmd.exe	113
PID 2608 wrote to memory of 3152	2608	cmd.exe	113
PID 2608 wrote to memory of 3152	2608	cmd.exe	113
PID 3712 wrote to memory of 2976	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	115
PID 3712 wrote to memory of 2976	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	115
PID 3712 wrote to memory of 2976	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	115
PID 2976 wrote to memory of 4596	2976	regsvr32.exe	116
PID 2976 wrote to memory of 4596	2976	regsvr32.exe	116
PID 2976 wrote to memory of 4596	2976	regsvr32.exe	116
PID 3712 wrote to memory of 1200	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	118
PID 3712 wrote to memory of 1200	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	118
PID 3712 wrote to memory of 1200	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	118
PID 1200 wrote to memory of 1676	1200	cmd.exe	120
PID 1200 wrote to memory of 1676	1200	cmd.exe	120
PID 1200 wrote to memory of 1676	1200	cmd.exe	120
PID 3712 wrote to memory of 4584	3712	f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe	121

C:\Users\Admin\AppData\Local\Temp\f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe
"C:\Users\Admin\AppData\Local\Temp\f034640560565580e9233100f97d3e6a594915bd7d900cff444fd1c2c48c2cc0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Funshion.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FSPServer.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionService.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Updater.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Updater.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpdate.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpdate.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpgrade.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpgrade.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\quartz.dll"
  2⤵
  - Modifies registry class
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C rename "C:\Users\Admin\funshion\historyTorrent\*.torrent" *.fsp
  2⤵
  PID:5112
- C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe
  "C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe" "C:\Program Files (x86)\Funshion Online\Funshion\control\\"
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "funshionupgrade.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "funshionupgrade.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3152
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe
    "C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "funshion.scr"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "funshion.scr"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- C:\Program Files (x86)\Funshion Online\Funshion\funshion.exe
  "C:\Program Files (x86)\Funshion Online\Funshion\funshion.exe" startbyinstall
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4584
- - C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe
    "C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe" UISTARTFSPSERVER
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe

Filesize
128KB

MD5
aecf47200f80613e5aeed4285441ade5

SHA1
a1006ab28a7c3c43beadcf72dc148be33ef90fab

SHA256
796c475af15f5f7d179a2a490901617a958e4063781a2443c4c8ce95688e8756

SHA512
c8550608c8a06108cbcf097fb94011d1928bd6439d830ac78aadab4e31d0e50b23b791552553acd3e731399b94cfa8a7947f2505eb48bf095eee62173a45ec0f

Download Submit
C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\conf.xml

Filesize
259B

MD5
879fcee362a01be6ad2cc994fea5e09d

SHA1
974bd6211cb91911c16964c852d746d62da9d684

SHA256
168e3418ab45d3221834d7d1ef71bec2ca435476a8f65d6660c38b298b5cbe34

SHA512
4dabd2643f3280b0778d3edae4512b6d772b06a5e0b81a1c99909455a4ec1345b53acd2f1fcb46726e371329213c3af4018831596b2b6da0eb8f9879631df1c4

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini

Filesize
151B

MD5
843f0b2a4b46b8af455e4361ab715b31

SHA1
d849a67630be991142cc4bc5368a923f3e00536b

SHA256
bf216173c91b01725f3b550db501c51072aaebc980ade79908056b0d68308f9f

SHA512
5365d0e4973b3ea9dea0e59e1202b40a1e7b634ea99924d1a5b64d82c9d33df89056ee2329ffa554f2460aca8c6aa1f10225f43c1f42debf2dc29188dd724924

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini

Filesize
216B

MD5
2a3080f6766d7b204bec1db00ad5b15d

SHA1
b0d3d0908a7f302a399a7f9aa86ea689f793853f

SHA256
3e6799247dfbccf7b0d6a53ea9af29bcd047ead628ec56056f9b411f5fe7805d

SHA512
6ee886932656c8ff35f01f3ba1e28c4e47b47ac1042217ab8dbc0b75141061100041c99931c489c04a37f3e638f3a4b178bc12f4ead0d583bf0b49c131de6d4d

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\Funshion.exe

Filesize
2.4MB

MD5
e8d51b1aefe8abf8515d45ab8a18d268

SHA1
de74f3daf0388b9cf757fa8b8d11211b03ef9499

SHA256
4ffa78135cd56c03caefa98ef66bb16ad46c458a1434dda0cfee4cb94468a43f

SHA512
5975306bfc7ec23117aa59739a0bfcc52e22c7679dc8f2d7b9ac368b72408791a3fc81eed896abf80a36505d28424bf63e1a08b08b0e120044daf7e7d2cb8ee2

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll

Filesize
1.1MB

MD5
e2f76eb0a099a8472196bb922b86353b

SHA1
59f7a982c73277463942ebd4e1ccc6204436cc6d

SHA256
255c95b7dfc1f56d0c745064d07c264cd94ba8415e3be835a7a0dadafb936965

SHA512
578af8e2c68295d3ef010613cd065e4985bb488d4d3507cbb7d9c8c491f2d13ef5ae4941dbe1a02287c813144c9dfdeec7b6c590dd0e4ec626459f4e7257af26

Download Submit
C:\Users\Admin\AppData\Local\Temp\getmacaddress.dll

Filesize
156KB

MD5
860e633786ad08a8013327052695d669

SHA1
67eb0e35b86e677b99ff5947e28c8b55a9d81690

SHA256
d6017709adc7f6bed36c3ad932d5e68c699418c9baade81dca0c145d4661cc46

SHA512
2acde6cccab29aab16d0b6235351b0239eda19ae568553bdb8f80c8fc49ece72deafd1237e08f14c1d4ea3facbade97db8c442ecb500d7d5928a7e920fd3f85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nicdescr.dat

Filesize
1KB

MD5
0fb9927e7a9ca8c5f5af8bb4fd7857df

SHA1
40b512129c1d3de5b11c81300e0cbeb781f06873

SHA256
52348ac96775f546a3d057edf50aaf69e0aeb03edc7972055496c014c31dc738

SHA512
331228608c543b66e04e6d9960b51ed1b26bbaad4d48a9254121618cfca31e2a68d194aa1bde071b1a4e3d03d27174dbc5efcc5a7e0cb5a5064c9cee270609ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw96B4.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw96B4.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw96B4.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw96B4.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw96B4.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw96B4.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw96B4.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe

Filesize
124KB

MD5
135aa003b748c1aa76c0610fee3f980e

SHA1
edf79f78c6fb39cf632c9ffd5bb1436016d5852f

SHA256
cbf8551809f88b3602f4a29b2e04920fc8ff4674d38da93d769bbbfe1683241c

SHA512
6d36e0a8fcaa544fd4f8a1656e8c23cadcdb4a83734822bbcfcc0fca97861ebd13d08b36a448065e01948c9bf7df07204fe9f2cf226314ad20469b396a85bbe8

Download Submit
C:\Users\Admin\funshion.ini

Filesize
387B

MD5
84d5441e142b1802c53b3958e6d21fb3

SHA1
006d0238224bc6095e5a65abf8260a6df5ea0376

SHA256
961d07e67ad466782c81befb543bdef95e0eefa698653ce2c2a6c78610948e89

SHA512
a0a3b5005d18c2b3d4f553629dd9172e6d38b5b5ae80a924e6f1afa1840ba31b14470da01b0c40916da9915c1c497f70db2e9a618958443c3bffd069444672cd

Download Submit
C:\Users\Admin\funshion.ini

Filesize
703B

MD5
8033d8ad5d166209b9547f2a8b6bc1b2

SHA1
caf81a974b13076cfeff787688098e9bb39064d9

SHA256
0b61c447ed8f94971336cd4f6f0486c14d8be0c26531f3310af2c3c9871af48f

SHA512
e09a78c76468e452b478639c390c0fd89d7f97d58f590709b8da231eae9a6679f8d02131c3c18563ebdbee5f7c0427be9d2a607b8a74dc177c18399f59e54209

Download Submit
C:\Users\Admin\funshion.ini

Filesize
753B

MD5
b330157665054a4b5ea42a7c2ac60551

SHA1
9e4106a87dafe4cc363b52c35965f64395309889

SHA256
57bce60dd74c8f6bcbe05e38b493f68e359297525b784987a0f3958694745ed6

SHA512
ad81e8c6a27210a68818bc0c330a01f967c6c611b92960a643b470f0a48b19edc0e9a4f0b76090c2948c745fd05bc833904d42e32e5cd4c08de3db87afa058fc

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1020B

MD5
4511411b1075664d986bd3f62d837f71

SHA1
bd213a805563fa3e562457fd2ab96d47cd0f19ac

SHA256
094713d4995c7487763229f812f2b2444b43a4e3f135202aecba6e2c56a82c9a

SHA512
44e2ba9ddaf324943bdf5e1104c093e4c3b237bc4f4204cdd806cd03abb2c9a495e7a8c6571272bf8f1595ce848cc70022666bc331e419ee7bda535dcb6f535a

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1012B

MD5
a326d8bec71cd5448ef264ab621f15bc

SHA1
ddc4ff370697417296ecd251ca5c5607759f2c34

SHA256
14709678b4757cdbe5768010ecaa5589ed6201675739c462b6fc0b81c6f5213b

SHA512
c8ad27b528d387106a58ace9a3424dddf252d129184099fc8bc17d8e23faef6b3353786813001c4627070b9a701aeb5c711256dc6dac7cc7135a0d7a205ba642

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
40988b6d5187f9cf836bb3d04f96b98a

SHA1
5bf9ab49c0ca561a20061a720613e8cc63b89b91

SHA256
867b70379685963db3f45a1e9ae3b752d23949c2e6c79337c528606fb8a5b3ec

SHA512
a7bc143afa72058fb2ee6900cfb6720186cbcac1f91a0f63051f84f4c37ff5236bd88cac59059471a607e8dde7be75332c7d4ee44acada2802ed5ff1811577f6

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
932ed1aa77aac75491e3ea931e10352c

SHA1
2493e22b07f9d46a8e38ba496ce299e470444fc8

SHA256
de6d899e3fe115e33d36ad05ee681856a125b89c67a59d4899e97df0e6326d60

SHA512
c6467cde7f590a93ca6e3cd4414db81897ea39d421d7e940ac1a5411bb35c3c1c2fc574c709c017ba2a8a844c5a458494953073923bfacbc28e9f7be7d3275de

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
b22200494c60a75044fb86f945677c86

SHA1
f7a92a6ba2b3dcbce909b45a102b1b2655649d82

SHA256
32ba63af5c076661f65bc80391a8aa8c51c8096392c27ce3630c73a285df117c

SHA512
3c48f631ff4df743874dbd973be0945b3447bd98516f0dce70c7c24c6493fe540407040d283d2f52d1fae47a16e4db6bae8bfb2f7b8af45be2f7a4a43aa5ebe9

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
f4c15ce827c0e7df8b078f7f84ac2a2d

SHA1
fe5021cf64fa232608e6c4c405d8cd1cb3524a65

SHA256
c5f9ae54e717384b11e4131c6a56bc9605215029d1345083df346468179c5d6d

SHA512
0b680db820526df903151fbcae550b1d790bf44960f99ec7013796d89b0ba4d9627cade0c08e742e5c7fa4324b2b0c3794573b2cb9fbf03e00494dcbe6ac5a32

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
0f75d5330e72e7f9875177e034421ec8

SHA1
746e285a73353ef358c153a32644e703c37df10e

SHA256
c14f2bd79be8374fa2e2cd5879e64be4b4bc283ece178e9cb71b13420220e20f

SHA512
ea99cf71a20936b7e509d2393eca331b59e23c6d0b5376036acc0d36d41852ad3c2b46c81c8c9767284d2187391dd93244e53b49dc08f112f6aec44e4d86fc3b

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
452B

MD5
f18c752afdc1053a9a9d54c2e2354944

SHA1
598edd66c2fdb7121bf5e1ed8816351a55d2a5e6

SHA256
e1490af6e3002d27501f6941f7906e7e23b7d9cc3b06cf46f57eabab760da2b2

SHA512
974abd71c4942e459e8d5ce0af4ed6a0d260c8d78a3023855603b79742722a70554d80819345a3582a96947c76d523e6e2dfd61b893f5bbae3957f674b656f34

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
632B

MD5
355160394d549da70db8bad43d726f33

SHA1
64bf5b22c5852fdc7799c88ee1e8f48066932f92

SHA256
24a20e158f9e2932eec81dbeaae4d9feac3e5835654dcfc00aa1e078a1163eb2

SHA512
e11cdbbd570fac6b4b7dc0c9d4faa20f59b4fe1f2b4a6b535065ca92ca6cab9eef4c8b9acb6ce2bd342ca2001cf8713934d8ff80b46ed8604c54624162ec06ae

Download Submit
memory/3188-780-0x00000000009D0000-0x0000000000A1A000-memory.dmp

Filesize
296KB

Download
memory/3188-783-0x0000000000A30000-0x0000000000A51000-memory.dmp

Filesize
132KB

Download
memory/3188-787-0x00000000023E0000-0x0000000002408000-memory.dmp

Filesize
160KB

Download
memory/3188-814-0x00000000026B0000-0x00000000026E9000-memory.dmp

Filesize
228KB

Download
memory/3712-115-0x0000000002420000-0x0000000002448000-memory.dmp

Filesize
160KB

Download
memory/3712-491-0x0000000003800000-0x0000000003828000-memory.dmp

Filesize
160KB

Download
memory/3712-468-0x0000000003800000-0x000000000380B000-memory.dmp

Filesize
44KB

Download
memory/3712-10-0x0000000002420000-0x000000000242B000-memory.dmp

Filesize
44KB

Download
memory/4584-702-0x0000000005D40000-0x0000000005D5C000-memory.dmp

Filesize
112KB

Download
memory/4584-928-0x00000000071F0000-0x0000000007833000-memory.dmp

Filesize
6.3MB

Download