Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8276a2e07e...18.exe

windows7-x64

10

8276a2e07e...18.exe

windows10-2004-x64

7

$PLUGINSDI...nt.dll

windows7-x64

3

$PLUGINSDI...nt.dll

windows10-2004-x64

3

$PLUGINSDI...md.dll

windows7-x64

3

$PLUGINSDI...md.dll

windows10-2004-x64

3

$PLUGINSDI...os.dll

windows7-x64

3

$PLUGINSDI...os.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...dl.dll

windows7-x64

3

$PLUGINSDI...dl.dll

windows10-2004-x64

3

$PLUGINSDI...el.dll

windows7-x64

3

$PLUGINSDI...el.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...ML.dll

windows7-x64

3

$PLUGINSDI...ML.dll

windows10-2004-x64

3

$SYSDIR/$S...on.scr

windows7-x64

3

$SYSDIR/$S...on.scr

windows10-2004-x64

3

$TEMP/$SYS...on.scr

windows7-x64

3

$TEMP/$SYS...on.scr

windows10-2004-x64

3

$TEMP/Dump.dll

windows7-x64

5

$TEMP/Dump.dll

windows10-2004-x64

5

$TEMP/getm...ss.dll

windows7-x64

3

$TEMP/getm...ss.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    02/08/2024, 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe

  • Size

    5.5MB

  • MD5

    8276a2e07efddb5f695912ad26af8ff3

  • SHA1

    bd6683df25655eef77abbe0aef5576bf45272498

  • SHA256

    dc150e97ce37b63c0dea549dc507ae341ac8e9e2f859cd659be137f671423b88

  • SHA512

    6c61fc71212ab1b18d15e966771d4a10d38713d7f85c73d716ccf44166e3e8ea8a5c3d4ad2890f9ddd1720966c5d7fa1b3bbe3959d251183daa4c39b5d6e2f48

  • SSDEEP

    98304:QyjtcE3qmO7AkAerVkZkObDjgSMOdEQLL1yU/Ad5j5DZgENnXNPRJ:VjSE3qmw3AwVkZdDpdnLByU/s5DJNZJ

Score
10/10
adwarediscoveryevasionpersistencestealer

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 7 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 60 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Kills process with taskkill 8 IoCs
    evasion
  • Modifies Control Panel 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 23 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe"
    1⤵
    • Modifies firewall policy service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "FSPServer.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "FunshionService.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "Funshion.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C taskkill /f /im "Updater.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "Updater.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1560
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpdate.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "FunshionUpdate.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3016
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpgrade.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "FunshionUpgrade.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\system32\quartz.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1404
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C rename "C:\Users\Admin\funshion\historyTorrent\*.torrent" *.fsp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3008
    • C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe
      "C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe" "C:\Users\Admin\funshion\control\\"
      2⤵
      • Executes dropped EXE
      PID:2084
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C taskkill /f /im "funshionupgrade.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:688
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "funshionupgrade.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:324
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:884
      • C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe
        "C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe" -RegServer
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2536
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C taskkill /f /im "funshion.scr"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2052
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "funshion.scr"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
    • C:\Program Files (x86)\Funshion Online\Funshion\funshion.exe
      "C:\Program Files (x86)\Funshion Online\Funshion\funshion.exe" startbyinstall
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2724
      • C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe
        "C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe" UISTARTFSPSERVER
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe
    Filesize

    128KB

    MD5

    aecf47200f80613e5aeed4285441ade5

    SHA1

    a1006ab28a7c3c43beadcf72dc148be33ef90fab

    SHA256

    796c475af15f5f7d179a2a490901617a958e4063781a2443c4c8ce95688e8756

    SHA512

    c8550608c8a06108cbcf097fb94011d1928bd6439d830ac78aadab4e31d0e50b23b791552553acd3e731399b94cfa8a7947f2505eb48bf095eee62173a45ec0f

    Download Submit

  • C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\conf.xml
    Filesize

    259B

    MD5

    879fcee362a01be6ad2cc994fea5e09d

    SHA1

    974bd6211cb91911c16964c852d746d62da9d684

    SHA256

    168e3418ab45d3221834d7d1ef71bec2ca435476a8f65d6660c38b298b5cbe34

    SHA512

    4dabd2643f3280b0778d3edae4512b6d772b06a5e0b81a1c99909455a4ec1345b53acd2f1fcb46726e371329213c3af4018831596b2b6da0eb8f9879631df1c4

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini
    Filesize

    216B

    MD5

    24f7d41817beb7e940334545218666d3

    SHA1

    b3d15ede5ea8c38edb359ce6c2ac75c6282f0624

    SHA256

    e6ee0eeaad6460fe39fd576f19c3d5fe0c08bf4270dc9aefc92860cde92bb221

    SHA512

    fc36fa5ea407c4d5af9484737a7af45c5c7280ffb8882e0d0d32bc0e9ea7ce5789501e1464c4f77fde861674a86aa2ba3ca87ba547b087a4a7e0388a99d38e1e

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini
    Filesize

    216B

    MD5

    ab6ee7685e291aaea3969c23fc6d2607

    SHA1

    62c9a1af0e13280c295a20f9aa686a719a4c36ad

    SHA256

    c07dfde4ee7b9baead36a4850c8fc7d4488883a8f7bd6955d7a68a90e1974c2b

    SHA512

    a9cca3487040b50a384d9a8c577ca0ef152ee0e063490f74c5b0e5835bd38bc8b8cfb15fa0d93ee24259f429cafcb656799bbb1ec93a7490922a78201fc03437

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini
    Filesize

    216B

    MD5

    e045e64971febde7e4fbc9317bb65724

    SHA1

    b2c19a46979cd8b799a952f745d1ecb2cb89ff17

    SHA256

    b4398368371313ba962cecc278f7a6fddc4227afb21700aa2bf6ca70d0c7f1c1

    SHA512

    8009d286ea60c39509c6458d86ce4bda2a66e981113591a57dd66b6e3e1e63455a06a6b09ce8e8e7c49387ea3423646305f75d4fdd5603e705ba24495395e97e

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini
    Filesize

    151B

    MD5

    c7d1fdfbe622db49be72dba006b49b3f

    SHA1

    8a802d27c382da0af269ddc23171588149db20dc

    SHA256

    b11928638098f48bf7610e038204f95a7c6a7dfe5fa9cb0f4e7e8b1011eed755

    SHA512

    0eaa82443fb8cb9efd43886b2f6a947cf7bce1a925f60965acc0c11441945bffbe9f7a7805fb6f340517a486529d1ad4d3f6229602cfed40082cdc1761c804c6

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini
    Filesize

    216B

    MD5

    8ec55ee262ff5935c7c2ba9a39913a82

    SHA1

    1d4ea97e43c7bba75a540375d986aeaf9064b902

    SHA256

    b1711947308979250a9837f0c523aabd36fc1c8b98ee0937ed0a1a0537b50227

    SHA512

    01f6f8bf19f2b89c570d9489c1752544dc155446f1f637664d3ec8a4ec94d6c8d678978b571e4326d2b65b28ac7196ffcf9ef1b28c1cc83df9fa18e23e44c1fa

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll
    Filesize

    1.1MB

    MD5

    e2f76eb0a099a8472196bb922b86353b

    SHA1

    59f7a982c73277463942ebd4e1ccc6204436cc6d

    SHA256

    255c95b7dfc1f56d0c745064d07c264cd94ba8415e3be835a7a0dadafb936965

    SHA512

    578af8e2c68295d3ef010613cd065e4985bb488d4d3507cbb7d9c8c491f2d13ef5ae4941dbe1a02287c813144c9dfdeec7b6c590dd0e4ec626459f4e7257af26

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionText.bmp
    Filesize

    4KB

    MD5

    fdcc1c466cfd730ecd677036a6c503c5

    SHA1

    c1901e319f2492e143343b26a9ae909e0465bab8

    SHA256

    058730e84e8fe04e215a35b130b035ce39ac8eab8c4c3a191fba8ed2f0575fa7

    SHA512

    18e0c51a7fff9e129806248c589e651b52a4b67b2feb3aaade7ee76f5f08333333d3c1dbe8267f0081f1f1d1a43aaf787c16af82bd5778d4b511d1b4137fe99c

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionTextEn.bmp
    Filesize

    5KB

    MD5

    f090956024d106d478a2ae8581f6d9c5

    SHA1

    662355c6ae0e393f0418918b41fe0aa19c90293d

    SHA256

    2b65b7c086b2902f4dd35ad6cd076704558ee78dffe59a271a6541bd17f50602

    SHA512

    8900ed072690eaa1e07323f63338916b9ba17f5b8e9f831b9760df1b7c4a4f961d91167f543d3c84f65cb237ef74714e93fb55205e12e7f95315d3b7ca415ed7

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\skin\OptionText.bmp
    Filesize

    2KB

    MD5

    e3e39fae4be1c50703e17128f1f22ac8

    SHA1

    1ad1b435d6ac5dd2bb23ab30942175d724021de0

    SHA256

    43f2936076eb9be36f76165baa9daf49e3aed73dd7767625e5e0f4d6a7ea7480

    SHA512

    e8be882340adafae9edf1c6ac7d20f5d13324d7be8dd7041fbe5bcb3532b28203d12c153b67d052cf0f5d40194b6eb565e0de003a925dcaffcc5cab848f3aed3

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\skin\OptionTextEn.bmp
    Filesize

    2KB

    MD5

    d9af4c13cd0752828e5b9507d2aee607

    SHA1

    526c6aa7bbe58f63beea8d00a66d698a9c9fcede

    SHA256

    6ea1e84fb5fcfbf01638f0f9fa7d16e41811af24c54c491d84bc33111961d336

    SHA512

    50c4f65b7306612777d35c5051561bab5e88bb15529d9ebc80da740e5689685a7c4d5c819623ae2487c14607b2df98eaadbace3472ae384cd7873e90f939fe4f

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskText.bmp
    Filesize

    2KB

    MD5

    9b01de00cba5759fde7c635a31ddaf61

    SHA1

    d37be443255f09c941f468ec01d06bd3a7763d03

    SHA256

    460ee0b2e0346a4c92aca7a54e4694c24bb430008bc973f18fb729c5ca34b87e

    SHA512

    a7c4b95dbca6da5137801a3501217def516121530f4771271cb721a602ec26e10710168f9c891ddb6479d53b700fa77d0c4885d9f78e9d46bd26eb456883a72f

    Download Submit

  • C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskTextEn.bmp
    Filesize

    6KB

    MD5

    806e4a26edbfbd645dc2d8ec899550d0

    SHA1

    1dbc607d43088eb457420c5d13ed5ca33d8e52e3

    SHA256

    eed412269d50c895dd4b2cb0327d879e4f9820eb77125389c682787dd1b961ba

    SHA512

    2b3fb7e57fce7174461eada1d06a5c7ba7fce1ec8397723c5d0228df97eb310b578e7b6d1f13527332dcfce5aa4e43e109a6e884b606ca1160d0a21b2fb3b34a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nicdescr.dat
    Filesize

    1KB

    MD5

    0fb9927e7a9ca8c5f5af8bb4fd7857df

    SHA1

    40b512129c1d3de5b11c81300e0cbeb781f06873

    SHA256

    52348ac96775f546a3d057edf50aaf69e0aeb03edc7972055496c014c31dc738

    SHA512

    331228608c543b66e04e6d9960b51ed1b26bbaad4d48a9254121618cfca31e2a68d194aa1bde071b1a4e3d03d27174dbc5efcc5a7e0cb5a5064c9cee270609ab

    Download Submit

  • C:\Users\Admin\funshion.ini
    Filesize

    1KB

    MD5

    6c1868d594cdc92947cea2614d137720

    SHA1

    e5fad48bfc388c5c740413236d7389a0c832e9b1

    SHA256

    0499f4094ed8fe7469c78b7d58a6ee1042beace6a9277811143d29153011402a

    SHA512

    5d3fc8f5b190f598fa8bab283fb969a9d677a7c03bf7c3034d7e723713f80a7590d49b8b62cd0e00b7acf1a7bd0789b7083b1fb77a9080ac1d7e9d3d2a3e2155

    Download Submit

  • C:\Users\Admin\funshion.ini
    Filesize

    387B

    MD5

    f38281c8c49f187c34a3f7a1083fe537

    SHA1

    cbc9207ae48bedbc74c4776e2c7bafd715c910d6

    SHA256

    2aad1a30f28d330206cff40ba9593d51fae8d0b36d736334c905cb4ced89692f

    SHA512

    0985ca038d13624fce6df30a419c1c37caa10b0c7ef9ef9d16eb74d48306a6d5814a0737345abd42dfe043ff292b43968a726fea65fb101ce4bf96514b4e8ab0

    Download Submit

  • C:\Users\Admin\funshion.ini
    Filesize

    868B

    MD5

    b4f9d096bc22e8205708b9c182a2888d

    SHA1

    d145c880d542e1cb3c7caeb91faeec900c1782bf

    SHA256

    c88f256bf11b87dcf5c77d85bdc0c37fc8a1fcbb322cabfebb48f0d54d8077a9

    SHA512

    ed3e778b27d5b45e671030c05be9518b50cbb71925d4641f9b829a59d1ed1086c00ff4cc4a8b4110fb988b29d7f601261541c63cc31ad2b9b217cd42966a07ad

    Download Submit

  • C:\Users\Admin\funshion.ini
    Filesize

    1KB

    MD5

    8458f6198ac521277e736c8e22d6587d

    SHA1

    48a7e8971eb48b3e7cc28ace14fff22ba2cda318

    SHA256

    b28b6d8cee7ca7363588453d465c17a7d58645d649211a215bf8b43cfdd0928a

    SHA512

    5fad73d7e15cebe7cc7f797d03418ad551315a218ec1fa911802c8161be8a90d910f1c22cf0bcbaed41e0d13fe25ca0997396487bbb20ae8b352c3e1c65dfb1c

    Download Submit

  • C:\Users\Admin\funshion.ini
    Filesize

    1KB

    MD5

    d2c27aeb7b14b36cc678d3942e7f34ab

    SHA1

    ee9f9cc153fbb4cfec9016dc7d50d2bf7edde490

    SHA256

    b01cb31b27a8a983278ca6f327b4da9fbb5e19c3936e72fee22dae6f8210745d

    SHA512

    5a9206db2fc3cf9acd9aba5c1a85fbd5ffb68c0aa66b28f816fefd29029386d3864b6746889719a69dc77177b2e7fd88a44faa02933ec738a9ccb91db588b837

    Download Submit

  • C:\Users\Admin\funshion.ini
    Filesize

    1KB

    MD5

    299b0fc4e52a3f7ac6a3f14cb3454c31

    SHA1

    143b13043b9fce9ad5ca981962063292b3305f86

    SHA256

    3917d061a5ce0e4ebfa0cb1ca29d29e19c6541e11f44a44fcc32c55007a2dba9

    SHA512

    fbbff4eb7c13f44de319d4d2dad1fe401345aa3ab1be6147d7a332961f62046a9af26fb5da54d353701b70d313d1d34b266310f6e8168ee46b758ed01d6a1bf7

    Download Submit

  • C:\Users\Admin\funshion.ini
    Filesize

    1KB

    MD5

    2e3efc28199a35eb00fa50b8a75bf467

    SHA1

    6a20a2bba16fa17b50990529fd19c914d192ced1

    SHA256

    a1b014dd67f23c9080b1618259d7d36b826ec2316f240cdc1a38cdf3b8c31718

    SHA512

    5a2578c343b9f9f537db74a639ea465b3baf400d66ca64496b73bb713c587b76edbcd5769f86163a81b8da4caaacfe9c9f8cd92a3c4afadfabab4fac3065cc23

    Download Submit

  • C:\Windows\SysWOW64\funshion.ini
    Filesize

    607B

    MD5

    59c7c39f09d77082384c3ad44f57b2e9

    SHA1

    b378a607936b36ad5da42ff4e826198f63a7ca01

    SHA256

    488b0c8ec8fa0a013583aecf56fe5249fa9e0e0e8f9abf4ec4b0aec4d0277236

    SHA512

    eaf509a2423df90edf00613dcb9e03cff6d57fb1646610005c38507c03b0d71d745208303a41aada09426dd335d72e79f87205a13045d32c1b9bc553f33e83db

    Download Submit

  • \Program Files (x86)\Funshion Online\Funshion\Funshion.exe
    Filesize

    3.0MB

    MD5

    8d37463aabb0e66f36dde0f7a2f59eb6

    SHA1

    19e50c08a588c634fb48f0258a7aefca94960bff

    SHA256

    a06f0eafa70ec01afcc2544411641269bbcbb2a51bbd975755e57b3bb4c7d3c7

    SHA512

    9c09ecf604e732457459d7c5b37beb2b9d8352942faa0ef1a39dda53b9e0a9e4b2fd420f83639ca71b5d93e7a657741d11a55d490f6e9cc95f643c7cff539da2

    Download Submit

  • \Program Files (x86)\Funshion Online\Funshion\Uninstall.exe
    Filesize

    271KB

    MD5

    945a656b3033d095aa658ca66dcd5aa0

    SHA1

    440d2fdc4dd4806e6e49c75c936babea5e3aaee4

    SHA256

    9347ecfacde86ed900ba9b87409fd4e371039b465e0d0affe2729c89c71440ec

    SHA512

    f3df06e9856f34510f5110597a11b081b6948e638ca8f977a520e886e8927c9bae4805c7ea1a3b141aedc91398a4608191853149ed352cc7ee12e76823a6f5ca

    Download Submit

  • \Program Files (x86)\Funshion Online\Funshion\dbghelp.dll
    Filesize

    1020KB

    MD5

    74edbb03de3291fcf2094af1fb363f1d

    SHA1

    16b5d948ed7843576781dc4f2a391607ac0120a4

    SHA256

    dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa

    SHA512

    b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289

    Download Submit

  • \Users\Admin\AppData\Local\Temp\getmacaddress.dll
    Filesize

    156KB

    MD5

    7598ba134ae1b92a18f071f5c3f1a7e6

    SHA1

    559b4f9e36774548fc9a7a9c8c7385f831ed0800

    SHA256

    f6df67a3cfeef9518f9ab8698eea44a2c2943a56d1772b79309706dbdce6baee

    SHA512

    addd953d6f4db0e66bf87fa8af74dfab75912a885d055657be9e204de20a88f38b62565d34e0d255d16e31770a0d6211370877e9aa63bb637247510c16078ebe

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstCE49.tmp\ExecCmd.dll
    Filesize

    4KB

    MD5

    b9380b0bea8854fd9f93cc1fda0dfeac

    SHA1

    edb8d58074e098f7b5f0d158abedc7fc53638618

    SHA256

    1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

    SHA512

    45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstCE49.tmp\ExecDos.dll
    Filesize

    5KB

    MD5

    a7cd6206240484c8436c66afb12bdfbf

    SHA1

    0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

    SHA256

    69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

    SHA512

    b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstCE49.tmp\FindProcDLL.dll
    Filesize

    31KB

    MD5

    83cd62eab980e3d64c131799608c8371

    SHA1

    5b57a6842a154997e31fab573c5754b358f5dd1c

    SHA256

    a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

    SHA512

    91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstCE49.tmp\KillProcDLL.dll
    Filesize

    32KB

    MD5

    83142eac84475f4ca889c73f10d9c179

    SHA1

    dbe43c0de8ef881466bd74861b2e5b17598b5ce8

    SHA256

    ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

    SHA512

    1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstCE49.tmp\NSISdl.dll
    Filesize

    14KB

    MD5

    a5f8399a743ab7f9c88c645c35b1ebb5

    SHA1

    168f3c158913b0367bf79fa413357fbe97018191

    SHA256

    dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

    SHA512

    824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstCE49.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstCE49.tmp\md5dll.dll
    Filesize

    8KB

    MD5

    a7d710e78711d5ab90e4792763241754

    SHA1

    f31cecd926c5d497aba163a17b75975ec34beb13

    SHA256

    9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

    SHA512

    f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\xml2fspdata.exe
    Filesize

    124KB

    MD5

    7ddce55c1df4fd04703656e9b4eafd6e

    SHA1

    cb8ef7bf8426ac2b48434e74ef8dbd4b2f5df0da

    SHA256

    e349c1d94ab06dd75fb6ec1c12ce22d5807207eae562da68de99ed8811be8fdf

    SHA512

    21b479d883db0b4e5271626de713b46acb0d5ac065ed70656e3f31b342301b697ebd4f425c274784a829f53de343424c8723b9dec00ace9cec92298d34a56838

    Download Submit

  • memory/1956-85-0x0000000001D80000-0x0000000001DA8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1956-456-0x0000000001DA0000-0x0000000001DAB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1956-9-0x0000000001D80000-0x0000000001D8B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1956-472-0x0000000001DA0000-0x0000000001DC8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2724-858-0x00000000064B0000-0x0000000006AF2000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/2724-654-0x0000000005870000-0x000000000588C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3028-827-0x0000000001FB0000-0x0000000001FE9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3028-700-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3028-677-0x0000000000390000-0x00000000003DD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/3028-673-0x0000000000280000-0x00000000002A0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3028-675-0x0000000000340000-0x000000000038C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3028-662-0x0000000000230000-0x000000000027A000-memory.dmp

    Filesize

    296KB

    Download