dc150e97ce37b63c0dea549dc507ae341ac8e9e2f859cd659be137f671423b88

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Size

5.5MB
MD5

8276a2e07efddb5f695912ad26af8ff3
SHA1

bd6683df25655eef77abbe0aef5576bf45272498
SHA256

dc150e97ce37b63c0dea549dc507ae341ac8e9e2f859cd659be137f671423b88
SHA512

6c61fc71212ab1b18d15e966771d4a10d38713d7f85c73d716ccf44166e3e8ea8a5c3d4ad2890f9ddd1720966c5d7fa1b3bbe3959d251183daa4c39b5d6e2f48
SSDEEP

98304:QyjtcE3qmO7AkAerVkZkObDjgSMOdEQLL1yU/Ad5j5DZgENnXNPRJ:VjSE3qmw3AwVkZdDpdnLByU/s5DJNZJ

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	funshion.exe

Executes dropped EXE 4 IoCs

pid	Process
3500	xml2fspdata.exe
4052	ASBarBroker.exe
3672	funshion.exe
3636	FunshionService.exe

Loads dropped DLL 64 IoCs

pid	Process
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
212	regsvr32.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3672	funshion.exe
3672	funshion.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Funshion = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\" startbywindows tray"	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Funshion = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\funshion.exe startbywindows tray"	funshion.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E11E187A-43D3-FCD1-29C4-8F05573F5F94}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E11E187A-43D3-FCD1-29C4-8F05573F5F94}\NoExplorer = "1"	regsvr32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\funshion.ini	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FunShion.ini	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Windows\system32\Funshion.scr	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FunshionService.timestamp	FunshionService.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion Online\Funshion\CrashReport.exe	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskBarTipDownArrow.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnTitleBkgnd.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskTabBtnPopIcon.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\imgCleanFileBtn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnSetting.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerSimpleBarBk.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarMoveDown.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\WebCloseBtn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBarVolumeBarBkgndSmall.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarDownArrowRound.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\StatusBarLeft.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\CoreAAC.ax	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\Funshion-install.ico	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateCapCloseBtn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarShopPage.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBarVolumeBarThumb.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPauseSmall.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPlay.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetBkgndL.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarPlay.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TextBtnBk.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\list_expend.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\pncrt.dll	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\RadioBtnPt.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\GetMACAddress.dll	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionMenuBtnEn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\OptionSplideBarBkgnd.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnBarCurItem.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarRestore.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\imgTopViewMini.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionNormalBtn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarRefresh.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskListBtnShow.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarDownload.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\WebCloseBtnRgn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\rmoc3260.dll	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\LoginServer.dll	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ListHeaderBkgnd.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarSplid.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerHideBtn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnVolume.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarUpArrowRound.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarShowPlayer.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarShowPlayerEn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskManagerCloseBtn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarDelete.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarShowWebEn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcRightBtmCorner.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarHead.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarBk.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarHeadSmall.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarLeftBk.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateBtmBkgnd.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\FunshionUpgrade.exe	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBufferInfoWndRight.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayListRemove.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayListVerSplidMark.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnBarLScrollBtn.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\Funshion.exe	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayBarVolumeBarBkgndRight.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayInfoBtmBar.bmp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xml2fspdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FunshionService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASBarBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	funshion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
3612	taskkill.exe
640	taskkill.exe
3892	taskkill.exe
3772	taskkill.exe
8	taskkill.exe
3156	taskkill.exe
2540	taskkill.exe
3068	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Funshion.scr"	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\Desktop	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\Desktop\ScreenSaveActive = "1"	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\TypedURLs	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\SearchScopes	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\FunshionAddr"	ASBarBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\FaviconURL = "http://www.baidu.com/favicon.ico"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=funshion010_oem_dg"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "%ProgramFiles(x86)%\\Baidu\\AddressBar"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\DisplayName = "百度一下，你就知道"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\FunshionAddr"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E11E187A-43D3-FCD1-29C4-8F05573F5F94}\InprocServer32\ = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\FunshionAddr\\funshionAddr.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\TypeLib\ = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmvb	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\Topic\ = "FSP"	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}\FilterData = 02000000640060000a000000000000003070693300000000000000000100000000000000000000003074793300000000a0010000b00100003170693300000000000000000100000000000000000000003074793300000000a0010000c00100003270693300000000000000000100000000000000000000003074793300000000a0010000d00100003370693300000000000000000100000000000000000000003074793300000000a0010000e00100003470693300000000000000000100000000000000000000003074793300000000a0010000f00100003570693300000000000000000100000000000000000000003074793300000000a0010000000200003670693300000000000000000100000000000000000000003074793300000000a0010000100200003770693300000000000000000100000000000000000000003074793300000000a0010000200200003870693300000000000000000100000000000000000000003074793300000000a0010000300200003970693308000000000000000100000000000000000000003074793300000000a0010000400200007669647300001000800000aa00389b714d4a504700001000800000aa00389b7154564d4a00001000800000aa00389b7157414b4500001000800000aa00389b714346434300001000800000aa00389b71494a504700001000800000aa00389b71506c756d00001000800000aa00389b714456435300001000800000aa00389b714456534400001000800000aa00389b714d44564600001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\E11E187A-43D3-FCD1-29C4-8F05573F5F94.Addr.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionMp4	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FilterData = 02000000000040000200000000000000307069330d0000000000000001000000000000000000000030747933000000006000000070000000317069330d00000000000000010000000000000000000000307479330000000080000000700000007669647300001000800000aa00389b71000000000000000000000000000000006175647300001000800000aa00389b71	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\E11E187A-43D3-FCD1-29C4-8F05573F5F94.Addr\CurVer\ = "E11E187A-43D3-FCD1-29C4-8F05573F5F94.Addr.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\TypeLib\ = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}\CLSID = "{51B4ABF3-748F-4E3B-A276-C828330E926A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\ = "open"	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionRMVB\shell\ = "open"	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FunshionRMVB\shell\open\command	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05589FAF-C356-11CE-BF01-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\CLSID = "{FEB50740-7BEF-11CE-9BD9-0000E202599C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{418AFB70-F8B8-11CE-AAC6-0020AF0B99A3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}\CLSID = "{48025243-2D39-11CE-875D-00608CB78066}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48025243-2D39-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\LocalServer32	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\DefaultIcon\ = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\funshion.exe"	funshion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion\DefaultIcon\ = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\",1"	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\Command\ = "\"C:\\Program Files (x86)\\Funshion Online\\Funshion\\Funshion.exe\" \"%1\" /dummy"	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB86-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\Topic	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ddeexec\Topic\ = "FSP"	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B80AB0A0-7416-11D2-9EEB-006008039E37}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\Command	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\FilterData = 02000000020060000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000800000007000000080ea0a67823ad011b79b00aa003767a7000000000000000000000000000000007669647300001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSP\shell\open\ddeexec\Application	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\ = "ASBarBroker"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ = "ISnavHttpProtocol"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A1-7548-11CF-A520-0080C77EF58A}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6A08CF80-0E18-11CF-A24D-0020AFD79767}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\FilterData = 0200000000004000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330c000000000000000100000000000000000000003074793300000000800000008000000083eb36e44f52ce119f530020af0ba770a3d51bd54875cf11a5200080c77ef58a00000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB87-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\http	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject.1\CLSID\ = "{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsp	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	8	taskkill.exe
Token: SeShutdownPrivilege	3672	funshion.exe
Token: SeManageVolumePrivilege	3636	FunshionService.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe
3672	funshion.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 960	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	86
PID 3184 wrote to memory of 960	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	86
PID 3184 wrote to memory of 960	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	86
PID 960 wrote to memory of 3156	960	cmd.exe	88
PID 960 wrote to memory of 3156	960	cmd.exe	88
PID 960 wrote to memory of 3156	960	cmd.exe	88
PID 3184 wrote to memory of 3252	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	90
PID 3184 wrote to memory of 3252	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	90
PID 3184 wrote to memory of 3252	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	90
PID 3252 wrote to memory of 2540	3252	cmd.exe	92
PID 3252 wrote to memory of 2540	3252	cmd.exe	92
PID 3252 wrote to memory of 2540	3252	cmd.exe	92
PID 3184 wrote to memory of 3480	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	93
PID 3184 wrote to memory of 3480	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	93
PID 3184 wrote to memory of 3480	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	93
PID 3480 wrote to memory of 3068	3480	cmd.exe	95
PID 3480 wrote to memory of 3068	3480	cmd.exe	95
PID 3480 wrote to memory of 3068	3480	cmd.exe	95
PID 3184 wrote to memory of 3096	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	96
PID 3184 wrote to memory of 3096	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	96
PID 3184 wrote to memory of 3096	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	96
PID 3096 wrote to memory of 3612	3096	cmd.exe	98
PID 3096 wrote to memory of 3612	3096	cmd.exe	98
PID 3096 wrote to memory of 3612	3096	cmd.exe	98
PID 3184 wrote to memory of 4172	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	99
PID 3184 wrote to memory of 4172	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	99
PID 3184 wrote to memory of 4172	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	99
PID 4172 wrote to memory of 640	4172	cmd.exe	101
PID 4172 wrote to memory of 640	4172	cmd.exe	101
PID 4172 wrote to memory of 640	4172	cmd.exe	101
PID 3184 wrote to memory of 2748	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	102
PID 3184 wrote to memory of 2748	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	102
PID 3184 wrote to memory of 2748	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	102
PID 2748 wrote to memory of 3892	2748	cmd.exe	104
PID 2748 wrote to memory of 3892	2748	cmd.exe	104
PID 2748 wrote to memory of 3892	2748	cmd.exe	104
PID 3184 wrote to memory of 1808	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	105
PID 3184 wrote to memory of 1808	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	105
PID 3184 wrote to memory of 1808	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	105
PID 3184 wrote to memory of 4672	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	106
PID 3184 wrote to memory of 4672	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	106
PID 3184 wrote to memory of 4672	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	106
PID 3184 wrote to memory of 3500	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	108
PID 3184 wrote to memory of 3500	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	108
PID 3184 wrote to memory of 3500	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	108
PID 3184 wrote to memory of 3684	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	110
PID 3184 wrote to memory of 3684	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	110
PID 3184 wrote to memory of 3684	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	110
PID 3684 wrote to memory of 3772	3684	cmd.exe	112
PID 3684 wrote to memory of 3772	3684	cmd.exe	112
PID 3684 wrote to memory of 3772	3684	cmd.exe	112
PID 3184 wrote to memory of 212	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	114
PID 3184 wrote to memory of 212	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	114
PID 3184 wrote to memory of 212	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	114
PID 212 wrote to memory of 4052	212	regsvr32.exe	115
PID 212 wrote to memory of 4052	212	regsvr32.exe	115
PID 212 wrote to memory of 4052	212	regsvr32.exe	115
PID 3184 wrote to memory of 3604	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	117
PID 3184 wrote to memory of 3604	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	117
PID 3184 wrote to memory of 3604	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	117
PID 3604 wrote to memory of 8	3604	cmd.exe	119
PID 3604 wrote to memory of 8	3604	cmd.exe	119
PID 3604 wrote to memory of 8	3604	cmd.exe	119
PID 3184 wrote to memory of 3672	3184	8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe	120

C:\Users\Admin\AppData\Local\Temp\8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8276a2e07efddb5f695912ad26af8ff3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FSPServer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionService.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Funshion.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Updater.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Updater.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpdate.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpdate.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpgrade.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpgrade.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\quartz.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C rename "C:\Users\Admin\funshion\historyTorrent\*.torrent" *.fsp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4672
- C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe
  "C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe" "C:\Program Files (x86)\Funshion Online\Funshion\control\\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "funshionupgrade.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "funshionupgrade.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3772
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe
    "C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "funshion.scr"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "funshion.scr"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- C:\Program Files (x86)\Funshion Online\Funshion\funshion.exe
  "C:\Program Files (x86)\Funshion Online\Funshion\funshion.exe" startbyinstall
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3672
- - C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe
    "C:\Program Files (x86)\Funshion Online\Funshion\FunshionService.exe" UISTARTFSPSERVER
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe

Filesize
128KB

MD5
aecf47200f80613e5aeed4285441ade5

SHA1
a1006ab28a7c3c43beadcf72dc148be33ef90fab

SHA256
796c475af15f5f7d179a2a490901617a958e4063781a2443c4c8ce95688e8756

SHA512
c8550608c8a06108cbcf097fb94011d1928bd6439d830ac78aadab4e31d0e50b23b791552553acd3e731399b94cfa8a7947f2505eb48bf095eee62173a45ec0f

Download Submit
C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\conf.xml

Filesize
259B

MD5
879fcee362a01be6ad2cc994fea5e09d

SHA1
974bd6211cb91911c16964c852d746d62da9d684

SHA256
168e3418ab45d3221834d7d1ef71bec2ca435476a8f65d6660c38b298b5cbe34

SHA512
4dabd2643f3280b0778d3edae4512b6d772b06a5e0b81a1c99909455a4ec1345b53acd2f1fcb46726e371329213c3af4018831596b2b6da0eb8f9879631df1c4

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini

Filesize
216B

MD5
d89a1c05a154feed33ce83364ba01f33

SHA1
61805ac3200f773bb297cb413414bf9b0b03be7e

SHA256
b4afaa4bd69650259224829f32dd4efd4a87e0d9afcc1bd7915a2ca07a79cfc8

SHA512
a52f3fde1f747e3144342d86311f27df574191340f67a5c92bab1be292cdb3355a12778e24997f349043282e2ba7594ca66461c76071754e048498c337a04d08

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini

Filesize
216B

MD5
da4a4599d4794fb390798362256c3169

SHA1
42cf3a5e4c104de84bc3e4a0ec782fcb66df08b6

SHA256
2b4439e0e781a429212e6a6fef04fef1fd7680a62a734b9062584d56ab513f9e

SHA512
f7d61548eeb5434fd2ab2ed15baa898455562abf06b9b2512e91c88f1c72ee2f3590883019d22a199b95302ffad7dabe34eb7d8b9318c35b81e5297c3d1c659a

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini

Filesize
216B

MD5
5a28a452fce920079f482a0612ca862d

SHA1
bea94b400375005a56036df5a34b5c25698bb6c1

SHA256
672e2d4fc8161501940f8173aedc24e2b99ac7bb43dc405d4c31a9c5722f822e

SHA512
cc12757e8cab613228d785cb143993d3a6af72c4ea39b3df652a8d225e52962311e9b5c87ccd55f8cdbfd5699d286a0a2ff9f3c78772531d969d667405e87d68

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini

Filesize
94B

MD5
884cc6708e82f23fc58063cb67f68d17

SHA1
66075140033fb7ebed1a2121a6cbbed0bf9c9464

SHA256
e63d5e1fa1e6b65a2f46d284050fdd3129ec0358f8de8ab2e4985810a9ffa89c

SHA512
2973e4fac491d0629312998b7f241a3225c7bd6074335349a3a6867983d4dbee46dca2d8c1ee8988e72e741da3fcb06b09646ad0bf73786c190c49604c4c5c6a

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini

Filesize
151B

MD5
1ef0c824e347a43e68de65f557724c4d

SHA1
060f7dc11227ce774e9ee3a6ee746afb11ff2b8e

SHA256
c1b2493de3388b393bf78b0cda38d4c99c9d8bc107cfa7d93e61cb8ce45bf527

SHA512
8f6da1009e2515042e36a66591b8c53a71959ff296851f39da2d20dbe0a1445605f390f2c20f2060cef932f836163cb37e0fc8474803855e6298084feb471b61

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunShion.ini

Filesize
216B

MD5
7809cdfd4a37bd0d2991df33e4988cef

SHA1
583546abd82ca3fe3449854da5106e219a4d57ca

SHA256
9d72dcb373d17274e242e95d810fd432988c680c9354205cbca4c30b61a05d55

SHA512
d6e33d5df55ee97ee222caf108bb1a1d93d1e542ed2d4750e6b3fecd54ebb2b16157494638a9d3de239c8eea56b90479c76bc38d10d089b7ba516d687d9e3f17

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\Funshion.exe

Filesize
3.0MB

MD5
8d37463aabb0e66f36dde0f7a2f59eb6

SHA1
19e50c08a588c634fb48f0258a7aefca94960bff

SHA256
a06f0eafa70ec01afcc2544411641269bbcbb2a51bbd975755e57b3bb4c7d3c7

SHA512
9c09ecf604e732457459d7c5b37beb2b9d8352942faa0ef1a39dda53b9e0a9e4b2fd420f83639ca71b5d93e7a657741d11a55d490f6e9cc95f643c7cff539da2

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll

Filesize
1.1MB

MD5
e2f76eb0a099a8472196bb922b86353b

SHA1
59f7a982c73277463942ebd4e1ccc6204436cc6d

SHA256
255c95b7dfc1f56d0c745064d07c264cd94ba8415e3be835a7a0dadafb936965

SHA512
578af8e2c68295d3ef010613cd065e4985bb488d4d3507cbb7d9c8c491f2d13ef5ae4941dbe1a02287c813144c9dfdeec7b6c590dd0e4ec626459f4e7257af26

Download Submit
C:\Users\Admin\AppData\Local\Temp\getmacaddress.dll

Filesize
156KB

MD5
7598ba134ae1b92a18f071f5c3f1a7e6

SHA1
559b4f9e36774548fc9a7a9c8c7385f831ed0800

SHA256
f6df67a3cfeef9518f9ab8698eea44a2c2943a56d1772b79309706dbdce6baee

SHA512
addd953d6f4db0e66bf87fa8af74dfab75912a885d055657be9e204de20a88f38b62565d34e0d255d16e31770a0d6211370877e9aa63bb637247510c16078ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nicdescr.dat

Filesize
1KB

MD5
0fb9927e7a9ca8c5f5af8bb4fd7857df

SHA1
40b512129c1d3de5b11c81300e0cbeb781f06873

SHA256
52348ac96775f546a3d057edf50aaf69e0aeb03edc7972055496c014c31dc738

SHA512
331228608c543b66e04e6d9960b51ed1b26bbaad4d48a9254121618cfca31e2a68d194aa1bde071b1a4e3d03d27174dbc5efcc5a7e0cb5a5064c9cee270609ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe

Filesize
124KB

MD5
7ddce55c1df4fd04703656e9b4eafd6e

SHA1
cb8ef7bf8426ac2b48434e74ef8dbd4b2f5df0da

SHA256
e349c1d94ab06dd75fb6ec1c12ce22d5807207eae562da68de99ed8811be8fdf

SHA512
21b479d883db0b4e5271626de713b46acb0d5ac065ed70656e3f31b342301b697ebd4f425c274784a829f53de343424c8723b9dec00ace9cec92298d34a56838

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
211d46fdb12f608ec0aa812f53b37b9d

SHA1
fcf70650deefd9f5d2cde985a05b766c6c4c948c

SHA256
958938707258065f318c8c99035909dadd2fe06574d577c69f490616a33479f8

SHA512
b9dc2c4168ecad282a4576f44bc0c61dc4235a5c319fa58c34aa9df1e07f7badf48b66bc9f29354b9123ae8d36179162816c3b685b631407b5ff2bdfbcba6738

Download Submit
C:\Users\Admin\funshion.ini

Filesize
387B

MD5
f38281c8c49f187c34a3f7a1083fe537

SHA1
cbc9207ae48bedbc74c4776e2c7bafd715c910d6

SHA256
2aad1a30f28d330206cff40ba9593d51fae8d0b36d736334c905cb4ced89692f

SHA512
0985ca038d13624fce6df30a419c1c37caa10b0c7ef9ef9d16eb74d48306a6d5814a0737345abd42dfe043ff292b43968a726fea65fb101ce4bf96514b4e8ab0

Download Submit
C:\Users\Admin\funshion.ini

Filesize
512B

MD5
beead899f4cad6e0355adc19909c563d

SHA1
896a5dfc5e1e58d4de1cbbce76464e2e04499bf0

SHA256
91d84382e99f4124b9dd78ea41aef714e6421f6ae13fecb12ae7dc1732fe2728

SHA512
416ac764a1bfd8d58dbd1e22053514d506c7ab58d5b294bcbafa14ce429c0e771e0d467e0ed4e756b1b8b03f394aa75e20f160165616e591496788c0f6f54f1a

Download Submit
C:\Users\Admin\funshion.ini

Filesize
892B

MD5
c41ace983c0dedfb7008fea994531b64

SHA1
00dc818926062825474ea8181b284dd5926ea59b

SHA256
d2e3c414bffabbbea84d40e774881cc565b36922f16a2e4b6c826f040753dc86

SHA512
cfe6308053b3e82c1d364c84a4a94e3b8d01d3f39e8e260069f82970e439ce5fee18e90008b7001b7eefdc84f488e8a2915231e5a88d74020d3ae03336b009fa

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
57ef0d8b22b51245e24cf089333cac37

SHA1
8e22527471301407bcec43004d26abbf883ce973

SHA256
da0113af95bc3b9c0200e9c329ae6c7798948ac05887492e4538c706240e4004

SHA512
0d90200cb6f8f2e490f7ca3e3ee8c9446cde0eaeba14aed82ea532a369c5e6d8ac1614557af1eea6db8372b25f5d32a49e90971770952bc8e7adcf56954270ca

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
f32802f3081d0caf20ad2be07c27d10b

SHA1
8b84e40b6675aea2fc968ed34d98eba6d0f98a4a

SHA256
5f8088829be90fdcc2a7bf0a9d744fb6039bd27fd101fb2f5bac411d8357b83c

SHA512
0858974863c8b1bd12d2d88e4997edbcf0796d8082622c2de5611c36140c1ce617f134abec8903cb81927c935fdade8cc6d02e2da90eb982e69212b5b9628462

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
61e50cb060dbe899fb0f8bdad94ada25

SHA1
fdf424cb6cf9c80f0f9fa32eb428f7c0503fc6ec

SHA256
9f837c492d208cee9fe186eec25c6e3705dd09d4fcb97596aeafd48b6ece058f

SHA512
17b00634f89822efec528d9d4c2ded4e0ffd13f52ec827819d80b88cc82cf823a2970c52b882c2762bffa3b93a592f6e0076648c5714a7c840502316807969d5

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
06a80101a5c445005154f4b33968606b

SHA1
3824d17d739f892b2da3f269e16e99437fcc5e19

SHA256
18b7b5ce48f2e8376d7386d307cc7809bbd8fd24104ab04b2fb4782f0ddab707

SHA512
3a8220fe0e2cf3660d7a0f55d697f0484d26fc40d411d76a807e5cdd342c6a956217446d703286103dd63532027b1a64ef6bbfc5750ac7a60c11cc6f7dd8118f

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
ac1964cec8b33900b453c42e4dd01f6e

SHA1
cbec55b745ec76de235a053b5232f57af30459be

SHA256
f6e15decf35b38678f43387c80ca308ec92700ab30cecb2f7a86c2b00b575e35

SHA512
6a66c8d81480d55ba0a6481279a27b36af8e288f9af77d905a31f289c169013f8236fac79bfc850846fcb91780c3516126e71c2a88cd0b06fa0112106d86a77c

Download Submit
C:\Users\Admin\funshion.ini

Filesize
1KB

MD5
b050a4b443c29f825703ae6df1f3984f

SHA1
0a3c44ed19b439951254596d14ff5a1c732d8ef5

SHA256
f25252d3a1519ba082df5604772870fe9f156f7c240b834660cca712036f12d8

SHA512
2f385355f1bcac5870885de4b5d34cd369b81c891429ee8bcf5d90fbffd9cc59e095be633c4a21293a23a2a6989fdfdc818800a016db30a092d0c8a801475d29

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
632B

MD5
171188c9500d8db28c6d463d74d1a1ed

SHA1
7a8a24257837f3f9f6a3224093a5493b3d82334c

SHA256
dc85efd7f2d8e65b31e5b84f4e077196cfd8a317e0f5a311c825e313663dde58

SHA512
dbec3ca9f00f8ff0e1269410d2ad392c269b407f4ea8ca5eb2dbe11fb5150ef6037508cf300ca6001085aeea5147b23361f1556729c0e30b308fb094d9c9b0f5

Download Submit
memory/3184-115-0x0000000003050000-0x0000000003078000-memory.dmp

Filesize
160KB

Download
memory/3184-506-0x0000000003690000-0x00000000036B8000-memory.dmp

Filesize
160KB

Download
memory/3184-483-0x0000000003690000-0x000000000369B000-memory.dmp

Filesize
44KB

Download
memory/3184-10-0x0000000003050000-0x000000000305B000-memory.dmp

Filesize
44KB

Download
memory/3636-685-0x0000000000AD0000-0x0000000000B1D000-memory.dmp

Filesize
308KB

Download
memory/3636-709-0x0000000002670000-0x00000000026A9000-memory.dmp

Filesize
228KB

Download
memory/3636-684-0x0000000000A80000-0x0000000000ACC000-memory.dmp

Filesize
304KB

Download
memory/3636-691-0x0000000002370000-0x0000000002398000-memory.dmp

Filesize
160KB

Download
memory/3636-680-0x00000000005A0000-0x00000000005EA000-memory.dmp

Filesize
296KB

Download
memory/3636-682-0x0000000000620000-0x0000000000640000-memory.dmp

Filesize
128KB

Download
memory/3672-897-0x0000000007470000-0x0000000007AB2000-memory.dmp

Filesize
6.3MB

Download
memory/3672-676-0x0000000005FA0000-0x0000000005FBC000-memory.dmp

Filesize
112KB

Download