Analysis Overview
SHA256
fd2cb00c607cf751e0d4fccc2aa67daf2a5c9bee30392862e25d0a6cddaa2d04
Threat Level: Shows suspicious behavior
The file 8fa9719792d0704543e239c4546b05fc was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
NSIS installer
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-04 16:49
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral26
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
91s
Max time network
156s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3452 wrote to memory of 3396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3452 wrote to memory of 3396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3452 wrote to memory of 3396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231222-en
Max time kernel
92s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1312 wrote to memory of 404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1312 wrote to memory of 404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1312 wrote to memory of 404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 404 -ip 404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231222-en
Max time kernel
89s
Max time network
149s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\TypeLib\ = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer\ = "funmoods.funmoodsHlpr.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\TypeLib | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\CLSID | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID\ = "esrv.funmoodsESrvc" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID\ = "funmoodsApp.appCore.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer\ = "funmoods.dskBnd.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "CDskBnd Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ = "IRegmapDisp" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ = "IEscortFctry" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f\CLSID\ = "{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ = "\"C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe\"" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ = "IIEWndFct" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.228:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
| US | 8.8.8.8:53 | 228.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsp3A0C.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\nsp3A0C.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
memory/100-84-0x0000000002520000-0x0000000002532000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsp3A0C.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
C:\Users\Admin\AppData\Local\Temp\nsp3A0C.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
C:\Users\Admin\AppData\Local\Temp\nsp3A0C.tmp\ExtractDLLEx.dll
| MD5 | ba4063f437abb349aa9120e9c320c467 |
| SHA1 | b045d785f6041e25d6be031ae2af4d4504e87b12 |
| SHA256 | 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5 |
| SHA512 | 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a |
C:\Users\Admin\AppData\Local\Temp\nsp3A0C.tmp\chrmPref.dll
| MD5 | 6845d147b88de1f005d9c6ebb6596574 |
| SHA1 | 64523302e2b1e2ee7a31580d2acac852db3c7e45 |
| SHA256 | c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e |
| SHA512 | cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
| MD5 | ed9ea3b34a331b4835876302bb4fe65c |
| SHA1 | 46db0a477a3cd4d6ba2f94cc9cbb93f28f87e5e8 |
| SHA256 | 25f6f0cc23d0637b9007050d428ac1898f382f4ec4969be86aaf0254a0a73c54 |
| SHA512 | 503d045cdb1e7c833aaaf956c717ad240002d38d08f2e003267c3d4b7a5be9e84f6dfec8b849d60eed7e388693db693caf7f8ea6dcba7499fefc9d410ac48f90 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
| MD5 | fe768a6b82ed2a59c58254eae67b8cf9 |
| SHA1 | 3dad9bf5011fb73b9be2fe6c601bb6281a3ceaf6 |
| SHA256 | 3ac3c700060a0487060724f3fd22faf70d5f633e69401641964d7ba4d6e6e570 |
| SHA512 | 3d8caadc61ea127bd0e3d01f35274a2ebfa34a0ac12b0932988300d011347f74a09c2bf3c85e58bfbe5200288c6e6f100b4f08916d23e56d7b52a70130aad14b |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
| MD5 | 10d58fbc734ba8ecc6473211b757c01a |
| SHA1 | 65400d51db01c56bf6c7e493f1d7ce3c9f50bc87 |
| SHA256 | c347dd88829a4a94b2a41f7a73c0f757839ff3bbf63345363bf32cacfaac9166 |
| SHA512 | 5535ae80e924230cc5b30e5fe87bedc6e76d11cea205113fb0b8546cf2f83cc0c03357645961fa4940cae065adcce84e4baf3818b64aeaef3dfe8b51c19020a8 |
C:\Users\Admin\AppData\Local\Temp\nsl3C5E.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll
| MD5 | 7f8be790b6614f46adeafd59761abbeb |
| SHA1 | a1be7d513d40b1a0af1aa1fd73c2c2b6173ac700 |
| SHA256 | b1fa4dacf9656e31588eebeca1f831c72a33d9affca07ede0d5f5d113ec14aaf |
| SHA512 | 4d17c74368543092a8e7604208689bc6a5fc5bcc46c60cfb9255622d031a4265adaa13d7c0b5f410ababed802f29cb89c2dd7d7b1adc1af33fbb5f55e4a8a5ca |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsw3CEE.tmp
| MD5 | bf4c21a39c500967ea2dd99c495176c3 |
| SHA1 | 24e7fc91a55b6a3c884e134ba3d97eb7539ec7f0 |
| SHA256 | 539cf2e89793500b61474695dc847d41f29154775a3bdd8d4536091fa74e5a5a |
| SHA512 | cddd583514abe01d9b5c28e4920f3bec041a63c4cc9419dde285c92405d6b106cae99110f1b3343df9a801a9fa31c6b87eb72c64a6f0b13395896771ce70c5a8 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsl3CFE.tmp
| MD5 | 7aa65f2f71300139697f934d773cbf00 |
| SHA1 | 268d841b90522acbdce412435b64d46f91020850 |
| SHA256 | 90c7f00c89f6f4e0a4b5c221e71db4ab5e0bbf3d25183d3be5bd4ce56ef52823 |
| SHA512 | 2ba1a6100ead99a1c7310a9f0aec3ee98cc6fe8902342898ca04a9479b42b236ba3585e96e753cb30adec852abc1c6db14b3fa5e1f138e2c29d482f12e45c318 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\krjq06q0.Admin\user.js
| MD5 | b1a00e45248c1e363d42259d08fc71d8 |
| SHA1 | 4afc2ce3e515df8eca455a285e07b33ac5fbabb1 |
| SHA256 | d8821be170dcce3acfe26c15f2331e6783eab146f519b96724b0ebef65bfe8a1 |
| SHA512 | 82f3a5e90db6d31a9131418d78a018fb6a708c434f84ae6c5ebe34d502c9b2b2c5a9d179cc77c5243a3e6827c85191ca2b395ab00043c276c52f369cc490ce68 |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll
| MD5 | d5e0f923b3ee640efd6a58ec0c70cbdc |
| SHA1 | 74f62a9acdb9f9dd0580d69450c062ba8870deea |
| SHA256 | 3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281 |
| SHA512 | 471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsg3D80.tmp
| MD5 | 5547548167ef93424c9dac91e6e2555f |
| SHA1 | 95972dfa24168e9ee3440ebbdd1386fea14c21ed |
| SHA256 | 3091a2d9a21f70e818ec9b355f6b743b11c425cabbf97873ea0b9b870ed91a61 |
| SHA512 | c1041046064314b26cc27c494535e77eed9a0222d3b902498cc937ffbbe6fd52c19315203ae3b6f6c2cca202adab66a954c90aefc2d16906320f4c4cc736c833 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsl3DA0.tmp
| MD5 | 46c5b4bc455996ef740caa22048e01ef |
| SHA1 | 21795bc94be8ee1b4b1971a84045dd9319920a5b |
| SHA256 | d77b80caa644e9c22239a3aa40a2b584cd29af53d8c2e77ad71c3e5f0c232094 |
| SHA512 | 7ea063a87b53a4f884035c01e3e07fc479869f7495a98e6f70e90da1a4529e3d477f012e8df3f0e654ac2abd9b9eb7e6dfdb01b45a6c03600df19657116147be |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsg3DD1.tmp
| MD5 | 6089e15ab03fa5f7b0dfed3207d03166 |
| SHA1 | af22f6f8395b91c573a53b5a63051e6177d669c0 |
| SHA256 | 06e9e89b1f3cd76b70eb187e0f3f0ed28daa51a59a98415f1aba9736cdaca2df |
| SHA512 | c68ae79fce55f84e5874074f2190431a28d25d3cc27e0f4dfffa84fef71d8e81f6fc244aa8166bebb634ce7487a2ba616a1aa2a5e501adfcc2c93f504f52bd1e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\krjq06q0.Admin\user.js
| MD5 | 6fc8285f51f266e2b30f7a6afb1eb76d |
| SHA1 | 7d95d5579f1f13ec29bf1e9e81d75f62d193b5a3 |
| SHA256 | bc805bc0555f5fae6f9806db5f6422aeae1c228da2bf46858a91513476165760 |
| SHA512 | 638a45e3e5b8ba952af27e766047a7555bdd658c104de7f0d31d86b318ebddcec95b5b19b779f8b2bf3ac4730b1a119b386e7aa76ef57af4afbb597515ab9f2c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\krjq06q0.Admin\user.js
| MD5 | 4d957165f55fec98cedf199bf344557f |
| SHA1 | da30aa9cfabe5d5edefb1d3aad69ad0684288c5a |
| SHA256 | 061909588a851102653c6903c33f0e09c99164ddc37b99629733346de1fa61fc |
| SHA512 | fc37bdcc1ac937ba6ae5191b21b306038c72f34b94c799a3083b87868a3a638632b9cb98b232cb69e7522ac6df0cfd94ffc69be2b585d67ce67379ba4f63faed |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\user.js
| MD5 | 6e93a5952ef5579d31203bafe6089aa4 |
| SHA1 | 1e86a0a4a6393466f4b0a0b402f38be512cf04ef |
| SHA256 | f90505243b7640d6590e03f0c18f82f2cca42a1ee993b7a2c5175f5d9d0c8bca |
| SHA512 | 488459a7794178f078b37ac8b6ad99e9e8401f01cf7300a57b5d0d872dc9926c3e37c174e60f7b57314203bcf9ae0bad7229e6a3d77ad874d6d2f36fc0b6e3c3 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsh3E77.tmp
| MD5 | 391c4f7cfd3669ae210b44dcdb0df64b |
| SHA1 | 029319c37e8f4524533a0405f482af043be758b2 |
| SHA256 | aeec8f0493d8fa5608211dae64465b6a03ab7f0118b7fddf2f33d432430088a2 |
| SHA512 | 717588413246045ea7e468f13918d594eda26639c0ccdf76adf18fe451d24944943529216641cb189177184d06302a67e4eedbabb7ecc16ab557f7779b006d16 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\user.js
| MD5 | 0a0a5b086b65b131f260011c84bd1037 |
| SHA1 | 94a92df778535560ad058e11f34bbb84da2cf89c |
| SHA256 | 8c50864cba327f0360f759ff7a908b8d6125b7a431df89c094c3c13bcf3a40eb |
| SHA512 | 0ae8aca95828ae9c76486a9cdf9d6770b48556d918b136ea82a9af0ec0b277c00a91f3a9df6be48175df6cd87a2f01bc69fabc61125e3d6a70174759bdf26f67 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsb3EA9.tmp
| MD5 | 4505410d7d3065c7b0fb6966d8d2206e |
| SHA1 | dbb5933508b4bcc1349c4c2b9a0189f4c2a53057 |
| SHA256 | 7dbae04715f91ad0b73fec9759968fe2c66fa4a62879aab5da5fab84ef5d18be |
| SHA512 | dd7b96809a7f0587d323619762f56eca633c7d3c784060024e4d794a0dbafbd9a10671976c17e7bb2d4f614ba6ff0ebd5dc9ea1d5846de02092446963c6063ef |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\user.js
| MD5 | 8df0b2b021b98407f3cb061244c27d51 |
| SHA1 | e49bd0def4b45a7c4eae5dcf9512d69f393e42bb |
| SHA256 | ae6b938ff0fe8fa964393c9c992c9ac31e541e973d00c8c5dc496d6b591d75e4 |
| SHA512 | be27985120cfc36fc9657ec8802763b0eb4efea17659685b740be7f063955f3a29b415a40226903b113052aeb5d9547a36248f180f41bb7b4101837041370e0f |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsw3E87.tmp
| MD5 | 5249059a5de61a7a405e4057d5401099 |
| SHA1 | bdf9330457e7e4e65d9b266bb99799a526d7e6e7 |
| SHA256 | 89936b147f33103ba833fa62f3be2ce322c03976f90f2e588fe97558952361da |
| SHA512 | f771c0b6265f4556d094ac295409e4d23c3f725f34ff533341f54d133686f69c113b61344ef96ce734c8443f69ec618191456e8acaafdc1fe347455ddd78ca99 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsh3E76.tmp
| MD5 | 8367a10b2b73fe60cb07c8f6601a4484 |
| SHA1 | 2473d6b772acddb39ffd909554dc616efea177b8 |
| SHA256 | f3648d1aa461be0946ae9562f6eb5e98ca466798d143cdb04349aadd4b846860 |
| SHA512 | f84782a018c237c866a6016bbc5a1a0689c97596c4ae0603a49694af66a90952332948b9c6190ce38c61add56015d8f011cfcfbf0a7f51c898e007e8eb1f1eff |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll
| MD5 | 12be59f427297e54fef41f9bb32d4233 |
| SHA1 | 0088967a4ed52f491976136c95d43e0e1b06cc31 |
| SHA256 | e4b3df5ead761fe83da367d5e2ae1d416d0f89a572480deecc20c4b4295f17eb |
| SHA512 | 0f8f3826e8a9205771863c042a8386315784927e260ca8617c44f83b5f3f3a501500d6d39ae732da11c0621dbd6c8c6d75ac7af660a46bb70acac9c12991d2db |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsr3D70.tmp
| MD5 | 5834cc02177bf041e2b7d588cf80ec03 |
| SHA1 | 1519d63bb47f3981fccfda29ff7168a65a1f08fd |
| SHA256 | 56015f6cb7bf38078e5bfa23e32cff582d136bd5823f8a740f86345c0271f157 |
| SHA512 | 7e40b078936ae924c2fe83c2922f72813a9f620defe3ad24bf37519c60d2e10c106b58bb6e4d59a472b2f988b6b87d6a07e80c4fbd10c007db2d44baab306cea |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\krjq06q0.Admin\user.js
| MD5 | 2bbed7c9521174d68eb82751901184d3 |
| SHA1 | 5adc5a58175f2cf899695e3c162b31f1dfa04524 |
| SHA256 | 0eebe6ecb1c7f74a5175dd6aef7ea4a605741a54104f26b08f29ed0b763ae7db |
| SHA512 | 0feec3cc87c72b66b5dd53ee42e812b4a392ce7a26c47d31a06554e777271c7075bb4870a1435fde647a4fa7c1418d1eef8f7bbaf2d133fb43a2b7a7631bf471 |
C:\Users\Admin\AppData\Local\Temp\nsl3C5E.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsv3C4E.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
| MD5 | be035c4c63a2d00f32bdc0a3c36bb71f |
| SHA1 | cd7b0ff3a23a29ad2b9627a92072c9c35f22a8c1 |
| SHA256 | b3329c3609aa02d588473e14a5db78965286849f84a50bf8aa7f4645324ad4ed |
| SHA512 | 0bbfcc597656fc90ff168f28e0627c5a9a5724f9396001342b5451ff0203d7cf1201c8a411443be6cee6fcbdfeae9af01280bbbb47120f2c8f7ac90de8f295de |
memory/100-1600-0x0000000003A50000-0x0000000003A62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsp3A0C.tmp\NSISdl.dll
| MD5 | a5f8399a743ab7f9c88c645c35b1ebb5 |
| SHA1 | 168f3c158913b0367bf79fa413357fbe97018191 |
| SHA256 | dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9 |
| SHA512 | 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
140s
Max time network
159s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4340 wrote to memory of 2980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4340 wrote to memory of 2980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4340 wrote to memory of 2980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2980 -ip 2980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 600
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe
"C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.uptodown.net | udp |
| US | 172.67.162.128:80 | img.uptodown.net | tcp |
| US | 172.67.162.128:443 | img.uptodown.net | tcp |
| US | 8.8.8.8:53 | 128.162.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nss668B.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
memory/3660-21-0x0000000004850000-0x0000000004862000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nss668B.tmp\nsRandom.dll
| MD5 | ab467b8dfaa660a0f0e5b26e28af5735 |
| SHA1 | 596abd2c31eaff3479edf2069db1c155b59ce74d |
| SHA256 | db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73 |
| SHA512 | 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301 |
memory/3660-29-0x0000000004850000-0x0000000004862000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nss668B.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nss668B.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
memory/3660-46-0x0000000004850000-0x0000000004862000-memory.dmp
memory/3660-47-0x0000000004850000-0x0000000004862000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 228
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
137s
Max time network
164s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3300 wrote to memory of 3260 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3300 wrote to memory of 3260 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3300 wrote to memory of 3260 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3260 -ip 3260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlDay = "19757" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\smplGrp = "none" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsni = "1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID\ = "esrv.funmoodsESrvc" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlRef | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\dfltLng\dfltLng | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ = "IEscortFctry" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\ = "escorTlbr 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\TypeLib\ = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\bh\\funmoods.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID\ = "f" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.228:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\UserInfo.dll
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\nsisos.dll
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\mt.dll
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\Time.dll
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\Processes.dll
memory/2212-79-0x0000000001D90000-0x0000000001DA2000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\InetLoad.dll
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\ExtractDLLEx.dll
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\chrmPref.dll
\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll
\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.Admin\user.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.Admin\user.js
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.Admin\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsoDA2.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nstDC3.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsdDB2.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyDE3.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsoDF4.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsdE04.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.Admin\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsoE49.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsoE48.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsoE47.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyE36.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyE35.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsdE59.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyE8D.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsiE7C.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nstE6C.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nstE6B.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsdE5A.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsoE9E.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsoE9F.tmp
memory/2212-1584-0x0000000002C00000-0x0000000002C12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsoADB.tmp\NSISdl.dll
Analysis: behavioral21
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 224
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
140s
Max time network
156s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2656 wrote to memory of 4608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231129-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 224
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2556 wrote to memory of 5028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5028 -ip 5028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 604
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231129-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 224
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
118s
Max time network
129s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe
"C:\Users\Admin\AppData\Local\Temp\8fa9719792d0704543e239c4546b05fc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | img.uptodown.net | udp |
| US | 172.67.162.128:80 | img.uptodown.net | tcp |
| US | 172.67.162.128:443 | img.uptodown.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsyC03.tmp\LangDLL.dll
\Users\Admin\AppData\Local\Temp\nsyC03.tmp\nsRandom.dll
\Users\Admin\AppData\Local\Temp\nsyC03.tmp\System.dll
memory/2232-28-0x0000000001DD0000-0x0000000001DE2000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsyC03.tmp\nsDialogs.dll
memory/2232-50-0x0000000001DD0000-0x0000000001DE2000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4468 wrote to memory of 3152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3152 -ip 3152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 600
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231222-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3472 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1428 -ip 1428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 600
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4944 wrote to memory of 1260 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1260 -ip 1260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 612
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 228
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 228
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 224
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2520 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2520 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2520 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2520 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2520 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2520 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2520 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsc65DF.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\nsc65DF.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsc65DF.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
C:\Users\Admin\AppData\Local\Temp\nsc65DF.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlpp4n1x.Admin\user.js
| MD5 | b1c9d23c622a51406665dc62c01e98e2 |
| SHA1 | 6d96252d410c62d20ec32f39a872b2edf9e33a69 |
| SHA256 | 2cc2adbd5a33dd2d2cb2b9d24d671a3ddb930501dc63e386e438c1e7edbb31fa |
| SHA512 | e17d26f914f84ee4644a202337291ef0ff97e8bbc8a68a762233bf98e711b57248785ad7dbf40c6aed91b02ba0bd64c68b7584a935369283b46eaca940051e08 |
C:\Users\Admin\AppData\Local\Temp\nsn670C.tmp
| MD5 | 180fd0af453438d2b82e5d360f9ececf |
| SHA1 | 3ccefd73decfef7ba9eca3746e2f009d43ddd5d3 |
| SHA256 | d1ca34d5cc1f42be9c989c1debb2c3fe65a9b2d4e6a400b47f3350de49b4999f |
| SHA512 | 9e80baeba4976dab6a19a56ae4f2aa54846c1494d34cee6f24e0bd2752ccb6b76881ee149364cd14f1a2437fc4a60aca6f060e913bb2dedcc5acd2dbd7a3952f |
C:\Users\Admin\AppData\Local\Temp\nsi673C.tmp
| MD5 | 718e52a1d6be1cc8509b395a8d6a592a |
| SHA1 | 91f8f416d21852cad8e70243c9bdfb764b9ece6c |
| SHA256 | 7e25cea8f96b5fa6e4fb2476df599d5c4e6864d7215f36f6cb14b2e444861b28 |
| SHA512 | 744286444d3dd90844c66fe5bba10d7718b9a062d200b9707a4d5dbb46bf6974ba137172841a9ebc72683f591e5cf9ed04b533012d20ca7fcde0c8dd204da984 |
C:\Users\Admin\AppData\Local\Temp\nsi678B.tmp
| MD5 | fd6c8feefdc8bfa22cc4ed7e001a1207 |
| SHA1 | d7ae2eaf83bd5bc887316e9f0d7cdc28730ebb0f |
| SHA256 | b2403423d8192df692e3303e97e702e5b25833a3fc49b6fcab781e2d285d5586 |
| SHA512 | 3fa13055bf3187ef811e10fb34b41e4f755e0c1d22c9bf07650bf08707a9d8e7aa01c9971e110e2f12712ab666ba712b27c7be6473805c1ebeef562a21cf3eb6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlpp4n1x.Admin\user.js
| MD5 | 5c5d55e1443ef14f519d144431e218ff |
| SHA1 | 7558b477709271bfa455be2142c0128bb5d2d126 |
| SHA256 | 9e8ca55b0f36e2cd9322c77d2a0b0cf6e10b16bcf5d2652bbbf0afda3f6c051c |
| SHA512 | 3d151a4eec17341737f0238b94422328a78284a936fd0ce7344797271ed8c0698ddca4ebfae06f8477fc285f8dec800a983411e46b78ba4df28ffda93e189cdb |
C:\Users\Admin\AppData\Local\Temp\nsy67EB.tmp
| MD5 | 56a1503a804744597d77c4a355c70854 |
| SHA1 | 17ece3d0b331f208bb419e973ece1b32cdcf97ec |
| SHA256 | c95700f0497469b4dd61bbb4ce6d0169ac8b86bc2297e17e884c5a44e4f89506 |
| SHA512 | e824d8e49c10bb092c8c9fa94c85fc9352b0df2ec0f826b3163f25566946f9cbb1901965cf2580ebcfedb06e7d70a39614f7cbb369dc74413faaa4eab6fb1b64 |
C:\Users\Admin\AppData\Local\Temp\nsd680B.tmp
| MD5 | 1c8929492492a4a6a546d90e36452614 |
| SHA1 | ff178d11dc8c4b4613541dcc275c4e617ffc6e8a |
| SHA256 | af9e13c1ecf82469cb02765da7ca884d96f5f7d8bc7e7f9df81f8060c23bfabb |
| SHA512 | c8a0cf29ab884377f8cd186b15cdbf486f45d2593aa9250264e7535af36763e3263aca7233ecc4a2c618c15f550856018ccfc539461a4e16d04d1c1f429cfc6a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlpp4n1x.Admin\user.js
| MD5 | cb57a9d4fa8359b3f1a9286270076d58 |
| SHA1 | 8ec708f52ec24002eb95d01019a14d2feb99d20d |
| SHA256 | 33e71a70b9840e32de0e0370181f40aed64e5cd51328f4c79bca3384b2425e0f |
| SHA512 | ae21c426490e53f203cd2161db758ab4e3d805c0e7304066613f4e27490e2bcb86f062eaf8ad5576a2de59d259e4ab46d818222038ea7821b0c4ae2682c1c252 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlpp4n1x.Admin\user.js
| MD5 | 9df8912833d848bba5868b4f6553a278 |
| SHA1 | 4cc3161616de3f119bdc3903a9ddf91012dedc87 |
| SHA256 | 71f5ae1f999ac82d7a534f89ed9dceeda047c71d73b2f2b4673792ef16909107 |
| SHA512 | 6bdc593cecce2d4f01ed07b205122e4643e82f4409b7e2a9b3b0a14b8b68283df6747ed08284391e9f0f134032478deef9ab826cdb07c175e5b7969d3252e349 |
C:\Users\Admin\AppData\Local\Temp\nso68EB.tmp
| MD5 | 2d306fb7be8000158ff6be23611b808a |
| SHA1 | 2ab36b9240191c41b1edb540b59b160c5e30be3b |
| SHA256 | 8d710396991fd7bafa4f13f7c1bf148d09b7254dcf0e1d2d246ccde3da506880 |
| SHA512 | eced556e0c340b70a2fec67c174390e959a48df90664b73f6c0c6056b84e7f0647823e73ac9099883c3bc797b790df12e5133d6ff7631e1f72597c1b7ce073bf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\user.js
| MD5 | 4d6dff940b7281903cab136ee933bd12 |
| SHA1 | 8e29bd0ea6f36deb72e56ef049171fd8196cef02 |
| SHA256 | 97dcef51fcff72bade73984593e54b357116d39e8645dcd061c4615588a2dcb4 |
| SHA512 | 29f9ac54dacb9463ae8bb5f9bf795f4ddaefcdc8969485fa9f5134f497a424bc1e5a8ff6833d37f4799dcb024ead27e2f39b08ca0df3eb1598cdde9240be89e1 |
C:\Users\Admin\AppData\Local\Temp\nsd6998.tmp
| MD5 | 8cc6452e850a8e1d0339bf2618177e75 |
| SHA1 | c6bdd9b8a86b3171ff622b6625bccd419677ff31 |
| SHA256 | 2c6a66169f4e91de638900a80c295c0ae0ae3c7976e6ff8bb449707a78e3a45d |
| SHA512 | abf38fc2281240c17723b41ca144bc83d4955fa4795febf70edf6819ec47eaad58dd93036f75d4624195e222f5c10dd0e5f7406bc3aed6926776ac7ea8b5b342 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\user.js
| MD5 | 823d0e37e8380caad4df2b7194748ae5 |
| SHA1 | c8b68e67fb0ce12c3bf762aa12ca3e8b64354d69 |
| SHA256 | 6d093ed1cd986fb0de259a8fd3b7636145804f2d881a7bcdda354b59e2e054f3 |
| SHA512 | 5cd1bb066011bb7103969b1df2d05dfc2c16e2f97e1dd11f601ebb443f1c17abe666294b5ff19e195f59edf82128b645b664c2f15b2020376ee920d88559afb0 |
C:\Users\Admin\AppData\Local\Temp\nsj69BB.tmp
| MD5 | c9f6532768b8ca55799f110a3bdbaf8d |
| SHA1 | b94f312720b55e63e1896998fb6332c3a3547436 |
| SHA256 | 6f6d9975e2547fbcc45f2975693f03d20fdb4e2f939e60a66bdc5a969fab6f77 |
| SHA512 | 910b67f863e383efb14c300c76f0bdfbdac3237967c5ce3500c82ddbfb1ac3071dcfb8cdc238468377835ffd347536f3c5239330d0b70d93d60f7c653eae1342 |
C:\Users\Admin\AppData\Local\Temp\nso69DC.tmp
| MD5 | 11dbaf06acb6b146c476005a969bfdeb |
| SHA1 | 72d15eb58cf394723198b5e14a9fd2c8629bf516 |
| SHA256 | a95d22b584c1f23519ef2b3e9ad4a9c50d81f9249737ef717625125b28588c1a |
| SHA512 | 9b4f13d0e5f189c5e4ec955f438096843cfbc1942087c9d010ff42382741a3f4b8adafa3df0b25dd190ee29af5aada69218625873999e5b6f3e694edd03d62bf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\user.js
| MD5 | 27802ab75f5e987ea5d9cf13bd57dab5 |
| SHA1 | 00325cdcaba60d5e9ad16cefabec08de0675c984 |
| SHA256 | 4b129fe7e22573a89c6ef9ecfc33ec75d4feaca47a27dcf0cc86f72fc2eb1691 |
| SHA512 | cafb6e5605c1a59561e607649c23068d9b3303cff6a6c4f99eedd05487c5dd8b4c5b43fe473318dcae4199984c59e0671256e8ec9157789d559287bf22f629e2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\user.js
| MD5 | 0e108918b85c38c905422635bfa12943 |
| SHA1 | 660b35431674cff7c4e0ba8122506675013763f5 |
| SHA256 | 6512ee79eb3556739c0635808ab7d65b7594d1baaee6b85352b83196a69fd806 |
| SHA512 | 45c5f1847fdeb80308835da4381c8aa6788eb78d51710c63e1c58915b330319d295af35a91619f78392c2825bb6ce4c7e334ad33a554b4baf1a1beab36822f72 |
C:\Users\Admin\AppData\Local\Temp\nst6A4D.tmp
| MD5 | aa0339921924526249500ab4eb6a1990 |
| SHA1 | 569fcd45d59bbbb7db89097a57a8f0656fe407da |
| SHA256 | d68c9f1b1c48416c17010a953849c27e7a79694df4be81674946b41c0d11c5a8 |
| SHA512 | 0d67a07c69441e0856439fa576d7559d446c3b6d6b2e0165d85e01441b9e3d50ae45475de486575584061d403cc16ca73f3efb3439d9d8c53a8b19952de4b3f6 |
C:\Users\Admin\AppData\Local\Temp\nsj6A5E.tmp
| MD5 | 30dbc329cdaa4e740e238b940e75c3c0 |
| SHA1 | 64b71912a7d6f4cfc05fde8944f0c29327418d3f |
| SHA256 | 209b38c8ce14f31db12074182829fa2949223b8e10ac4f447fcfe97efbc26068 |
| SHA512 | d18c7232829e693256b0d3942111dbe1dcd1fd6c03cf04d9687df4f5290f9755ae71e18c6bd34cdbee3ab63cf7f6120615103b5f54a98a22330bf726486d5194 |
C:\Users\Admin\AppData\Local\Temp\nso6A7E.tmp
| MD5 | a29437f9a54b038545c0a4f508f577e3 |
| SHA1 | a2a08ca33997a838254d794149227f4976b01b88 |
| SHA256 | c5dd85e676ca02cb1ce5b95dd02b7146e8b18fc56df5d9713cc91654d037b678 |
| SHA512 | ba0e3a6a7dab51268f6ca0fab1df4ae824c655af8625ab7a46f254bb05ed57a2f4fdf1ccdbbb58afa8842ce9c33fdecd19ba628d774d34e72b65deaf78f77269 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2144 wrote to memory of 3348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2144 wrote to memory of 3348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2144 wrote to memory of 3348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3348 -ip 3348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 624
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
Files
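The Network tables in this report mix two kinds of rows: direct TCP connections (Destination filled, Domain empty) and PTR queries the guest sent to 8.8.8.8. Added example, not part of the sandbox report: a small Python parser for these rows that reverses in-addr.arpa names back to IPv4 addresses, normalises rows where the page extraction shifted "tcp" into the Domain column, and keeps only PTR targets that are corroborated by a direct connection. The sample rows are copied from the tables above (the first listed run and behavioral30); treating uncorroborated PTR lookups as background OS traffic is an assumption of this example, not something the report states.

```python
import ipaddress
import re
from dataclasses import dataclass

# Rows copied from the Network tables of this report (first listed run and behavioral30).
# Column layout is Country | Destination | Domain | Proto; the last row keeps the column
# shift seen in the page extraction, where "tcp" landed in the Domain column.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


@dataclass(frozen=True)
class Connection:
    country: str
    dest_ip: str
    dest_port: int
    proto: str
    domain: str  # queried name; empty for a direct connection


def ptr_to_ipv4(name):
    """'81.171.91.138.in-addr.arpa' -> '138.91.171.81'; None if not a valid IPv4 PTR name."""
    m = PTR_RE.match(name.strip().lower())
    if not m:
        return None
    ip = ".".join(reversed(m.groups()))  # PTR names list the octets in reverse order
    try:
        ipaddress.IPv4Address(ip)  # rejects octets above 255
    except ValueError:
        return None
    return ip


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row; None for header/blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    if proto == "" and domain in ("tcp", "udp"):  # protocol shifted left by the extraction
        domain, proto = "", domain
    host, _, port = dest.rpartition(":")
    return Connection(country, host, int(port), proto, domain)


def extract_iocs(text):
    """Split rows into direct connections and a map of reverse-looked-up IP -> PTR name."""
    direct, lookups = [], {}
    for line in text.splitlines():
        conn = parse_row(line)
        if conn is None:
            continue
        if conn.domain.endswith(".in-addr.arpa"):
            ip = ptr_to_ipv4(conn.domain)
            if ip is not None:
                lookups[ip] = conn.domain
        elif conn.domain == "":
            direct.append(conn)
    return direct, lookups


def corroborated(direct, lookups):
    """IPs the sample both connected to and reverse-resolved: the ones worth pivoting on."""
    return {c.dest_ip for c in direct} & set(lookups)


if __name__ == "__main__":
    direct, lookups = extract_iocs(SAMPLE_ROWS)
    for c in direct:
        print(f"direct  {c.proto} {c.dest_ip}:{c.dest_port} ({c.country})")
    for ip, ptr in lookups.items():
        print(f"ptr     {ip:<16} <- {ptr}")
    print("corroborated:", sorted(corroborated(direct, lookups)))
```

Run as a script it prints the two port-80 destinations and the reverse-resolved addresses; 138.91.171.81 is the one address that appears both as a direct connection and as a PTR query across these runs.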
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 228
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231129-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 236
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
93s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 432 wrote to memory of 4732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 432 wrote to memory of 4732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 432 wrote to memory of 4732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4732 -ip 4732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 53.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3120 wrote to memory of 1472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3120 wrote to memory of 1472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3120 wrote to memory of 1472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1472 -ip 1472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231129-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsd7DE.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
\Users\Admin\AppData\Local\Temp\nsd7DE.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsd7DE.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
\Users\Admin\AppData\Local\Temp\nsd7DE.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\user.js
| MD5 | 4334157ad7d88e632243b799d5140615 |
| SHA1 | bbedeca300da3dc17ca1d91131dae7c845364056 |
| SHA256 | 343282b37f7f4322f68212f46f34d68f4d5e4ecde7ca5853876a11c9ebe3343e |
| SHA512 | 0021ad96ff2e18b3accaff5025e94c04c45378bc37e4f7ae262034ccbcf90e310e6312ee0f67ed4f963381601077fc6d9bc2212c6d0d64f1b119557a84db11a3 |
C:\Users\Admin\AppData\Local\Temp\nst88E.tmp
| MD5 | 9eb0eb41b49d58ede28de452d27fca02 |
| SHA1 | 2cdf8748b76f09f4847fbf88ac04ba4aae3cd09d |
| SHA256 | 7bc588765a400eaf24ff8ed5d7eedefb15530a3b4627f84d7063c505d906013b |
| SHA512 | 7adea8958d7ac3f2c893771240b69cb89b421cb873bddb088f05a16f331df1f4843f10933d043a96c1ebd928d978788d4724d1647ffa68aa458b4811db556043 |
C:\Users\Admin\AppData\Local\Temp\nsi89E.tmp
| MD5 | f98c691f211671767c7903223a1d6b85 |
| SHA1 | 9fb11afc626480978d618beefe50d7861ef3d4d4 |
| SHA256 | 8b33e7f48e6c277bb6756971a37a31596d2994d493496fe2111c70ea6be7f25f |
| SHA512 | 4125a514a7de4008ac2a2b23a77a5ffa32f9f74805c9b174806e52cccec5ec540b1484fd76d36f3b3adbfa1e0fdb8d1c7bab09eecb4ec968c9f954dbeaf92d87 |
C:\Users\Admin\AppData\Local\Temp\nso8BF.tmp
| MD5 | 1cec8ff3235fd6ac532e19037bb2c0ef |
| SHA1 | 11ade71dd27409df9526bccf4eb37247ec1b2fce |
| SHA256 | c1a2a2e23a366313aadab46eca61784f5f8c7d381d00860e6b10ef44b09544f4 |
| SHA512 | 32f411503002f96d94cd1a6bae2b6d0b162be07650857d95cb3bc85b088e7a6be802e615fa0611a3c709a604be3af215be3e315d11423b42afb95e81ff92e9ec |
C:\Users\Admin\AppData\Local\Temp\nst8E0.tmp
| MD5 | 755a9d1824ac1541e12a5360f8134f9c |
| SHA1 | 6d7a156b3eef692994d26db63a923434a8b7f3a6 |
| SHA256 | e675b4b28b1984647cf05639c8ff2df9669a52b916e681414d41776a867dd8b4 |
| SHA512 | 9c62ffa640f348f56e62dba7ec178183dc1ab6ee6f3414de90ec33a2e479a74bb729af2d359d9c04888f462bf8307a9cc92eaceb54be6ead981f2b070fefa777 |
C:\Users\Admin\AppData\Local\Temp\nsi8F0.tmp
| MD5 | 88811edf8672e2705fb0e11df8c0c164 |
| SHA1 | 31ccb974879c422a96606354d32c5f0a10ef1e77 |
| SHA256 | decfc0ffe02980a1b4995648e59eeb72fba04b7ceda82ad16393f9a76ed2f797 |
| SHA512 | ca04521eed6d4de335abb0a69ff3718f4e21e2491fa8e9e6ef84c796546ba17bf36295645288685c5b69995fee1dd18ccd5e5225590340754c6010149175cb79 |
C:\Users\Admin\AppData\Local\Temp\nso911.tmp
| MD5 | 22d7353ea9118e85cfeec0d341cc4f28 |
| SHA1 | 2eddc36a457f80d04cfd029b87b8e5755a8383c0 |
| SHA256 | a68b7aeed582ac0025002ac3087322087820792ed4f2946fe66e096fb2f77aa9 |
| SHA512 | 18c1b46fe11fd14e9c14fadab26646a7ccaefe72090c6bf8b5850f5b60505c08051aaaceeafa85fd2f0afbfb173c04f41d20b1504e9983a731a950e7f5fcf0b0 |
C:\Users\Admin\AppData\Local\Temp\nsd921.tmp
| MD5 | 1feeeeff7a189fb24b2ed2ebec203234 |
| SHA1 | 35d8958cb9db3d47008dae0677793677008bcc86 |
| SHA256 | a403c871fd9bff63f13c478e3e68f534842ff0f44b863519aa38577da95e5229 |
| SHA512 | f182ce10f2598aa6ae2005b21c64d3157a268e62eba2a87da2035bfea2c3d5774059bc88a375740fe58789afea9cedb71832d0771e6fc2b6c07064b4610f06aa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\user.js
| MD5 | 696d0df31cc5ece78623d32a05997a4a |
| SHA1 | 58f40fbf47c61e552db8715be09a030d7052bcd7 |
| SHA256 | 748d4cd7b7ed9178e26acbe7ef4d47a6a3356523cbbaf168a8b2551165f26bbf |
| SHA512 | 2caa53e8305592c8da4358ea1b5a1f9064083d26201712418e2df253f059394ab139f9f11b607dc53b44d86b145e0b6d8898f0646b3d3afbd0d83908913845ef |
C:\Users\Admin\AppData\Local\Temp\nso962.tmp
| MD5 | f7ccfecdabf7c994884fa40ee9928ab4 |
| SHA1 | e71598817a75af9dd660ee66ccdbc10c46c17397 |
| SHA256 | 7536d33370906b212c21f7ec9956a27c1eb8a1a02af8fc2950eedd87127f5b42 |
| SHA512 | df83e8946a6e407f09f9e5560a51bf715eec5a1cedb7c53b364f2a16ada7a70e382976b5d26b42a1d954d327e8c0ece57a82de74ef84f27cc0cc3264c496f37c |
C:\Users\Admin\AppData\Local\Temp\nsd9C1.tmp
| MD5 | d66b7c36887a3a1f869cd8b637cc43b6 |
| SHA1 | 2e7ad1e83bbe8ae41a119efcaaede2bc82e9d8db |
| SHA256 | d7516cb11c81e5ef2e0c7cffa7175c3a7f36f945e788a27024fdc79443fdda45 |
| SHA512 | 155ba55e437c52f3f53d27750fb8365f3489c08a00a8a842610d9d2687aaa067add493273caf5b49fe4bff39eca917eb3f4b4bcb58537119b3ce82e3ed40ceb8 |
C:\Users\Admin\AppData\Local\Temp\nsd9C2.tmp
| MD5 | 6d6ceaa3b759c67e2a3df7f03502790c |
| SHA1 | d2fcb5722fc94dd8bb03a7dbf383e778c52570bc |
| SHA256 | 88e9452df1cb01b7383e20bea98c1fc4402de0bceab799dea021632cb2b8147a |
| SHA512 | 569d8104c34cceb9e354d1f27c161f5377d1d8cbdad01bcb15c8ba4cae5fbdc2e214e0581c75ccc2667d2e9507dbd2c1344c147c8626102631c03e97c5c2244b |
C:\Users\Admin\AppData\Local\Temp\nst9D3.tmp
| MD5 | 753e040a2cd174a9b0384835966e9b4a |
| SHA1 | af5ebe3795f3142f1342ba96baf2d25e82c7d8b1 |
| SHA256 | c1f11382b48063d08865e3f6b607ef563015d4e795526ed75d6b9536c143a2b4 |
| SHA512 | 710e0b8a67450783a43a7df9a3f151ff90d65548c1f3d54bcb17ad28d85d20f13f822adffe0dbf04befda081c3dee9a0e61290c3c8127bc13c314874a3f6caa6 |
C:\Users\Admin\AppData\Local\Temp\nst9D5.tmp
| MD5 | 8cf8d21c5231ab97e59a7a8cfada4e15 |
| SHA1 | b1f286cc12991c4d91c83840a8d872ee962943c9 |
| SHA256 | e217c04c0abb6822e23527994c843ae98ebc39b0212cf6cb7e66ae833a79de54 |
| SHA512 | e2974b57b7e265c200317d4f124532cce57210012e519316babd6736c5caaa355d6b70bce0ec161b6364de55abdaccb962d6830dfb65fa1b893e267f2f5bf56d |
C:\Users\Admin\AppData\Local\Temp\nsi9E5.tmp
| MD5 | 095aced55997d16a64d8e8ed9b409685 |
| SHA1 | d6a123bab87054f678f72f0d548edd1fc9b0a8bb |
| SHA256 | ae964d05e67fb8315072a3d7c2c85ef5874911bc2d97b99133be0825530d60c5 |
| SHA512 | 596bd3bdaaa1517a57525902c8cc366a5f1da7d46a7e5779215172fefd15dec6d8dfd7453c76155bc9ce2d13b918e0408d2d7f422ac472b4bda7a1da8f842200 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\user.js
| MD5 | 846e35e4173c95ab9bd64c7a86330719 |
| SHA1 | 2a3ee9900fe67ec18d84ffce892c92962f22b69c |
| SHA256 | 5659d391be8aebb4d03df9b7bcce1eaa23503011c66c20add8bb0b31fef6e152 |
| SHA512 | ee52133ed67f0a09663d93374d28f3cdb41b9d80121c54b3ec2f1211935fc0a4f1a9e8d473b220ea7393bfc9cd22ef16b02639c6d0086906b2c5c629137efa8f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\user.js
| MD5 | f207df3ed104e047043ad40137bd2464 |
| SHA1 | 4833c30bd317750e2be8414eb3392f2827841219 |
| SHA256 | 47f1807337aad9eece91642dd88194fbe6f48e2f3f319ad2c19be84b98ebfb28 |
| SHA512 | 581f45a842fa4586d302cef4c2d1aeaeeb0a0a82877f255dba2df27b67e86b850048f5a225f822aa96d4ec86168f5875813d8443a23cef1b5263440700502531 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\user.js
| MD5 | 5f8d45256e4109595182f99b792c9624 |
| SHA1 | e7eb829852f8d12c546d183d960c7228d7b2ec83 |
| SHA256 | 5f73d2ba93aaf62cd516803dbe388eaf95dedb312202335a96a167226a811599 |
| SHA512 | b351e8e6d0f5984f5b904e29e18a34e697c6580b9d6192f6ebc46a9f8b352f397d5b7c50806707e7f856671bf9b04ef36c6eb883659fed9fb4b06165ecf1820e |
C:\Users\Admin\AppData\Local\Temp\nstA2A.tmp
| MD5 | 005c6a04e62dac8119b07da481b2bcd1 |
| SHA1 | 09c5ce1664cbc1eaea25e789ff0e1d2d6e9e6021 |
| SHA256 | 078e3b207ff862510c73500c45492673085d371943efe43209c03c656c65f3a7 |
| SHA512 | 951283b085048569669c7a1fe873491c3c76ffd6e76b05c1d3a4e91087986ff24f0b7660d4220c41149c962c49cd841845f109fabd7c87c0e836670c369c5d6a |
C:\Users\Admin\AppData\Local\Temp\nsiA3A.tmp
| MD5 | dfa2f7292eacbabf79e5bfd7e796c4f6 |
| SHA1 | d369891bcabf20cbc7c72ea77279ff7a4d53ebb9 |
| SHA256 | 2165041c264eb2cc1487c7e4bc1d1dcd27e3a72db6add3029470873fed120469 |
| SHA512 | 2b8af8ff1daa38803dbec1f370a9eb69a415a7b2e26a7e8d32705cdcc1100145770392290979ad6e744d52a033bc2d47ff7fe1a6a01d96e91e8e7bb6064f7fc5 |
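Added example, not part of the sandbox report: a parser for the Files blocks above (a path line followed by MD5/SHA1/SHA256/SHA512 rows) that builds a SHA256-keyed index, so the same NSIS plugin DLL dropped under different temp directories in behavioral28 and behavioral27 collapses to one indicator with several paths, plus a one-pass hasher to check a local file against that index. The excerpt embedded below is copied from those two sections; parse_files, hash_file and match_file are names chosen for this example, not tooling from the sandbox.

```python
import hashlib
import re

# Excerpt copied from the Files sections of behavioral28 and behavioral27 above: the same
# NSIS plugin DLL is dropped under two different temp directories, and one path has no drive
# letter, exactly as the report lists it.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\nsc65DF.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\nsc65DF.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsd7DE.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}  # hex digits per algorithm
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files(text):
    """Build {sha256: {"paths": [...], "md5": ..., "sha1": ..., "sha512": ...}} from Files blocks.

    A block is one path line followed by '| ALGO | hex |' rows. Blocks whose digests have the
    wrong length are dropped: a truncated hash would never match anything and only adds noise.
    """
    entries = []  # (path, {algo: hex}) in report order
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if entries:
                entries[-1][1][m.group(1).lower()] = m.group(2).lower()
            continue
        if not line.startswith("|"):  # any other non-table line starts a new dropped-file block
            entries.append((line, {}))
    index = {}
    for path, hashes in entries:
        if any(len(hashes.get(algo, "")) != n for algo, n in HASH_LEN.items()):
            continue
        rec = index.setdefault(
            hashes["sha256"],
            {"paths": [], "md5": hashes["md5"], "sha1": hashes["sha1"], "sha512": hashes["sha512"]},
        )
        rec["paths"].append(path)
    return index


def digest_bytes(data):
    """All four digests of an in-memory buffer, keyed like HASH_LEN."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_LEN}


def hash_file(path, chunk_size=1 << 20):
    """All four digests of a file in a single pass, so a large drop is read once."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_file(path, index):
    """Return the report record for a local file, or None if its SHA256 is not in the index."""
    return index.get(hash_file(path)["sha256"])


if __name__ == "__main__":
    import sys

    index = parse_files(SAMPLE_FILES)
    for sha256, rec in index.items():
        print(sha256, "dropped at", len(rec["paths"]), "path(s)")
    for arg in sys.argv[1:]:
        rec = match_file(arg, index)
        print(arg, "->", "known drop, first seen at " + rec["paths"][0] if rec else "no match")
```

Keying on SHA256 rather than on path is deliberate: the NSIS temp directory name (nsc65DF.tmp, nsd7DE.tmp) changes on every run, so a path-based indicator would never match a second execution while the plugin DLL contents do not change.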
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2780 wrote to memory of 2676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2780 wrote to memory of 2676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2780 wrote to memory of 2676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2780 wrote to memory of 2676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2780 wrote to memory of 2676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2780 wrote to memory of 2676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2780 wrote to memory of 2676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 228
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win10v2004-20231222-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5096 wrote to memory of 1752 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5096 wrote to memory of 1752 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5096 wrote to memory of 1752 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-02-04 16:49
Reported
2024-02-04 16:52
Platform
win7-20231215-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 228