Malware Analysis Report

2025-01-18 21:29

Sample ID 240321-xnrstafd86
Target dc600d29ce64dc8a5a9bf45abe4ce276
SHA256 78f79e2867747864fa6438dd488e3cd50bbebef1eeff09a6deacb73c0504b931
Tags
upx adware discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

78f79e2867747864fa6438dd488e3cd50bbebef1eeff09a6deacb73c0504b931

Threat Level: Shows suspicious behavior

The file dc600d29ce64dc8a5a9bf45abe4ce276 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx adware discovery spyware stealer

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 19:00

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240215-en

Max time kernel

118s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc600d29ce64dc8a5a9bf45abe4ce276.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc600d29ce64dc8a5a9bf45abe4ce276.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc600d29ce64dc8a5a9bf45abe4ce276.exe

"C:\Users\Admin\AppData\Local\Temp\dc600d29ce64dc8a5a9bf45abe4ce276.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 img.uptodown.net udp
US 151.101.3.52:80 img.uptodown.net tcp

Files

\Users\Admin\AppData\Local\Temp\nsd9B2.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

\Users\Admin\AppData\Local\Temp\nsd9B2.tmp\nsRandom.dll

MD5 ab467b8dfaa660a0f0e5b26e28af5735
SHA1 596abd2c31eaff3479edf2069db1c155b59ce74d
SHA256 db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73
SHA512 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

\Users\Admin\AppData\Local\Temp\nsd9B2.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

memory/2616-21-0x0000000000710000-0x0000000000722000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd9B2.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

memory/2616-35-0x0000000000710000-0x0000000000722000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 224

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240220-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3252 wrote to memory of 4456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3252 wrote to memory of 4456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3252 wrote to memory of 4456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 72.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 128.227.79.178.in-addr.arpa udp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win7-20240221-en

Max time kernel

120s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2464 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2464 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1652 -ip 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 13.107.21.200:443 tse1.mm.bing.net tcp
US 13.107.21.200:443 tse1.mm.bing.net tcp
US 13.107.21.200:443 tse1.mm.bing.net tcp
US 13.107.21.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 1896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1932 wrote to memory of 1896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1932 wrote to memory of 1896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1896 -ip 1896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 47.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

166s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 4764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1696 wrote to memory of 4764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1696 wrote to memory of 4764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win10v2004-20240319-en

Max time kernel

142s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 632 wrote to memory of 4480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 632 wrote to memory of 4480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 632 wrote to memory of 4480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4480 -ip 4480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3680 --field-trial-handle=2256,i,16750283575152780128,2524258836761969159,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 13.105.221.16:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win7-20240221-en

Max time kernel

118s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 228

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 224

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 224

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ = "IappCore" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer\ = "funmoods.funmoodsHlpr.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID\ = "f" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\TypeLib\ = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\ = "funmoodsCmn 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsEng.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID\ = "esrv.funmoodsESrvc.1" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ThreadingModel = "apartment" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsni = "1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CurVer C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID\ = "funmoodsApp.appCore.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\ = "escorTlbr 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\TypeLib C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2156 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2156 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2156 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2156 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2156 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2156 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2156 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 1860 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 1860 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 1860 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 1860 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.228:80 reports.montiera.com tcp
US 8.8.8.8:53 r.funmoods.com udp

Files

\Users\Admin\AppData\Local\Temp\nsy317D.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nsy317D.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsy317D.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

\Users\Admin\AppData\Local\Temp\nsy317D.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

\Users\Admin\AppData\Local\Temp\nsy317D.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

\Users\Admin\AppData\Local\Temp\nsy317D.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/2156-79-0x00000000003D0000-0x00000000003E2000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy317D.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

\Users\Admin\AppData\Local\Temp\nsy317D.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

\Users\Admin\AppData\Local\Temp\nsy317D.tmp\chrmPref.dll

MD5 6845d147b88de1f005d9c6ebb6596574
SHA1 64523302e2b1e2ee7a31580d2acac852db3c7e45
SHA256 c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e
SHA512 cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606

\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

MD5 ddcada8c66d56df6e4ef2bbedf2bb865
SHA1 059a7f8bb8ed2e99d5153d26ecf986e91c24df19
SHA256 abcde03656f4c6f51d4d4c788ece555581b8c7b52bfe1c18ef70678cb3a2e872
SHA512 63a3ca5d733cef71cc4ff61d6b5b3dd74613d57bac2b5d41efffbbf64ab6031bde66c0cd7058bf50c047e64e4ee0ef87dff3c7864a18c118521f5711ab69cc91

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

MD5 fe768a6b82ed2a59c58254eae67b8cf9
SHA1 3dad9bf5011fb73b9be2fe6c601bb6281a3ceaf6
SHA256 3ac3c700060a0487060724f3fd22faf70d5f633e69401641964d7ba4d6e6e570
SHA512 3d8caadc61ea127bd0e3d01f35274a2ebfa34a0ac12b0932988300d011347f74a09c2bf3c85e58bfbe5200288c6e6f100b4f08916d23e56d7b52a70130aad14b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.Admin\user.js

MD5 932afceecca0f561b4e0f29491e3b257
SHA1 53c1b432b9da63c06059159d40131c5957888ea0
SHA256 85698e970c70dc74c7347178968580b98732db236b8ccb899e35fb2a5a3eb597
SHA512 99f6939a6c152f77c568c563ac39b55c2c173ebc761b2f088a29fdf57040b2b096b32ad6cfcba9d20d641ab29d1b287eece772b2176b0cf47d9f5927aaec002d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.Admin\user.js

MD5 4b3e5da7063f6a041143af6699151edf
SHA1 16d3051cbf8b5a0126f7d54960ff00e02e09f0e8
SHA256 77b5d6e459667a12cc68b414e923ee634b98db9f0278b380c271b07a412c7a0c
SHA512 e443e70d2d75a4548297138b8246f118aff1c61cc5c03848033d138def835f43360c2d93522e7267e714a33165a2cf807629be1317562bc52680f51c505dbb79

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.Admin\user.js

MD5 714c2665395055d8ac1dd19811f94e43
SHA1 a10d97ced2fa7d159e926b1e6b25166b6e88d00a
SHA256 6d180913bae817a79bb5a392d6eda8ee9b25261db39176da6d2743a0cef85971
SHA512 1877af22b9198fd74791d08611a9e628970ebbc514b5bd48194aa85b82ea79477205e2a8e53b291a0141880be3780c00a71b665202ce1462c9fc2da81f40e1f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\user.js

MD5 61c3005c21c597ea81ce78b4f7fa1eeb
SHA1 1cb48b7a44f23445ca5c6ddfdea68cefe56b8fd8
SHA256 fd5c2bd234e0ff632b3bad6b309235add9271b7c37935948e156065a0cd3e2e0
SHA512 1144716d67eafe3e2f8395cd065a13468dc0ac6f1eba32e95e6650336cd755eb3baa8d4818b7828b29ab306679096d5fef39434fdf8b474a277e47f2580c9f34

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe

MD5 673e6109fbc2405238429562ae058f37
SHA1 293a96724fc0e772706f108895db321b58051524
SHA256 4dae85611b9fd18f44c36f330762ca7dae3842604999d6a5edd3d416b4ab0841
SHA512 0d1db02c84d2a7502af966886889a63467fdc310c25076cd1629064f9dc5bda63248ea2cb34757f9e93e341cd89833979c8bdfffab2d09c722c3a20cd244f4c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\user.js

MD5 e98eb686000e345817b7ab51d2e42cb5
SHA1 d3145bafcb225ed595c78590906f9c242bbd0c3e
SHA256 3603ce01251306d9af3d4409b1768529f9db24880a0a3ed8b69f7a64a618bf49
SHA512 8b2a2e886c2cdc9e41df2063ef4d4179cf79e32445e9c51ead682a6dd7d72b063b8a312127de719cd4b2f13ebd89b2743cb8b6594fe72ac4c497fb138743aaef

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd3647.tmp

MD5 52d2fdb879d78cb97033ac563fcc94cd
SHA1 7aedc3511c73c806219ea3dc987398fdba8082f7
SHA256 4b5788abaa5f5e4d92b5ecd2e4818b8998eb6f0f687b2f2130d29b8954b4cf2d
SHA512 c145427df37b0d63df7e961fe5ad07b6f910a769f3029ea13ea0b763070db05458969a30b75905162822ceb166f1f2b89fba1e82029a803b4ac25304c469d6b6

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst3659.tmp

MD5 db63eee0e5495e78120e7fc8e8a6ca66
SHA1 937a9bfd3b02a410815f3778c2b05fbee8c03d92
SHA256 9f9d3463d5b608ce2a9fb5c772e2d77b6a27e896d4107d33c3fc3914fbc705da
SHA512 d47f8bc8c7ed9c5fbce31ba3a1477c5af86b96be7a352afc987bf75be1f4e50ceba5d20eedfbfcb20668d07b8f9391b130669aed2746824516ebd5e9a98a4fe0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\user.js

MD5 02ea6b845dbacf4f48bdd82ed7f6b269
SHA1 61e4db5a673c9ddf58f20f1e9e3ca92d5a2e2027
SHA256 04ae59d4582d1e129bbf498b843ff2f4621398833b524ff3c349fad77b4b2da1
SHA512 17eaaf02be26c970ace4b22ddb543fd581405ad24002b44946b60420c7d28967ff29a1e28665c91256ada3289af8bd79d5331e00cb514c17ace18e14dfbc74b3

memory/2156-1584-0x0000000002C10000-0x0000000002C22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy317D.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 1176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5064 wrote to memory of 1176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5064 wrote to memory of 1176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1176 -ip 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 128.227.79.178.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 228

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240215-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 224

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy50CF.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

\Users\Admin\AppData\Local\Temp\nsy50CF.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsy50CF.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

\Users\Admin\AppData\Local\Temp\nsy50CF.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nse51DC.tmp

MD5 5890d87d3fee24cbd60a9a963d41d826
SHA1 f8d485cc85b1bc589b314063edaac4ea2b4ca1cd
SHA256 b8e71bd47ba040a7684082fe2e9b3af93bea955b5d9445e003cc4fda8ba20c07
SHA512 cd02712ac9e92801cd21f2114027bfb672d89539c4507c438c291292004d4f88c965f155cabc906421cee989c172854e4a6276ee6716183f8562c1471b19199b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.Admin\user.js

MD5 2bf5fe73daebd52b3599f43a559029e4
SHA1 7593afd016ecf334f135af606c2c1c14b205defd
SHA256 b2c6c47c90b26e3720d82f65274bfabaf97794fdd164ce64a8ac352a87a3cffe
SHA512 2afa5da422a82bdbacc68839f79022f62ffb2bf4812ae39d490a530e4e2be593c92ff9c3a5213a067a8b077ad271f471898f935323e4f388559ea82a19ed2a57

C:\Users\Admin\AppData\Local\Temp\nsj51FC.tmp

MD5 0d482c98f4cb98eee81ed469615ae1f9
SHA1 110c39d8c0614ed1125686bf6cb39d9fff932206
SHA256 9f89196a1f2e193d2eebe68134b5abd83c0d26568bd37a1fea87027566faee75
SHA512 4dbcd87348ff4365331c9740520fe6dc067cc5fa160243b257d9469e3836ec04239c4a0721ee084d44a6e0d092851f4a07512bce0eb2481d8a661c3407f271ab

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.Admin\user.js

MD5 50895db1213d4a201ad61288f4106868
SHA1 426509b82130dd62bf4910eaf69cba3883a6b1da
SHA256 c869df0ff6ac5f0663d64ec41771caa4464d80b6778067695a9075bb7d70d61d
SHA512 7bce8c7aae025bfb9832d6abfb60e6958e8b0faa7a3bd9948e20ab29bbf2c11814d656d020693209ac4fa9e231dc32fe4a99f8fac87ed22c5a2c17ac5bff52a4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.Admin\user.js

MD5 351080079fb74f3e35e5624b3992ee6e
SHA1 a24d62d2d23c9ec36ff5063983cb5f368127f815
SHA256 92ccebc3adb72f87e4d0bf4b49eba5b26c805aaa231e1a866ad5719116e32e90
SHA512 3f248de5e2915f84275c981a398639eb37af8d887dc291d6189d3c7426f4ab31bc6b8a1871b5cd3f7dbde0971930ce7e37e50c7926b979076350d9299d90c096

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\user.js

MD5 3529d51f4670bf0b078eb09e7b530876
SHA1 32f6274bcb9d11d7df6d4c2d7f3007075785e3e2
SHA256 4ef6805c5a9beaef2614e5acac412bc19e30e840b3599e8cfdde2709a1531c46
SHA512 151988342696c5283d6615c1f32d8a58ede80ccb8f1f6788a9c66b4674c1a9eb573a753dde7d9bd613faecd143025cab19ade3babfc56178cd1f85f60d5a9e4c

C:\Users\Admin\AppData\Local\Temp\nso5449.tmp

MD5 0215e9d3a4e17116ec9ef7181bf756a5
SHA1 ca04292b9585192167218007b6b35d87eaf1cba1
SHA256 28a15e20ebbf380d5cfa75c6d9957058f3cf2e51517f89c45fba89a7762ae8e5
SHA512 3ca55a9ed0bd097acbbbea024ac56f1768851426cc5ab3c57aa2a7f72de582d00d2ade528d0032f278d5038b6d31b408e27102a8e8f5ab96b2a6ff518a7bb965

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\user.js

MD5 e04534701c1d1325f869c1d2a6fc8bb0
SHA1 dea581a8369f1d062acb583aedbe301ed3e64ec8
SHA256 07541251cc0a6179258d75f1bf1e2cd5e1250230327d84b57d5312caafeedfa9
SHA512 a374e441d09d5a3e375086c3d381ff9912c271add570bbc70e20afd5828300bdb7ea4b4eaeef7ba1c15fab7dbc699f86d2cc8633ca0e67c728d4558dadbf04c4

C:\Users\Admin\AppData\Local\Temp\nst546B.tmp

MD5 eb21d65bb1f459bb8f517b997a32eebe
SHA1 a83f753127edffa3681bec0ce6efa921925c6e63
SHA256 06412fade94dee8601a0fa786f38f804a3485bedc22a6a6a309ed1e7734b3b16
SHA512 c2c6adf41d42eb7abcec5a935a63016a85cce4df1c27eb766cab3ba87bb4552f576af2e33fc1fca39b3b6358be40fec00c4bd445d418fc52d1b093b7226551b7

C:\Users\Admin\AppData\Local\Temp\nso549E.tmp

MD5 7b62e68e4e8e47a7a47d1a6faa74e5d7
SHA1 1b333843e376c5258dcf366fc6ab832afd833927
SHA256 0fb377bc116b04255e1de8b519e91710a8b02b758c1a24710670fbe2a0c551d5
SHA512 c28b78e07c8d368ddb4dd7a487800ea4e57ecb79d752a1a6ed2e4f99e975191213041be65931a8787a3c4db1e1e5e69025c88519455471d4cebcad22fc0aa53f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\user.js

MD5 b7398861330100724c6476e3df77f3de
SHA1 5b8f4f20143adedd4956f6ce052fb205fd29ef38
SHA256 12cc04f2f40f96a97f449d3685f425eca1759033ea091e5277ec54301dd4bdbe
SHA512 b038c924f705567ecb81fdf5f1837c0cee1cfad48a54a0886be09615cf06eb8d5b5750e1d79a2f13515d393ff55d1c0fc0e7bd2ecc6ae519708ab3caf8fb1cf5

C:\Users\Admin\AppData\Local\Temp\nsj54CE.tmp

MD5 ab723d82158cb49f8c45fda4667fe7d9
SHA1 2dab4f30b78425f70c84e820865a98af370aa887
SHA256 f607aec829cbf27fda196b7f5543f3c0e3866a69cba8b6098b5185f0769b4787
SHA512 2dc49bccd02e6e64ab47e19df8076d925e0ff837e321fe6b16604a6d1793bc5660767406a440942ccd30825479f0c8d7bae781dcddb5938cf05aeddea9cade29

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\user.js

MD5 6b82730556ebbc6d5109da4170c810b1
SHA1 7f1e731c2128ddb103066e498b89b59cfb80b334
SHA256 f42586fcef936b6128a3919b63688741eeec199cc8aa4868c0c2c92d6ff30f6b
SHA512 70d389d85fdbb518aa5f5ed6c5f94cc761da83db2662656971cb41e1ec17e5c92c75d44b845e530c391ec82cf9d27f3aac3ee6ed05487265bf54bfdf69712914

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsw3DD5.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nsw3DD5.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsw3DD5.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

C:\Users\Admin\AppData\Local\Temp\nsw3DD5.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nsm3E84.tmp

MD5 c6619e83361cd8ac7000d949c3a7d6fa
SHA1 3ed0379d1c4fe45b7b60cd1a1f06bc3823df6d19
SHA256 443f3fa3f3532861a96a30b6ebd83fcc2b4d5b1e9b4e26ed962de393e7bced96
SHA512 4745c5eea59d99ca51449143dfce6f49a765d118135bab72fc78fc85827d75479dc98ee0458d8463a82471f1be5ee9a702859ec0dfddae4d4101515c8911ef87

C:\Users\Admin\AppData\Local\Temp\nsh3EB5.tmp

MD5 c391c2b73489a9e5bc0a7dbe75b54b78
SHA1 a2ef1252cf9259691fefddfb882cb62f70422078
SHA256 1710a543d25e6853bc3682990c1a78237c8c6fc9f1fe91d40537ff6f15353ec9
SHA512 993c2d50f0fa7e3f877d2e6e249094db26968e815f7e7e1dfebf211ec659295bf0c8733b84add3b668e9f0dc869a89c8527bbb48b1da6d99fe26ec6d6c89e971

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xtlddrxx.Admin\user.js

MD5 62f173e6b5fa014cb8b119f00cc92ed3
SHA1 463e62d6a1793f61dde2e506413036d5e5001bea
SHA256 b127f8bbe53c7801836d7be4a2cbb19e30b69cd7fe78f821c620e37834a7bd02
SHA512 9d65d3ec9237b96312b62eeaf0f11df5e219466903f2eeb3c67c2e9bef73e38533b3addd564d1e6d979cc75e4983a2822458e902888154fb80a76cb9cacd97aa

C:\Users\Admin\AppData\Local\Temp\nsr3EA4.tmp

MD5 988a639c6489ff1e7d1fa237f86a74c5
SHA1 bbf84325c42e7038cf08fd7305e10d227ade1f61
SHA256 8f2e0bde782a998aa6b018579b6f4ec79c2adaebca269c8128e20b7f0e3e2038
SHA512 1280700031dbfa506504b19661b24f668821e3057d8813e1979e88051da148cc273c81c1f9738c63951d31c5c557f308fbb0afa228d0bc8994aa754e256d5ad7

C:\Users\Admin\AppData\Local\Temp\nsw3F15.tmp

MD5 bd49c248f6ae0692735488a44edbc4d8
SHA1 a24c40d42ddc5521a3814f5e720bf7505c1c3f3b
SHA256 5c8b284b2b398026e755755c364c5b806f9e913623d4182ad0ff7494753b6e00
SHA512 10827e5aa299554388510951c4054267be8e4571615b69e350dfe5534700c3baa20f6017936f5e55edb56d667ca7214428166c8909adc53a10f350b8c561b6dd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xtlddrxx.Admin\user.js

MD5 ba87baad26f200d40f64e43dee137433
SHA1 de9aff4b883b3bff360ffebbfa19cf0f757772c1
SHA256 37ce5566caa1ea20abf939d7e3079882c34237b540b08da5b54e40125bf3454b
SHA512 420e1179d7cc139f4a847ec4506b5baada5ac1e101d7524eb176c36b273f717b93f15e0b159c2ab111d359a1adb43f5e100a048940d5076e518b0153446bfc02

C:\Users\Admin\AppData\Local\Temp\nsx3F67.tmp

MD5 3723a745b67e1b7f65baf5720f493acd
SHA1 ecab05e9024cbc6682583acd546516af61fe4299
SHA256 5529ed0c862d05a9d42bcb6a4bf4784f84081b871794222b81a74aa6c226ee49
SHA512 ca29cb9969ba8d2a9b8f93c23dfb8a91a950216cefec1af1160a9f651e036c80a1887756c3bc97d9d123d1c416b4f6cc757f7f002131fca33f65b147681240a5

C:\Users\Admin\AppData\Local\Temp\nsc3F87.tmp

MD5 dc577e61df1e98d3d26e5f6cce8bb3e7
SHA1 52813b8350c60cad25d47426dba46c7b7045bc77
SHA256 eb113874886c35afd69cae707fd4900e963f4cf4eb401ffc9afb4ea821907a45
SHA512 4e48d39555a7c31eb02499462192b063c6770bee7368f3a5f548367836836b2d167392c5d2e36832c83a5b7e2afb8f931c209d0e8a04a0e5522ff5c3eea6befc

C:\Users\Admin\AppData\Local\Temp\nsh3FA7.tmp

MD5 17ca453ce621ca5b8e6d6265e6b80767
SHA1 3f2621bde53bcd25ddb5144531bc9f15ecaed151
SHA256 b69f3d9a46ccc4b11cc9e797f3936b92843aeb4a155f1411f7db9c16d9fb85ed
SHA512 b1ebcf513bc80a785c96517648ba9a5291ffa10a96dc887f966887dccfb2712cd3305ef9c086b3880cc258ad2743304c5502772a3df90fd8f1f800def355bc2d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xtlddrxx.Admin\user.js

MD5 1821ada3c382869386aa17bef9c0e303
SHA1 483c63df0d0b26348cadee348d8c3fcaa5d00769
SHA256 32712193e8bd79910b9791ff0ed6c0f7cc1ccea6ae5d57a37a79beb10a264cbb
SHA512 2c2665e26c40b8fdfec4ac0ed0d90227c2ab834df6d97361d5655f870d3c3a2d9940212e0a78b17a161dde752fae4af4514f3488eb23bcadb7df9e07449e0d4d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\user.js

MD5 b368cacea9ece1505a52d0433be3f33a
SHA1 80a181947a6e9e5766fd204c17c09068fabafb4a
SHA256 b52eba19422c5cf4357bc264401c02f34253193fec759da8336d486c921c7c64
SHA512 0d1f4d09331b57905ff91d6807fb398cceff03db5d2a02dbc22b776a4f53e3e2a796fc1125bd92638dad4a79ae42817dc68ef249c133092d6877729ed89476bb

C:\Users\Admin\AppData\Local\Temp\nsc402A.tmp

MD5 d751bc444026664e1b6df9de418d6d16
SHA1 a8a7f31c370d402264221484891d612cb4fed54b
SHA256 880d1993d001641986cc07de59a16a5adad29d0ce4ef4f74bc3c7dad3b2bd369
SHA512 5c0451163a25df4624f1f0ba7d8e58902251a97a2a125fa7fb634c64c81a4b36e1454b98c065fe2d21eb170d31bc3d5b33e27206ebc412f8b33d92880acb5133

C:\Users\Admin\AppData\Local\Temp\nsc402B.tmp

MD5 1a3b93ca7ce9f8c129b9d06d9649c320
SHA1 d47dfbdec40c0aa81ce8c2c205f3daaf771781e6
SHA256 2fad777a79b52e18b0f5f66629674f2ed4c091fd2246af767fb045b391eb2ef1
SHA512 6aae2435e41349b39a422cde7e0940602726b332a8acc70ffae41d124d0b214be16bfd1251d5c5caf2db7362c9b0b83fd9575cb03eccb9f40432fbd9db9cc893

C:\Users\Admin\AppData\Local\Temp\nss403D.tmp

MD5 376c197c319c553b71b66b4da6b62fc8
SHA1 0dd6db0ed242301291706b130f4d6c9df1bd2673
SHA256 6685ddd41f68fbd4615fbe809cdafe0ba0a9f54ba72a9a3a641d2a2881dc40a0
SHA512 299d19bc9fe9c0ffdfc4cb8c2354eee1b71303fd3ccb2b5bd31dac34bd7718ccaee4f8c2c32d2f37b527e2c382b3b234a37e2ce966f13cb98bfdbfc5659bbb8e

C:\Users\Admin\AppData\Local\Temp\nss403C.tmp

MD5 dd7adb5de49fb9044f1285648685f76c
SHA1 9a14182660614e0a323cf927a98fcb9a68df89cd
SHA256 270e56074f509bb9ea720d16fbfbcfc34515ec8abee62abbdcdd52a87275d3de
SHA512 42f7f53ef22f3fcc36912116aedfa72bd5da12d35e8944109198a464fa8cc9fd3b34b3409de22710913f46ea13db8346d9327cb22744e126c3d5d3592a48ecc1

C:\Users\Admin\AppData\Local\Temp\nsh404D.tmp

MD5 740c921f8df0d19a3726b47c01c2d5da
SHA1 12702fb70db25431a0d23bacc76d35648a0541dc
SHA256 408a2a073048a8f52e2ce551e81575d6baefd25596be7682d6da6a32f2568a8f
SHA512 cff9cae9675f4ea6b293943e0ec4733e4237128641b9afdf78f57cf5844c3975155eb57df8ce2d6e0de3df5c139054be4309abbd3b4d3f58d98a983964b3f7c8

C:\Users\Admin\AppData\Local\Temp\nsx405E.tmp

MD5 8329df7152678e2728d280ca62892ca1
SHA1 c66c97d188d44d0db336e3f1480a106025092821
SHA256 739e156533c7db4d17cb35167f972abc09bf2e6a668ba69aeb500d5ddc73f140
SHA512 89a1efab2f05461e1c20d6b06a362d8c92f21f31bc8db28a604ebb00761066ddabb8351c5c76e0981d57c45b89a9304cec05769b076024b4c43cdc452755274d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\user.js

MD5 2dd30232b6438bc12a6b7689d5d5c270
SHA1 cd8e0d4828b78397d13fc1d7ee88b061cbddb426
SHA256 db7a46dd31d133ca42b60b893fefe39366d936cd12f9774d2e92c947be1dfb8a
SHA512 ba8fae53304112a26ff695104574f2b4f6563e84b37376aacfd5e2499da4b1d0fe40d3c2fb0ab09e9891b3a9e731973c070db807d06662fe504c9ec1768cab5c

C:\Users\Admin\AppData\Local\Temp\nsc407F.tmp

MD5 42e2423b41e7eb76f3cd40940a09de10
SHA1 c15733f1bffc01252dbd91b09ea53601dda012d3
SHA256 496f23be5af0c625ee0eb4723da59048a9d7ce254a31a9d54e3ddd2e196da818
SHA512 b2dbf59355dd271668955b267230961486ea0483d4ef7e9ae47d294b576a9086851488ab74c21e3ef7732bca66ddabeb7a05e078b30f64614a33874f8652afe8

C:\Users\Admin\AppData\Local\Temp\nss4090.tmp

MD5 63f4368e6a509bcdd77d3ad4fe694557
SHA1 dd08ef3c0a2c37b772f356e13ca63aa4d3b8bf7b
SHA256 74b27b953401d09393ab7d31bc4766eb0cff14a8b3312d59777c80ab9c12a409
SHA512 b3bcd70a52a5a9735e7bb87a6dfb2555cbdda330be7ccca086f8e9cc5a0e8abbdd177d5490af66129be343e2aef5f9f01f1066c58cf3cd95c9a099a59b4d6aea

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win10v2004-20240226-en

Max time kernel

165s

Max time network

193s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5024 -ip 5024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 228

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win10v2004-20231215-en

Max time kernel

94s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 4996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4832 wrote to memory of 4996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4832 wrote to memory of 4996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4996 -ip 4996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc600d29ce64dc8a5a9bf45abe4ce276.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\dc600d29ce64dc8a5a9bf45abe4ce276.exe

"C:\Users\Admin\AppData\Local\Temp\dc600d29ce64dc8a5a9bf45abe4ce276.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 172.217.168.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 img.uptodown.net udp
US 151.101.3.52:80 img.uptodown.net tcp
US 8.8.8.8:53 52.3.101.151.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsx2518.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

C:\Users\Admin\AppData\Local\Temp\nsx2518.tmp\nsRandom.dll

MD5 ab467b8dfaa660a0f0e5b26e28af5735
SHA1 596abd2c31eaff3479edf2069db1c155b59ce74d
SHA256 db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73
SHA512 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

memory/4616-21-0x0000000003230000-0x0000000003242000-memory.dmp

memory/4616-22-0x0000000003230000-0x0000000003242000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsx2518.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsx2518.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

memory/4616-40-0x0000000003230000-0x0000000003242000-memory.dmp

memory/4616-41-0x0000000003230000-0x0000000003242000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 3180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1468 wrote to memory of 3180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1468 wrote to memory of 3180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 35.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 62.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 236

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4776 wrote to memory of 5088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4776 wrote to memory of 5088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4776 wrote to memory of 5088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 50.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 47.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win10v2004-20240226-en

Max time kernel

113s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4836 wrote to memory of 4516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4836 wrote to memory of 4516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4836 wrote to memory of 4516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win7-20240319-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 228

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4448 wrote to memory of 4692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4448 wrote to memory of 4692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4448 wrote to memory of 4692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4692 -ip 4692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3728 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 67.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 142.251.36.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:03

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1264 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1264 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 49.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 57.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-21 19:00

Reported

2024-03-21 19:02

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\Programmable C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CLSID C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ = "\"C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe\"" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f\ = "escrtAx Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\dfltLng C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID\ = "f" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID\ = "funmoodsApp.appCore.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsEng.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ = "escort" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CurVer C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsApp.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ = "IEscortFctry" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ = "appCore Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 1684 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 1684 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 1684 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 1684 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 1684 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 4012 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 4012 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 4012 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.228:80 reports.montiera.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 228.230.16.69.in-addr.arpa udp
US 8.8.8.8:53 r.funmoods.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nss5A75.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nss5A75.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nss5A75.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nss5A75.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

C:\Users\Admin\AppData\Local\Temp\nss5A75.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nss5A75.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/1684-84-0x0000000002320000-0x0000000002332000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss5A75.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

C:\Users\Admin\AppData\Local\Temp\nss5A75.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

C:\Users\Admin\AppData\Local\Temp\nss5A75.tmp\chrmPref.dll

MD5 6845d147b88de1f005d9c6ebb6596574
SHA1 64523302e2b1e2ee7a31580d2acac852db3c7e45
SHA256 c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e
SHA512 cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

MD5 ddcada8c66d56df6e4ef2bbedf2bb865
SHA1 059a7f8bb8ed2e99d5153d26ecf986e91c24df19
SHA256 abcde03656f4c6f51d4d4c788ece555581b8c7b52bfe1c18ef70678cb3a2e872
SHA512 63a3ca5d733cef71cc4ff61d6b5b3dd74613d57bac2b5d41efffbbf64ab6031bde66c0cd7058bf50c047e64e4ee0ef87dff3c7864a18c118521f5711ab69cc91

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

MD5 d765d3e38dda7742ef23a791a6e54514
SHA1 af58a47b9f3038091fcb9584d48fddad84758a72
SHA256 28885e0613a7420787b6f7cb8b260f0b0e7e74762c364cb05a18ade71ffc75b3
SHA512 afd39f2f7cd19470ac289bba385056072e0eb2a7c5bb4c75d713995641ffeec12efe2f3ea1631c96dd1d6f55bf4fdee6c3a9371c0f44b50ff35949fd6051bda2

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

MD5 18eae2ae2f5513ccdaf18040235f7c2c
SHA1 6315f0528adf9c57e096c4f1c0d542cb12a2470b
SHA256 cb11544370ecd37e998d587a018600ae2259f114d723415827d759f330091bf8
SHA512 e473e6f59a6670ccbaec2246e6d4afe732b3b679ca89d0c9074aee728b9f1ea970e0eb12ea96c4fe2064afabee8bb45521a2f38f0a037ae7346488d876a7c9d9

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

MD5 ef26697cd549f303cdeb5ed69000c3f9
SHA1 93c82c7ecf17b910ce838a01c4cdab7df0eaeb22
SHA256 54343f0d939da7b117dbbba82b568537bb169d765f51e1d33d40e95231c17391
SHA512 8ff6a30d5c0148e0b9af9b50309952e7a78abd019378ca6fb979e42ebd9f4b7c025f29a946725f5688d9675b3c23be37b86eb2cdd9cd3d0fec807e0dfcf48340

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll

MD5 7f8be790b6614f46adeafd59761abbeb
SHA1 a1be7d513d40b1a0af1aa1fd73c2c2b6173ac700
SHA256 b1fa4dacf9656e31588eebeca1f831c72a33d9affca07ede0d5f5d113ec14aaf
SHA512 4d17c74368543092a8e7604208689bc6a5fc5bcc46c60cfb9255622d031a4265adaa13d7c0b5f410ababed802f29cb89c2dd7d7b1adc1af33fbb5f55e4a8a5ca

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

MD5 ffba0384096f7a6c2189009b3c54c8db
SHA1 e1e883b9345bd74b0c7e158751c60b0ee2139677
SHA256 93587b81f4e717b25a6e5fd2fb7158d7fb825f79af1c02ed0a61d5de15b6327b
SHA512 7ea59cd57a0b6ecb1258af1d271dcb68236d0b95fca0d5905d177dd8df980771b0a182a459a6a6f01cb4789433d193306324fa178b88b6ec3677aa5c589571dc

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsb6287.tmp

MD5 b36deb37bade2355d05f0cad0cc0f161
SHA1 15f5285337ca8eaf126e8fbd4450b21e1b2e7d02
SHA256 ea31863db51f5b603406fa4c49f4a764e3c3fd95cbfe540584001d664f539a1d
SHA512 a8f132a6811782718b0e3168b5f76d536df4aa532813add78f84b9f857b7f72d03c964dd7c6da2e8a3c8ed2c62e0c4e8befe6a351d6f80d910f1d189ce652dc0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.Admin\user.js

MD5 0d7889a328bf4c6b506dd87507ae693e
SHA1 21928a20080bb3bdef6457f0ffa1def8f35a14a0
SHA256 1164c9ded36dbae9752329f8833729cb6b9ee0177abb8d00d1efeede0baf8ff4
SHA512 2342d33faee44e84698e543d85798cd724123d7291e46d7df5f2bbf497353b2d8b7f8dabab515602177d4ff7892c19f1ebae099698e1dd046bb1da90b8b60dce

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsg62A7.tmp

MD5 1230ce39aded9636d809ab8ce4c1fab4
SHA1 738f389bb09af2e0005740c8cf47ff8f25716d5f
SHA256 84579710e1e4e7762d344c86dd73545b7a9ada2a1d86ae0e20683c338c127426
SHA512 23846ae735f911c2911097e5e6098e4c797e55988caf25502f431acfa2824e760621edbbf37f4238531bce9610747462efaaacd77022a0fbac4e26281f4c0717

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.Admin\user.js

MD5 50768573daf5dfdd05b5c04ded392f52
SHA1 7a30da3b78c01f1199525f67af0b71fa0eb77577
SHA256 4a55bae1b041c50fc76c9495f4db55d76c14a1891430b1fc4882a947ca2aada1
SHA512 1d733277a0c4b883f02f22b128e57da6ef4c1c9fc049fd46bdc5a38ecae8bad691b795663b2f4b628b08d59a91a4e093b2de300e1aa28fdfef64e065e41b8cda

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll

MD5 12be59f427297e54fef41f9bb32d4233
SHA1 0088967a4ed52f491976136c95d43e0e1b06cc31
SHA256 e4b3df5ead761fe83da367d5e2ae1d416d0f89a572480deecc20c4b4295f17eb
SHA512 0f8f3826e8a9205771863c042a8386315784927e260ca8617c44f83b5f3f3a501500d6d39ae732da11c0621dbd6c8c6d75ac7af660a46bb70acac9c12991d2db

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsb6328.tmp

MD5 f1d195d8047f8948b9a40f38ae493ebf
SHA1 29a58fbd2da58a00c9ab8d7728bcf1bff518ea55
SHA256 aaf1d639e81f5973fa41b73a364f200b25c4d2c0d7b0b8f5099e919aa5ec1ad4
SHA512 3670f36d4e909df0bfbc8cb54dc64282c4e0d105791b594f68b69e7fd3007dda80861fc498a9defb9d70b0824e7aa49647d4b7bc8943d6863b3214d68479b15a

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsr6387.tmp

MD5 f357a6363458ac80dcf21e9e1afcd3fa
SHA1 114ea55fa88d788e6e9f10e33d7c9baa71869b25
SHA256 d817b4bd2be6197e88406fd0d028888ec0d6edad528700b5d5746d2bace63d62
SHA512 c8b322e7ca1583de96845fe448c942371c6624963c5b376c4eb928acb67e3edb0847e4d267e9e20a4a506108c995ad2aebe4dec8b9a8fc95fa282b8c8498ae1d

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll

MD5 d5e0f923b3ee640efd6a58ec0c70cbdc
SHA1 74f62a9acdb9f9dd0580d69450c062ba8870deea
SHA256 3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281
SHA512 471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsw63A7.tmp

MD5 10937dea14305807ef24f2a60b7f08c1
SHA1 e7595c42a929c26296c2b9239ff937c1f18ef24f
SHA256 b5fa141c87f716c77ca8be63d493769ecf3ae80a436af2ef996b7a02a70b9ae1
SHA512 a7e8939d82a5aa1b56400951d20eb1edb37a94341e19ec0f2f4500b26b8e261b58b65f3a4b6e2caec41a7d6a97d01f6292a6e76a102fdd629aa25ed0b74de012

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.Admin\user.js

MD5 a0c87f35b1fe068d549694aaa3552f2d
SHA1 d8b216b0a43603e9b759be05390398b742b810df
SHA256 0e2ffa7497caa4a7717f34a368446b9f333dd5c83630f26180136e4f3cae69b6
SHA512 f89e38a3ccb0ff8f20963a06bb8372963d9df099e109e0f7a7900ca2f56e41ebb0b8db78cf085fde2be59399f509b4ef8763636c3d638abf4d6562268d1a2da6

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsm6466.tmp

MD5 957c79e5877a7b1995a5f0f0394162e2
SHA1 b9b1eca5c0dbef11ca044f8d830946ff39fcf1cf
SHA256 da0ee429f12465481d62714b711c4e70dd9bd72b7364808278bbd7ff98986acc
SHA512 c0200544027c9c53491130ca336bb7bcd19cba2d284ef8d2cde01c8d0c88fab3f493ec6dc8114aedd819b1d11c6bd5e87295c20490c3254f2734619049c7b72a

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsw64E6.tmp

MD5 f2bbd00e003d762d6d86946b7cf20a88
SHA1 f027f703b646ce0f62a44eaccf7fe66ad1540b3a
SHA256 c33dc8e82da7091ee869f872d05d5a9a2c14e94f9c68000d612b285317edb2a4
SHA512 5494740dff79b1853f6f7d45e2fe0896e62abf65d6ddf7c6242de0078892e4abe69b5936a775c5f8b7f00f429ee3fbb36bc5c83b9d10c3abfbe220bc6e2878fa

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsw64E7.tmp

MD5 4180b80efb681b07a5527a14258d353c
SHA1 0357a000a2d7cf822d473074c603d1f0f4dde6e0
SHA256 92e0bcfda9729fbf7dba786145a1a6a9c8b01d2dbb7302df0b2670518509b2b4
SHA512 4fe475a3278307e2bc4d5107cf53180d65d7000957ce65a7690010cdfa45450c3aeb4ce4af81f21b7cf0e7eca94c7821aece93ad6baea61db7d8056ab61a8ca2

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsm64F8.tmp

MD5 a6a1f69e15dda3bf6a928dadb8b5467e
SHA1 0c6f038e71ba66fec28e585cc37e22be8a69552f
SHA256 2cc4491acde5544ebeaaa75950ccc998eb9cdf596768fa973bb8f0266cb1565e
SHA512 f884a9c4edc81430861c0016645f93bb8a7d316b1f7d44f003bffd1e7f4bdc26b3d94e0c4c98c5e82282474702161ae5c1c16b3239100b5e89f777a3896b816a

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsm64F9.tmp

MD5 8f392251784065f34adfb218f4a9bdb8
SHA1 38b8979c74d2143784484b655d394d8301909af8
SHA256 b3d7bdae97df0af1d40c4c778dca42b72fd130e479735460053019d1cffd255e
SHA512 388f9e2b1d358121329928c1a0f9b47adfd42caa76abb3f73c9c5bf2d7db9fa16ee4c549aba5be6a612d0ab30d6c7791287f772f11b9b9654ddb57fa989f7917

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\user.js

MD5 321b597452be4fd5a3296b996df1c6de
SHA1 6b18dbf7772b64882959d72d87648b3a2bc9dbda
SHA256 b5cc22f66a0b29230773cbdeecc14c627504af26375d4cc7e0a02cd99d6b8264
SHA512 70af676ff13e0b7d2bca555163b72086a3cb6eece26f27c086ce9ca1d81216b8c60f886903b3d99e13e9a031cdc306282bf4ae302836112b69d9f92d830896e8

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsh652B.tmp

MD5 c5c88ea229a6dfb9c4213d405e3377c0
SHA1 994a67e1f99631da4e810a452d6301671bc36ef3
SHA256 c11de981926f97b5f91e50942bc9169835a9ddebc29404309804680dc3f0778b
SHA512 86f27125e7d294e9b9f146c29315dd68700e0961d83a84229599cbbdccc2768ffe0634e9459333ec81c1c25bf6c3b2ef019e1230c5de02cf7ee943dff43bbc1a

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsx66C3.tmp

MD5 e2a0bb46d5eb41f9cfe831dea4c75b69
SHA1 4fa2133fdeae4130ce6e948aaa1d28ecc3843900
SHA256 3c322b3a63df8df6b79aa1898289a0cd979cee0b35f58f1081aa98153a5d3374
SHA512 f587fb8ea0a00dc9d88d2d58822af12c9253abe7f11d92b04acba53439a720c3c229e91d1abdf16ea2dfd36a96b9512114987ce566fa1c905e30fe65a883e914

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsi6753.tmp

MD5 acf241827582b2fb973917816ae09b44
SHA1 4a14a2938f1daaef64237a6a28c61f24054c810f
SHA256 9df26e71ee2a06c8221b1b1fbd2e9cd1213a21a5817ab1e6953563d88f1d796b
SHA512 b1c8cdaae179c307900e0ef96974fc0e08e99bc345a9253b026ba6c03ca9a90972c925c50fc81873a0a1b92a4c9f348f103f99aa3652db38900fcdea3b1126b7

memory/1684-1600-0x0000000003B50000-0x0000000003B62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss5A75.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977