Analysis Overview
SHA256
f0761bbd8b23f2655d10fb022a62de8472cf286e09eb3ed3835e27cd64165f69
Threat Level: Shows suspicious behavior
The submitted file, f0353cd200892eaa0f4d0399070a8cf7_JaffaCakes118, was classified as showing suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Reads user/profile data of web browsers
Installs/modifies Browser Helper Object
Checks installed software on the system
Drops file in Program Files directory
Program crash
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Analysis: static1
Detonation Overview
Reported
2024-04-15 03:32
Signatures
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unsigned PE
NSIS installer
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4240 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4240 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4240 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 604
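Every rundll32 run in this report fires "Suspicious use of WriteProcessMemory" for the same pair: the 64-bit C:\Windows\system32\rundll32.exe writing into a C:\Windows\SysWOW64\rundll32.exe child that carries an identical command line. That is what the 64-bit loader does when it is handed a 32-bit NSIS plug-in DLL: it re-launches the 32-bit rundll32 and writes the child's startup data into it, and the sandbox records one row per call. The triage below is an editor-added example, not code from the sandbox or from the sample: it parses the indicator rows, collapses the repeated rows for one parent/child pair, and separates that loader handoff from writes that deserve a look. The first three rows are copied from the run above; the fourth row and the PID-to-command-line map are constructed (the report lists command lines without PIDs; only 4024 is tied to the SysWOW64 rundll32 by WerFault's `-p 4024`).

```python
"""Triage 'wrote to memory of' rows: WoW64 loader handoff vs. a real cross-process write.

Editor-added example; not code from the sandbox or from the analysed sample.
"""
import re
from dataclasses import dataclass

# Rows 1-3 copied from the behavioral6 run. Row 4 is CONSTRUCTED to model a write
# into an unrelated process; no such event appears in the report.
SAMPLE_ROWS = r"""
| PID 4240 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4240 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4240 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4024 wrote to memory of 5555 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\explorer.exe |
"""

# PID -> command line. ASSUMED mapping: the report prints command lines without PIDs;
# 4024 is the SysWOW64 rundll32 (WerFault "-p 4024"), 4240 its parent, 5555 invented.
RUNDLL_CMD = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1"
SAMPLE_CMDLINES = {4240: RUNDLL_CMD, 4024: RUNDLL_CMD, 5555: r"C:\Windows\explorer.exe"}

ROW_RE = re.compile(
    r"^\|\s*PID (\d+) wrote to memory of (\d+)\s*\|[^|]*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|$"
)
RUNDLL64 = r"c:\windows\system32\rundll32.exe"
RUNDLL32 = r"c:\windows\syswow64\rundll32.exe"


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_rows(text: str) -> list[MemWrite]:
    """Parse the report's indicator rows; lines that do not match are ignored."""
    out = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append(MemWrite(int(m[1]), int(m[2]), m[3], m[4]))
    return out


def is_wow64_handoff(w: MemWrite, cmdlines: dict[int, str]) -> bool:
    """64-bit rundll32 given a 32-bit DLL re-launches the SysWOW64 rundll32 with the
    same command line and writes the child's startup data into it. That exact image
    pair plus an identical command line is loader behaviour, not injection."""
    return (
        w.src_image.lower() == RUNDLL64
        and w.dst_image.lower() == RUNDLL32
        and w.src_pid in cmdlines
        and cmdlines.get(w.src_pid) == cmdlines.get(w.dst_pid)
    )


def triage(text: str, cmdlines: dict[int, str]) -> list[tuple[MemWrite, str]]:
    """One verdict per distinct (source, target) pair; the sandbox emits a row per call."""
    seen: set[MemWrite] = set()
    verdicts = []
    for w in parse_rows(text):
        if w in seen:
            continue
        seen.add(w)
        verdicts.append((w, "wow64-handoff" if is_wow64_handoff(w, cmdlines) else "review"))
    return verdicts


if __name__ == "__main__":
    for w, verdict in triage(SAMPLE_ROWS, SAMPLE_CMDLINES):
        print(f"{verdict:14} {w.src_pid} -> {w.dst_pid}  {w.src_image} -> {w.dst_image}")
```

The command-line comparison is the part that matters: a 64-bit rundll32 writing into a SysWOW64 rundll32 that was started with a different DLL, or into anything other than its own 32-bit twin, is not explained by WoW64 and stays in the "review" bucket.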
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
114s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1256 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1256 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1256 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 116 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 116 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 116 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 224
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 228
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
113s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4704 wrote to memory of 2088 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4704 wrote to memory of 2088 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4704 wrote to memory of 2088 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2088 -ip 2088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
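Most rows in these Network tables are reverse (PTR) lookups of Microsoft and CDN address space sent to 8.8.8.8, which the Windows image generates on its own and which say nothing about the sample. The rows worth pivoting on are the few real connections, and in particular the bare IP:port connection with no hostname (138.91.171.81:80 here, 52.142.223.178:80 in behavioral16) that no DNS query in the run explains. The script below is an editor-added example, not sandbox code: it parses a Network table as extracted on this page, repairs the row whose empty Domain cell pushed the protocol one column left, buckets the rows, and returns the endpoints to check in proxy or NetFlow logs. The sample rows are copied from the behavioral20 run above.

```python
"""Bucket a sandbox Network table so the rows worth pivoting on stand out.

Editor-added example; not code from the sandbox.
"""
import re
from collections import defaultdict

# Copied from the behavioral20 run, including the row whose Domain cell is
# empty and whose protocol therefore landed in the Domain column.
SAMPLE_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
"""

PROTOS = {"tcp", "udp"}


def parse_network(text: str) -> list[dict]:
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    conns = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue
        cells = [c.strip() for c in line[1:-1].split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        # Extraction artefact: an empty Domain cell shifts the protocol left.
        if cells[2].lower() in PROTOS and cells[3] == "":
            cells = [cells[0], cells[1], "", cells[2]]
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        conns.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto.lower()})
    return conns


def classify(conns: list[dict]) -> dict[str, list[dict]]:
    """PTR lookups, forward DNS queries, connections with a name, bare-IP connections."""
    buckets = defaultdict(list)
    for c in conns:
        if c["port"] == 53 and c["proto"] == "udp":
            key = "ptr_lookup" if c["domain"].endswith(".in-addr.arpa") else "dns_query"
        elif c["domain"]:
            key = "named_connection"
        else:
            key = "ip_only_connection"
        buckets[key].append(c)
    return dict(buckets)


def pivot_iocs(buckets: dict[str, list[dict]]) -> dict[str, list[str]]:
    """Endpoints to look for in egress logs; PTR noise is deliberately excluded."""
    ips = sorted(f"{c['ip']}:{c['port']}" for c in buckets.get("ip_only_connection", []))
    names = sorted({c["domain"] for c in buckets.get("named_connection", [])})
    return {"ip_port": ips, "hostnames": names}


if __name__ == "__main__":
    b = classify(parse_network(SAMPLE_NETWORK))
    print({k: len(v) for k, v in b.items()})
    print(pivot_iocs(b))
```

Treat the hostnames bucket with the same scepticism as the PTR noise: g.bing.com and www.bing.com are contacted by the Windows image in runs where the sample did nothing (compare behavioral8), so only the bare-IP connections and any hostname that does not appear in other runs of the same image deserve follow-up.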
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 224
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsy4D85.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
\Users\Admin\AppData\Local\Temp\nsy4D85.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsy4D85.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
\Users\Admin\AppData\Local\Temp\nsy4D85.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\nsy4EBF.tmp
| MD5 | aa942cbf080fbb2237e6897523515ce5 |
| SHA1 | 4a432578611a39f2626a0967b89febcd4c629892 |
| SHA256 | 42fe6aede59d0b4629f96288d1ab22008aca8576815f9d70fdb91810e2fed48c |
| SHA512 | ca4265c36c946f1e8c7abbff7535e3db2885c57209d7d32562e0fe399a2b17dfe95aa47956f87bb181ffe7cb71481861dbbf8423aacbd0faba354eebea78d3db |
C:\Users\Admin\AppData\Local\Temp\nst4EEF.tmp
| MD5 | d1a8efdc5eb580c324faa44258942d18 |
| SHA1 | 3be068b6699d6e17d4a6df3f0623eca4a9ed44f6 |
| SHA256 | 5ba8cfb98c3a9abe75c5160b6c63dda96174d73cee1899d11e9e47fd05af56e9 |
| SHA512 | 720b4311f2b0cbec678ea64ed774e31f095c9b21accb3b11d4054993199f5ba26926300c4403da04dba7887c9db2632829bcbfa86d5666961c7b40892662f9c2 |
C:\Users\Admin\AppData\Local\Temp\nso4F6E.tmp
| MD5 | d9b45dea6583ab35601fc41363d39c29 |
| SHA1 | f8de32558b731bf21a1ede51d2e37e0daab6711e |
| SHA256 | 9794992882c09065d0b7bee379481d06de6089feb3f4268adeeef50e9dfcf4c1 |
| SHA512 | e30c8bfcffebfe8f5ebc74f1e3372339b10be7df40a06b0affecdda81388cc9aaa66a8961bcf7d527683c246603e8adc5941508080b1d8595eeba037642cf185 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.Admin\user.js
| MD5 | e9068de0794af251c21cb5c4bca81583 |
| SHA1 | 0143b12da97567e55c86a1da48ddb37f07dc357c |
| SHA256 | b7f0ab58ff5e9428f085e17e86287af2f51898a811ae2e3afc97b5bd7aadf79c |
| SHA512 | b73cce2c1905bac262df2eb56dd581368149e1e42d60ce55f6914f5b497452d339b61a99e00cc09b4d1c73a875598592bfdce1fec090f4aed46493b7ba7b43aa |
C:\Users\Admin\AppData\Local\Temp\nsi4FEC.tmp
| MD5 | 9226cb3bed3aeaf2937a55dbd4672b72 |
| SHA1 | 2da1edf34e07dd9d47bc6f068d426bb199716e5c |
| SHA256 | 32c26c2fe3e181dc9ae07734d136d00786bd1aa6f569db8ab258c1d3d20becfe |
| SHA512 | 985649139d9340482757d32e54a7680540b16c6e948568de8b6d297bbcfde0d18197815436f0d9db5c87ac81b65c413e1074e453c78d0b815eea39a0258b53ed |
C:\Users\Admin\AppData\Local\Temp\nsi503C.tmp
| MD5 | a6859a93f72eb55bcc38fb9c27acde93 |
| SHA1 | d008936a4859c60878614f254cd3cbaac7cc33f8 |
| SHA256 | c20aa1395186df8cedf9a1848d8548a9bf5f2d10b2507d8719ed954fffb951c4 |
| SHA512 | 72ff69c27a8a0c891f79eb981090e8dcc18c0e66ee9d9aa9d9030a4553ac5f9d33f64b85eaedb2026c93383c38eefa75703dfc3d75d827891fe824b75117c361 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.Admin\user.js
| MD5 | b569c96b4c90097daa61360d2cd571a0 |
| SHA1 | f101eaf9bb2e563bed000cec0a19d1cd649b992c |
| SHA256 | 7d21802c508cd5d6bbfbc22cf276c719b6a8e06713ce0a5c8e8a8bed463344e5 |
| SHA512 | 2e9b41022b263bbb5c5537cb303dcf15f683d3403989d61dad731b8b216dd57d3c57a3c2eebb834d4cbc57ac123670fc0fe48bd1a68aa5a5e506cab5d37bd840 |
C:\Users\Admin\AppData\Local\Temp\nso50FB.tmp
| MD5 | 3e7283d479780ef4cd4daf8a4468a1b4 |
| SHA1 | e82584865f7b53878f77775c9a56ad68e298e57b |
| SHA256 | 34cb6ecff29321ab45b7cf3cba2d2ba7c3e513379fcfaebdb39524aa3c8800da |
| SHA512 | 93a8fb8cfa1d9832c3d95f4b9898697d80ed43b13fe54153a7072c1a4f82bbdeb203be3727d35d12b10a131fb1fc230cbe8bebb8423e0b5c31ddbf4b27183f79 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.Admin\user.js
| MD5 | f2c31a59d9bcf1ab400ce48db1746602 |
| SHA1 | caf09f54d3a288e3c87af877b8497ef9b0bae9ae |
| SHA256 | 2e74d9ded0d4d2d81230f75a3b4a78524e8e09e0b45bd5837e8fde35ef05027f |
| SHA512 | fbcc76942b2d0e05cd0d619be96748c72dc5a5ccac4c13530326d7dfe56af59fadb5651e67bab2483aa18c41b2eac30265093c69c63a8e28694e0d12be565341 |
C:\Users\Admin\AppData\Local\Temp\nsy5226.tmp
| MD5 | d66b7c36887a3a1f869cd8b637cc43b6 |
| SHA1 | 2e7ad1e83bbe8ae41a119efcaaede2bc82e9d8db |
| SHA256 | d7516cb11c81e5ef2e0c7cffa7175c3a7f36f945e788a27024fdc79443fdda45 |
| SHA512 | 155ba55e437c52f3f53d27750fb8365f3489c08a00a8a842610d9d2687aaa067add493273caf5b49fe4bff39eca917eb3f4b4bcb58537119b3ce82e3ed40ceb8 |
C:\Users\Admin\AppData\Local\Temp\nso5237.tmp
| MD5 | d610765c0873582fc2805d5e68cba50b |
| SHA1 | b6b565b75e5c73c4acd8173b3313f2588d60bca5 |
| SHA256 | addb8748b2694cbcda63d37999ac2071e6d896145f058c47244687afe9df3dc1 |
| SHA512 | c680097c6efadc30f4ff1e77da0a35ff755be9a1e3ab9ceb985813a82caec4ae5457faf73439fb858959565dcf8f8a453feea527f7790dfd156a2c9be2318dbd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\user.js
| MD5 | ec972210f94f9b0770a2c33b02fe2629 |
| SHA1 | a317f5d3782100736fe6eee52dbbc4db94d97b35 |
| SHA256 | 41e3a5e1e3822c63b57fcace85a04c1138d11cf2aa39596631f27d4a06cb9750 |
| SHA512 | 127d9c368049551b53b78c29265d06ccd1bf60091d96c59c14fb7cd4402c2dff948c2b1b096961571d56e4f3f4afe575d4fe068a9c556ebc13d048d2a1decf39 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\user.js
| MD5 | 75682e9a6e948c7a05eb4b3bc1b0b94b |
| SHA1 | 1cc8861b0c92758abc2bd6700fbd6893bb8ab6f9 |
| SHA256 | 5dbcd5a23912d54050274a13f3c270a8281e9a2f8a1ff8a380c7da531026c30c |
| SHA512 | 10c8d56087d6ac129135520b2d290f161da7c4c375825e6eeec27186b0ce2870b605a36c6079f739f0cc7675b79d0bfd3e473961d637441e502821936fca28a0 |
C:\Users\Admin\AppData\Local\Temp\nso528B.tmp
| MD5 | eed7f7d934d401badfefbcc44589c2e5 |
| SHA1 | 6ed2c7b2fdc01c3be6c836f0fe0ee3d354f88f27 |
| SHA256 | 9fc452400bc0ffbc91cea6881e179181ad18313e4dd656c99b719b1cdafe103a |
| SHA512 | 466ec8063e2888f274b7ef94c222dfcc087dc243623a5e20588f0d8bbd258403c8d8ad87228578ae8103e2139653198db9e165ab4c4bad9679abbe3b13c9b51f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\user.js
| MD5 | 357f3331a2a2e6d23a7a6a9249dccf55 |
| SHA1 | fce1628a3e8b2c0908c8f983247d53022b7fb9a5 |
| SHA256 | a2ff08efa082eaf6b8acf9b50784bafd95827fff4001d2683f99d19545ec089b |
| SHA512 | 614ce81674ccc2caccdea8492f2c1d56fde3a22d4e354ca4860ad3e00cae8c463bc9bb87e7a0f376a7fe159f70f4e03dc0b99f89366bb4c2cfc963008264d3b8 |
C:\Users\Admin\AppData\Local\Temp\nso52DB.tmp
| MD5 | 429a6adee70dfaadeadd59197f1ad245 |
| SHA1 | b17c969aadaffaac1e7d4abac28c5d3086ad72d7 |
| SHA256 | 4644bbbafa39e3ac211076ea2ecb2e8cd0c5cfdd6aad76ec6584c5754094df1f |
| SHA512 | 4aab0583bb9f4820af3e0589fcc34aa8fbc4e089ad4ffe4a9295c129f396efa4be178e6963bd548001326bd9bbb0095a03ec20066f8f1cf00a6b050f5fa9c76c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\user.js
| MD5 | aa24eccdf2d0095409d179579a22d093 |
| SHA1 | 7c5cb69bc4f4b1aaea01bc441e6a0c3116497fdc |
| SHA256 | 670b2320a24ea792afc0e681ade52adcc2419a51d22b4a7b7e1347092e74bf9f |
| SHA512 | 96e1ac51507142f86333465ace9b9935c526f533d4be0b1efb0125e8be974d44a8043e2c8c2a72c019d0b83a9d899d9a9ddf24ebf61ff4e4d2ba02005adfec3b |
C:\Users\Admin\AppData\Local\Temp\nsi535A.tmp
| MD5 | 703195256fc5df35251cd8732df146b6 |
| SHA1 | d9ae2fa1ef1a2d3f384949d70fcbf5621a22cda3 |
| SHA256 | 0ab26b09b64e8203983f451c304066fb3ba323aa55fb77aa2d5d3bbb92c334ab |
| SHA512 | 2976764d6b66eb9c49e7ba0a13f554993aae148c97fa5e55fbd5295849f815b4abfbc550e4ca606f88261e6910f776fec05377be372d10a14dfbd8f06d236118 |
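The Files list above is where the "Reads user/profile data of web browsers" signature becomes concrete: the installer writes user.js into two Firefox profiles several times over, with a different content hash each time, which is how Firefox preferences (home page, search defaults) get overridden from outside the browser. The block below is an editor-added example, not sandbox code: it parses the five-line records as extracted here, rejects digests whose length does not match the algorithm (extraction sometimes truncates hex), groups writes per path with the location class a responder cares about, builds a SHA256 set for blocking, and can check a retrieved file against the report. The four embedded records are copied from the behavioral27 list; the helper functions and the location classes are the editor's.

```python
"""Parse a sandbox Files block: validate digests, group writes by path, build a hash set.

Editor-added example; not code from the sandbox.
"""
import hashlib
import re
from collections import defaultdict

# Four records copied verbatim from the behavioral27 Files list.
SAMPLE_FILES = r"""
\Users\Admin\AppData\Local\Temp\nsy4D85.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.Admin\user.js
| MD5 | e9068de0794af251c21cb5c4bca81583 |
| SHA1 | 0143b12da97567e55c86a1da48ddb37f07dc357c |
| SHA256 | b7f0ab58ff5e9428f085e17e86287af2f51898a811ae2e3afc97b5bd7aadf79c |
| SHA512 | b73cce2c1905bac262df2eb56dd581368149e1e42d60ce55f6914f5b497452d339b61a99e00cc09b4d1c73a875598592bfdce1fec090f4aed46493b7ba7b43aa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.Admin\user.js
| MD5 | b569c96b4c90097daa61360d2cd571a0 |
| SHA1 | f101eaf9bb2e563bed000cec0a19d1cd649b992c |
| SHA256 | 7d21802c508cd5d6bbfbc22cf276c719b6a8e06713ce0a5c8e8a8bed463344e5 |
| SHA512 | 2e9b41022b263bbb5c5537cb303dcf15f683d3403989d61dad731b8b216dd57d3c57a3c2eebb834d4cbc57ac123670fc0fe48bd1a68aa5a5e506cab5d37bd840 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\user.js
| MD5 | ec972210f94f9b0770a2c33b02fe2629 |
| SHA1 | a317f5d3782100736fe6eee52dbbc4db94d97b35 |
| SHA256 | 41e3a5e1e3822c63b57fcace85a04c1138d11cf2aa39596631f27d4a06cb9750 |
| SHA512 | 127d9c368049551b53b78c29265d06ccd1bf60091d96c59c14fb7cd4402c2dff948c2b1b096961571d56e4f3f4afe575d4fe068a9c556ebc13d048d2a1decf39 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files(text: str) -> list[dict]:
    """Each record is a path line followed by one '| ALG | hex |' row per digest."""
    records, cur = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and cur is not None:
            cur["hashes"][m[1]] = m[2].lower()
        elif not line.startswith("|"):
            cur = {"path": line, "hashes": {}}
            records.append(cur)
    return records


def check_digest_lengths(records: list[dict]) -> list[tuple[str, str]]:
    """Catch truncated or mangled hex before it ends up in a blocklist."""
    return [(r["path"], alg) for r in records
            for alg, hx in r["hashes"].items() if len(hx) != HASH_LEN[alg]]


def location_class(path: str) -> str:
    p = path.lower()
    if "\\mozilla\\firefox\\profiles\\" in p:
        return "firefox_profile"
    if "\\appdata\\local\\temp\\" in p:
        return "temp"
    if "\\program files" in p:
        return "program_files"
    return "other"


def summarize(records: list[dict]) -> dict[str, dict]:
    """Writes per path, how many distinct contents landed there, and where it sits."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r["hashes"].get("SHA256"))
    return {p: {"writes": len(h), "distinct_sha256": len(set(h)), "location": location_class(p)}
            for p, h in by_path.items()}


def blocklist(records: list[dict], alg: str = "SHA256") -> list[str]:
    return sorted({r["hashes"][alg] for r in records if alg in r["hashes"]})


def digest_record(data: bytes) -> dict[str, str]:
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(), "SHA512": hashlib.sha512(data).hexdigest()}


def matches_report(data: bytes, record: dict) -> bool:
    """True only if every digest the report lists for this record matches the bytes."""
    got = digest_record(data)
    return bool(record["hashes"]) and all(got[a] == h for a, h in record["hashes"].items())
```

The per-path summary is the useful output for response: a user.js written to a profile directory by an installer is a preference hijack regardless of what the installer calls itself, and the distinct-hash count tells you the file was rewritten rather than merely dropped once.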
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:33
Platform
win10v2004-20240412-en
Max time kernel
0s
Max time network
8s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1316 wrote to memory of 1760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1316 wrote to memory of 1760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1316 wrote to memory of 1760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1160 wrote to memory of 4060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1160 wrote to memory of 4060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1160 wrote to memory of 4060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4060 -ip 4060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20231129-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
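Two of the registry writes above are the persistence and privilege story of this installer. The Browser Helper Objects key registers CLSID {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} so Internet Explorer loads the Funmoods DLL into every browser process, with NoExplorer=1 keeping it out of Windows Explorer. The Low Rights\ElevationPolicy entry with Policy=3 tells IE Protected Mode to launch funmoodssrv.exe from the registered AppPath silently at medium integrity, which gives a component started from the low-integrity browser a prompt-free way out of the sandbox (Policy 0 blocks, 1 launches at low integrity, 2 prompts). The block below is an editor-added example, not sandbox code: it parses the indicator cells of these rows, extracts the BHO, ElevationPolicy and Toolbar registrations with their GUIDs, flags Policy=3 entries, and emits the HKLM key paths to query on other hosts. The sample rows are copied from the two tables above; the key-path and policy interpretation are the editor's.

```python
"""Extract BHO, IE ElevationPolicy and Toolbar registrations from sandbox registry rows.

Editor-added example; not code from the sandbox.
"""
import re
from collections import defaultdict

# Rows copied from the behavioral3 run (BHO and Internet Explorer settings tables).
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
POLICY_MEANING = {"0": "blocked", "1": "silent, low integrity",
                  "2": "prompt, then medium integrity", "3": "silent, medium integrity"}


def parse_indicator(ind: str):
    """'KEY\\NAME = "VALUE"' (Set value rows) -> (key, name, value); 'KEY' -> (key, None, None)."""
    if ' = "' in ind:
        left, _, right = ind.rpartition(' = "')
        value = right[:-1].replace("\\\\", "\\")  # the report escapes backslashes in values
        key, _, name = left.rpartition("\\")
        return key, name, value
    return ind, None, None


def to_hklm(key: str) -> str:
    return re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)


def extract(text: str) -> dict:
    bho, elev, toolbars = defaultdict(dict), defaultdict(dict), {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line[1:-1].split("|")]
        if len(cells) < 2:
            continue
        key, name, value = parse_indicator(cells[1])
        k = to_hklm(key)
        lk = k.lower()
        g = GUID_RE.search(k)
        if g and "\\browser helper objects\\" in lk:
            bho[g[0]]["key"] = k[:g.end()]
            if name is not None:
                bho[g[0]][name or "(default)"] = value
        elif g and "\\low rights\\elevationpolicy\\" in lk:
            elev[g[0]]["key"] = k[:g.end()]
            if name is not None:
                elev[g[0]][name] = value
        elif lk.endswith("\\internet explorer\\toolbar") and name and GUID_RE.fullmatch(name):
            toolbars[name] = {"key": k, "name": value}  # toolbar GUIDs are value names
    return {"bho": dict(bho), "elevation_policy": dict(elev), "toolbar": toolbars}


def risky_elevation(result: dict) -> list[tuple[str, str, str]]:
    """Policy 3 entries: IE Protected Mode starts AppName at medium integrity without asking."""
    return [(g, d.get("AppName"), d.get("AppPath"))
            for g, d in result["elevation_policy"].items() if d.get("Policy") == "3"]


def hunt_keys(result: dict) -> list[str]:
    """HKLM key paths to query on other hosts (reg query / Get-ItemProperty)."""
    return sorted({d["key"] for section in result.values() for d in section.values()})


if __name__ == "__main__":
    r = extract(SAMPLE_ROWS)
    for g, app, path in risky_elevation(r):
        print(f"Policy 3 ({POLICY_MEANING['3']}): {g} {app} in {path}")
    print("\n".join(hunt_keys(r)))
```

On 64-bit hosts these live under Wow6432Node because the installer is 32-bit; when sweeping a fleet, query both the Wow6432Node path printed here and its native counterpart, since a 64-bit variant of the same adware would register under the latter.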
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\TypeLib\ = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ = "escort" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CLSID\ = "{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ = "IappCore" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ = "IappCore" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\VersionIndependentProgID\ = "funmoods.dskBnd" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsApp.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsEng.dll\\2" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f\ = "escrtAx Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlRef | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsTlbr.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CLSID\ = "{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\aflt = "orgnl" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID\ = "esrv.funmoodsESrvc.1" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ = "IxpEmphszr" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.228:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nst4E2.tmp\UserInfo.dll
\Users\Admin\AppData\Local\Temp\nst4E2.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nst4E2.tmp\nsisos.dll
\Users\Admin\AppData\Local\Temp\nst4E2.tmp\mt.dll
\Users\Admin\AppData\Local\Temp\nst4E2.tmp\Time.dll
\Users\Admin\AppData\Local\Temp\nst4E2.tmp\Processes.dll
memory/2392-79-0x0000000001CA0000-0x0000000001CB2000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst4E2.tmp\InetLoad.dll
\Users\Admin\AppData\Local\Temp\nst4E2.tmp\ExtractDLLEx.dll
\Users\Admin\AppData\Local\Temp\nst4E2.tmp\chrmPref.dll
\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll
\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst756.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsi766.tmp
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nso7D9.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd7E9.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst7FA.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsi80A.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsy8B9.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nso8CC.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst8ED.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\user.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\user.js
memory/2392-1584-0x0000000003B90000-0x0000000003BA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nst4E2.tmp\NSISdl.dll
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 236
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 228
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
113s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2692 wrote to memory of 404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2692 wrote to memory of 404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2692 wrote to memory of 404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 404 -ip 404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20231129-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 224
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2612 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2612 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2612 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2812 -ip 2812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
124s
Max time network
130s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4788 wrote to memory of 2108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4788 wrote to memory of 2108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4788 wrote to memory of 2108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2108 -ip 2108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 600
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3940,i,4410927054363474912,1110143490611443301,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3140 wrote to memory of 3780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3780 -ip 3780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 600
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.16.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
125s
Max time network
130s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2436 wrote to memory of 4124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4124 -ip 4124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 576
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4280,i,8757378233529949334,7852422992079505686,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240221-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 228
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
91s
Max time network
113s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CurVer | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ProgID\ = "funmoods.funmoodsHlpr.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ = "IxpEmphszr" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer\ = "funmoods.dskBnd.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CLSID\ = "{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsEng.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\ = "esrv 1.0 Type Library" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\smplGrp = "none" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID\ = "esrv.funmoodsESrvc.1" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlDay = "19828" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ = "escorTlbr" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer\ = "funmoods.funmoodsHlpr.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ = "escortEng" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\bh\\funmoods.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\ = "escortApp 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS\ = "0" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ = "escortIEPane Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ThreadingModel = "apartment" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsEng.dll\\2" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.228:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
| US | 8.8.8.8:53 | 228.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsg48F1.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\nsg48F1.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsg48F1.tmp\nsisos.dll
C:\Users\Admin\AppData\Local\Temp\nsg48F1.tmp\mt.dll
C:\Users\Admin\AppData\Local\Temp\nsg48F1.tmp\Time.dll
memory/3184-84-0x0000000002520000-0x0000000002532000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsg48F1.tmp\Processes.dll
C:\Users\Admin\AppData\Local\Temp\nsg48F1.tmp\InetLoad.dll
C:\Users\Admin\AppData\Local\Temp\nsg48F1.tmp\ExtractDLLEx.dll
C:\Users\Admin\AppData\Local\Temp\nsg48F1.tmp\chrmPref.dll
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uph0b5yp.Admin\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nss4E14.tmp
| MD5 | 80e96af5ae4f7a4004a5fdc65c5981d5 |
| SHA1 | b57a5f8c556c030582e63f7b43afc149804f38b4 |
| SHA256 | 2bba78cb02389ace366056650a794843b63609006ba02ddb52f1667645ddd1fe |
| SHA512 | f12365391dcdc2e7a39103446bfaba0dc35bdbe1aa07bff82443b6d152259c94818aee13e92b4a1d5b01bb4ceb27ca51cd80357777cc017ac26b5e7f5bb81af2 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsi4E25.tmp
| MD5 | 2c8365191c9efe69edb6debdf5456212 |
| SHA1 | 47349abb52f1579684671c270febf8c84e1826f9 |
| SHA256 | b70be354f0530b7a06daf3844b3b3e426d74e8669439dc25f74d3ca350622b61 |
| SHA512 | 559dade987c8b58c3d90b73dab63ab75cc99100b6125bef0daffdcbd6daf45b1839723e3b09c2a5ed376c8f534e0c8bac7534fee7e7d366197e8a4427df70861 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uph0b5yp.Admin\user.js
| MD5 | 325decd149bb8d556a0d661639d4f785 |
| SHA1 | 658b10666b98d4b2f6fa901d5ef2ed8bfb0b73a1 |
| SHA256 | 5fa58f319e15438a9fc18157c5999addd1ad55c9dbcabd59b68e053628b2f30c |
| SHA512 | e9ac16b0d9e7ed29dcfee498d6432d8e09883c330063b51505e30591baec85b4d3ec535e1fe26bae129b58cde2e42f16b5456880272ae7284c98cbe00ec341d4 |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll
| MD5 | 12be59f427297e54fef41f9bb32d4233 |
| SHA1 | 0088967a4ed52f491976136c95d43e0e1b06cc31 |
| SHA256 | e4b3df5ead761fe83da367d5e2ae1d416d0f89a572480deecc20c4b4295f17eb |
| SHA512 | 0f8f3826e8a9205771863c042a8386315784927e260ca8617c44f83b5f3f3a501500d6d39ae732da11c0621dbd6c8c6d75ac7af660a46bb70acac9c12991d2db |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll
| MD5 | d5e0f923b3ee640efd6a58ec0c70cbdc |
| SHA1 | 74f62a9acdb9f9dd0580d69450c062ba8870deea |
| SHA256 | 3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281 |
| SHA512 | 471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uph0b5yp.Admin\user.js
| MD5 | 84aee25757ece8cda3dfee56baa740c5 |
| SHA1 | ee0f71a5dadbbb9df61d3488e70efe35a2411a65 |
| SHA256 | dca06bc44c4913c50f3e65b9a1dd396de35a7c82e2f4d18239ab3d3c607e988e |
| SHA512 | 448bc3c178283fac5ff174c7216b8ea2b1f4d3c154a211ffdd0ea17f38ff065eafc6fe7b2b0853bc86b13de621332e73fbaec605f5c7dccc0af379f51fecdf46 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsy4F24.tmp
| MD5 | b146ad91d730fb8a4de7be7765d1d3b2 |
| SHA1 | 852c7e399cbfda256571b2359c7522731160413a |
| SHA256 | 604bfbc23a2f489d94f8cabc0ba6ba048fdf46378684dd60c971c0af202c1609 |
| SHA512 | 3f475e06476799cb9ee88894b3b3f42a6cd85961508c4bb313a76ff70b1b15f06c37b3cc510a531ac97dfbefb8c3c485df42b7391df1cf0900fe296151e2e9dc |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst4F54.tmp
| MD5 | 763106669d5771e344830329c1e0233e |
| SHA1 | 7edbd3d73da473755c3fcabba905e7ca0e591cb9 |
| SHA256 | b0514170123e71bf8af1a6760e228c2eda2e4f86e5b60178a41d74fa66462e54 |
| SHA512 | 74978757116df635c051841016e4aa37aa83f3de2e5be6f0b9c687dd437317aa778c97fcc2685025739bcd4305a4e628576425373d1c83867bbd7501b758f4ad |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nso4F84.tmp
| MD5 | f06759fc5abe81225d8b5d1f71c74ae4 |
| SHA1 | 811e8cd943b896c626831d192573cd32c7602979 |
| SHA256 | 66c85918cc56ccb2b2985ce062f5198369ccb219ea0b8912f061ea489c5b2e10 |
| SHA512 | 2c256fc2891eebecb521eab77c27d451f27ebbb32946c51ceea726803731bc01ed310cc60d50f5c9f3c53e2c9576dd995843212454e730231d068cb1f0ec6a2d |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsi4FB3.tmp
| MD5 | b9ff2f50f3872a1c64102427cbc1c640 |
| SHA1 | d2329a640f8d3eef37cc203931b0d9100675d532 |
| SHA256 | d1181f5dff60882054c13c933e1c83826a8530ca1b1c9e62cac7b3ca24d0d674 |
| SHA512 | 8d85d06f77c10f20a0f4f76a366f66fbabe43d3dc2993c5700b28413557cc9e7d94b02a152aafaf82ef5952fb82a2c0cea95241162c95a473aea3ab145d4bbc3 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nso4FD4.tmp
| MD5 | 7900cf2c72aefa978a32e192cb8faf73 |
| SHA1 | 1d48e637845bced4929f412a41991917bf3c278f |
| SHA256 | 69d86e9df5e3983310a1ab0407a2e36f62557b293d69e2d8c9c3ec3a90204219 |
| SHA512 | da66ca4fc190f0b27a86c8c909efaa25ec2d6bb021bd42f546545634b5bb22c90fc746dae8274923e0e767e0b3acdc3127dcdbaf20c8d4bf0b86dddfd7ce03e7 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd5032.tmp
| MD5 | 56a60e9e748dd4b30559244dbaac4644 |
| SHA1 | ddc74450496d9468f599be56fbebe23211da7524 |
| SHA256 | 6c199d8ddb57d312b1994f24e1192aa6931ce366b4c0384c99584da95e7bb041 |
| SHA512 | 88f259c9c956eeb868b7e8887b415a88a81cc5964e27d494a709c24aadbbd9893bb01573afbfd42238b72b8ba577e2d4b883d5b77a21af6267fe2f673fe4fcc8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\user.js
| MD5 | 174f82ff000434073115621a32e41c81 |
| SHA1 | aacb38046a1e723251d01def7e42c52bd41c61dc |
| SHA256 | d89a2ddbd9e6b93be779c4d91d3b2cf9219ef735a4b873d3fb0cc076e4bd3719 |
| SHA512 | c52e8ef8fb6d8ebf4c953e35199144943d225f8bb2e45a0c19f11a309405eb811e5fe33d9911b018f084fe517c73b2cbd4e190da4e184c734fa2c812c076616b |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nso50C5.tmp
| MD5 | cf37171df068765397073e47e0cd53bd |
| SHA1 | c51f1cc1696b66d040b534757470ae01b0612738 |
| SHA256 | 871c1471b7378062e4f227641c5a862d5c3a1b8abe81e1780658ed07d08294b4 |
| SHA512 | 10e61f0e9eab7d4c1a638e28b7159d667252aa849f1f7532b7fb479196e25392b35f1d822d5ff6baaa158199df86869471e9bb39a35bbb5155063010a5f4207c |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst50E5.tmp
| MD5 | 98f19a8ed6dc1ddfcc9f875373321b82 |
| SHA1 | 4c2bffd9a7d4606796915ce55794fd03556a04e1 |
| SHA256 | a6281b607aec7aad794446dfbbfc7b00d0515c96e5fdec5482a5fe7fc92d6bf0 |
| SHA512 | 1875d54c6f8c8b8ac3972c13cd8d7bfee7c12dc06ca9d9c3c826873449eba574407ad5396fb5a75e37d30bccc7b1277b1f13764ce4f1a0f2441b30d2f0a942cd |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst50E6.tmp
| MD5 | 2f18e1662b4577ca5141132c8d04892f |
| SHA1 | 04899e2c9b94b6c74e318086f7f3d34d8d628bde |
| SHA256 | d6e50b28ae3a69c4573aacb23d3bb33115707c19bd0a23043544c54f9d6d9b02 |
| SHA512 | 85ef69098189d7704fa080c5b55911b90c874381504e987e82819af11e6bda122d95b537e847de99cd85233a7e37963c7e9c43877406b12ba691db45496f1ffd |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsj50F7.tmp
| MD5 | 97891bb933f2f6047518d36aa33d5995 |
| SHA1 | 06e702670c8ce2a79e0cefeacb78c3187278ecce |
| SHA256 | 43e7affe91cd3b8a593259a477317d889c90787b07b17f12a7c0180499a2cba0 |
| SHA512 | 51c88ddf40f679607dde9d6d6adb7cf81c19dfe33c832643b32df66debc8313ebd6a0fe202fc28af5d2906ee1915ea04931f4032d348c6f5e450457db5061fc7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\user.js
| MD5 | 85f4ddc7882c3b2e18e42a12fe8c418c |
| SHA1 | f8b262e3edda163416f494dd5908ec71ab6f57e1 |
| SHA256 | 6b64645bf7c8a88286465288e28478d83ad20c2912f9bf7d3d431e09899b543d |
| SHA512 | 3bdae5834fe256ae18a9615293ef084353cfd5c9b28e983e6930adda1c6e9191d51f3b741c33d55344de65b4655f8b9c1cea4ecc92ec989d892b774439ad60db |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nso5118.tmp
| MD5 | 8a5e6e026d464ea95cacf8fa77428e66 |
| SHA1 | f6bfbfad05cbd4896c1587472a85fc93466f9a58 |
| SHA256 | a417af0ebb23921c98b7926d8f73476eb41018a7589066535b1cc4a4a9b2e150 |
| SHA512 | eb50609d28d49dae6f323642902f1622f7f87e17a5fcb0197b730e4719fca24228a27ec72f241c5221e751f89ef5af31e780e7f1c8a37d68d8b4f6edf32e187d |
memory/3184-1600-0x0000000003B50000-0x0000000003B62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsg48F1.tmp\NSISdl.dll
| MD5 | a5f8399a743ab7f9c88c645c35b1ebb5 |
| SHA1 | 168f3c158913b0367bf79fa413357fbe97018191 |
| SHA256 | dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9 |
| SHA512 | 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 224
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2588 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2588 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2588 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| NL | 52.111.243.31:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn7540.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\nsn7540.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsn7540.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
C:\Users\Admin\AppData\Local\Temp\nsn7540.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\nsd763D.tmp
| MD5 | c7b2d25b6cfdbce11f67c8b76ffae088 |
| SHA1 | 6c68f4f18ed8b79c036a3bc6908bde4d9315efbd |
| SHA256 | 5da0a3e3df1cc82f30c5083281d5ba2bf7cd212a4ae4c1febdb27227a5ef9378 |
| SHA512 | 6e188580e220e162c2593d0f6cfdb284a3fd22aed9196b4997d3b2e65fee431d5647c05f2a0439cf3ad4685a193dbc0f5e5580a4d903b6103a66562eae8219f4 |
C:\Users\Admin\AppData\Local\Temp\nst769D.tmp
| MD5 | d0eb2ea70ee78d7dbc9e68dd975021f3 |
| SHA1 | 3155358705058578fc39f30a6c91419714a32d72 |
| SHA256 | b4699271a7e50d944186330ab9c0297e99968b87346830ae4ac9854f3ae7ea23 |
| SHA512 | 54f5d6a7bf865f774efa739e1cccd5d8577b1389495f35eb278a3f310e2ffd7fe373d2df579af229fa17cb5ba65254c93fa829c0eca5af78e7b3ccca1aa663c1 |
C:\Users\Admin\AppData\Local\Temp\nso767D.tmp
| MD5 | ae04b7f4272db9a690aba3987ef03bb1 |
| SHA1 | 75d9d3b4aec65560307d36ff6595fe0ceb109d45 |
| SHA256 | 41dbe028ebe8ab759528aa8af11372d8ea8b873160002195eba1499f9684c5da |
| SHA512 | aa036a0ba452cb96e892db77f2d2215c0da19a392ef2265918fc59d1976e48a87d84536e69638314cee12d7992d506f0c0470aff8f8064346f18e4b3c80bc559 |
C:\Users\Admin\AppData\Local\Temp\nse76DE.tmp
| MD5 | 7f50365dc2a873e6e9ebd2bb1ae54e23 |
| SHA1 | 65f7d76056da0fb02f245e8631342acc72a262e3 |
| SHA256 | b5e291a3c5f1d52751dac8304547314ae29255d4de56c6f8a6e58256cb4cbdd6 |
| SHA512 | 3c3a56dc799f75d0fcecda3d413efa79f882ec521e667a27c4c6f5ce4a79d5902ce7f29c844f4c0e5e8de22dd66630f598261fb5dfad62854751aa3039191aeb |
C:\Users\Admin\AppData\Local\Temp\nsy76BD.tmp
| MD5 | a02130d3863a1750022432a16c10497b |
| SHA1 | 663e97155b29313880fbbf4e6a941cb79455e856 |
| SHA256 | 11725461ed4b536ac3265151114023c784185b3b6a54b849276b21c8a75025c8 |
| SHA512 | 14f8371fdfb4e814705dc858821dd50873de437f17edd74d7b35ee9ebde03a9d5581cffb150acc3a521a4d910859643b269aa9ec8abfc44857ae56fba464b8c8 |
C:\Users\Admin\AppData\Local\Temp\nst76EE.tmp
| MD5 | b24ef6c086782454be3e1f27cd6f69b2 |
| SHA1 | 51bec35b3b62003fadf0189473d52b2a29ed58d3 |
| SHA256 | 0bfcf343c10680f10fbd9e4f5854a16edf4b11e47b26d83c3f5caa53fbe05ac2 |
| SHA512 | d67e9c0e7cf559a895d90356d5514076e5b2c369704aa89c9ea138615875074e0b296476ced58df92b49972eeb6c80419d76cb4a6c63ac0b8b48de0b0066dbdd |
C:\Users\Admin\AppData\Local\Temp\nsz770F.tmp
| MD5 | 571fa130941a4ec431c86faafb96508c |
| SHA1 | b19c410e0f39b04f2b2fca6ab826d995aa37d584 |
| SHA256 | b68312962d6a897ca19a1028a97c27b94ca86e907b072c2d0d64c4c3de5ca744 |
| SHA512 | d277dc763b7209edf23d158dd61453968b9fef30f703f3f669728331c2dac836c1bced6a08e942dc96a2c0a527f15d6e35907c92d296f2a153e165b463b99e83 |
C:\Users\Admin\AppData\Local\Temp\nse772F.tmp
| MD5 | e115be6456ff9111924e751dbffcaaa6 |
| SHA1 | 76fcdd775a44569962dadeb36466d2d844f39199 |
| SHA256 | 4f1c0abbe96c959c608566eb5ef70d0c40934c60d379e03a7e2777446f94316d |
| SHA512 | 217b48c1da060fed24d84f3f087c5133060261a4ed5e2e0a5906a0c2b30042f501a7d01a0556b2230638b111ec8e0118a215cbf96db0583ec3fd0c85c559e3bd |
C:\Users\Admin\AppData\Local\Temp\nse777E.tmp
| MD5 | 7b77b58877ddc2dfc91528f63165559a |
| SHA1 | 193d5ec8d75bfdaa10b8cfaa2ffb09557d0b67c6 |
| SHA256 | d01ad313b84404edff6d6cdb22000f242bdc6e41c95c80b50787185ad901ec71 |
| SHA512 | f606bf169f25e7466b5bd52eeb9b93f4c60ea964909c68be2e7c45f4d7c50a7536202708cca9a474fddfd8e908d3ed8beba41dd16307bd4babe16ab5439ab5f1 |
C:\Users\Admin\AppData\Local\Temp\nsb7C42.tmp
| MD5 | f8a18df0cd96863e50e253444e075bdc |
| SHA1 | cd6e4cf4d317c8f327680af5e5a5824f20ba7a4d |
| SHA256 | af54b44e41c0846a63ef5902b3d40fbf71db7918391276e37b00b9dcd72b5f50 |
| SHA512 | aba850d6b4b60e5bc169fb96d8de341efcb38768b590dfdb41a301450facbc50b694205e39b86067611592913f6e9eaf35b10285f55b310fe6f1d18af2a9fd68 |
C:\Users\Admin\AppData\Local\Temp\nsw7C72.tmp
| MD5 | d06c1544a137e6327408c6a636361d2a |
| SHA1 | a74daa1617f771e8dfd7b9d97e8bf05cf3a8f81b |
| SHA256 | 795ce39b7b6ef8a037d4beb53c0e3838a2f1de5d998788c033102e75abc1d050 |
| SHA512 | 74125eeb50810942b23a443f32642b1e03df4b5319cb69285e1c4860988bd174c0e2fd0653f98ef39f91757af94e22a49aed5eb55609d8606e211ae17af160ab |
C:\Users\Admin\AppData\Local\Temp\nsq7CA1.tmp
| MD5 | 2fc259c9cf6ae26959a48d243b607814 |
| SHA1 | a60816e6c5831e539ab4eef64d3bec60ba165628 |
| SHA256 | 882da3e68224ac62e90abd2543ca73cbe4a638a5c11fb439bcfb95340c4fe503 |
| SHA512 | a1e7671b344890221a091bef7be03643cadd792b0fcf90c17872aec34ebfd4d68372a8d28f36bafed81e8dd620d33d22c9a3060329a6ddbccee8f77648993194 |
C:\Users\Admin\AppData\Local\Temp\nsg7D4E.tmp
| MD5 | d66b7c36887a3a1f869cd8b637cc43b6 |
| SHA1 | 2e7ad1e83bbe8ae41a119efcaaede2bc82e9d8db |
| SHA256 | d7516cb11c81e5ef2e0c7cffa7175c3a7f36f945e788a27024fdc79443fdda45 |
| SHA512 | 155ba55e437c52f3f53d27750fb8365f3489c08a00a8a842610d9d2687aaa067add493273caf5b49fe4bff39eca917eb3f4b4bcb58537119b3ce82e3ed40ceb8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kcywf6ly.default-release\user.js
| MD5 | 132a5dd4e1cd293d7d46ff073a01ede5 |
| SHA1 | b2cfd2b91c112549931b200072dfc2e20980f661 |
| SHA256 | 1167f4ba6a0879f1103c98d7221fe36c9bf3c7ec7f21263c964990aa402b8065 |
| SHA512 | 68715d564c040f64b2d4e2c1c9ebd7228a9695e56e2b7602963c307d7cd11253b3c52042dad4de6c2a7ca43ad13bd8204b3822a0f59fc3f137bb2ba34c9abcf6 |
C:\Users\Admin\AppData\Local\Temp\nsw7D60.tmp
| MD5 | f4003ecf4a6a64f26a38404355cb1fe0 |
| SHA1 | f3641a25cc6897c8a2205c25c60da69a8db6cf07 |
| SHA256 | f8011e54e9eb816fae9f268dc00fd132ed07e12c936bb256404d8a603a791021 |
| SHA512 | 7427e5106c29e7e871dca43ddc3a13673c33be255f5522c3f5c5133ac62e76e0ccf5927da757fbcab41d5d32f4ac726a4209c2f7956e6ac1b9d996e29ffc747d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kcywf6ly.default-release\user.js
| MD5 | ec6778194fe6a88b50929a29d68a37d5 |
| SHA1 | ec021a6937a07f47e246c0fcac375fbe76f58717 |
| SHA256 | 04c6b66a2345c510dcce097d8f0260a3613a6a8d6da0395843cab953bd0ee5f2 |
| SHA512 | acf1b61669ccd63de2d197f87490c844fa59a4639f991fd32d89ceccad66f023ff744db4003f159276a140b6c5433d828bb569967daff1990b6e30987962658e |
C:\Users\Admin\AppData\Local\Temp\nsb7D83.tmp
| MD5 | e3810bd9e7e688676efd138579775933 |
| SHA1 | 0636397e6c1e54ce0dcd0781467891a738b7e688 |
| SHA256 | a0f3104afb2fa47112009e31ca70efc682a45d8b6f4bd55e42412d94f5e542c0 |
| SHA512 | 911c4dbe4efb8d57a87a4da967e8a7978db7bd290b6fc2f6add0fe5d296a6d9a24bee287c33c89cafde64f624d274d1d64a1beb31d5b007388da107628254e47 |
C:\Users\Admin\AppData\Local\Temp\nsm7DC6.tmp
| MD5 | 98c9b6414f637aeec774933510367288 |
| SHA1 | a86fcea4a5ccc6e569676ee6b207d444a942ca30 |
| SHA256 | 5f29033ff0447f2644f66bac51d56e4a45ec5550a467dcfa7bea5652b51d27cd |
| SHA512 | 4381896d64f8b5d6007069044b8f307a9d678a566a813ce4ddeaed408b9976000223d13cde61c6edb840b8e8b4dcc5705c01bfb05ff12ceb4afdfaa6b2378c38 |
C:\Users\Admin\AppData\Local\Temp\nsm7E16.tmp
| MD5 | e95af528bb0231d6b67151966365a70e |
| SHA1 | 5e83c1c4e9a4e6a045dc99dc39f2419bc8509f91 |
| SHA256 | dda3a0db7bb8a13d47932d6f6d65c04ec963a8cd5a5e92f947e1e657d2a92705 |
| SHA512 | b471cfe4c1545f55f4dfa064dd8ab91ba2ad71c534232f0aa7d1acd32692cd25e65a52a83cf363c01dd1bab2fb614bb24df22e3f82e5b08de4ccba36ab119826 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240319-en
Max time kernel
120s
Max time network
131s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0353cd200892eaa0f4d0399070a8cf7_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f0353cd200892eaa0f4d0399070a8cf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0353cd200892eaa0f4d0399070a8cf7_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.uptodown.net | udp |
| US | 151.101.3.52:80 | gstatic.uptodown.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsd362E.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
\Users\Admin\AppData\Local\Temp\nsd362E.tmp\nsRandom.dll
| MD5 | ab467b8dfaa660a0f0e5b26e28af5735 |
| SHA1 | 596abd2c31eaff3479edf2069db1c155b59ce74d |
| SHA256 | db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73 |
| SHA512 | 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301 |
memory/2056-17-0x00000000006E0000-0x00000000006F2000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd362E.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsd362E.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
memory/2056-35-0x00000000006E0000-0x00000000006F2000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20231129-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 224
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5052 wrote to memory of 4296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5052 wrote to memory of 4296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5052 wrote to memory of 4296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4296 -ip 4296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1460 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1460 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1460 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1460 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1460 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1460 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1460 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-15 03:32
Reported
2024-04-15 03:35
Platform
win7-20240319-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 228