Malware Analysis Report

2024-10-19 10:47

Sample ID 240620-h4hshswajd
Target 03f518342b62cc476b693d6b5b436ae4_JaffaCakes118
SHA256 ec2462bf546bd65fdc086f4722afd3f45f4659a9ac0c56fa707d5ea687730e68
Tags
spyware stealer upx adware discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ec2462bf546bd65fdc086f4722afd3f45f4659a9ac0c56fa707d5ea687730e68

Threat Level: Shows suspicious behavior

The file 03f518342b62cc476b693d6b5b436ae4_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer upx adware discovery

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 07:17

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 236

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 2648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4708 wrote to memory of 2648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4708 wrote to memory of 2648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2648 -ip 2648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 600

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 224

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsnF2FC.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nsnF2FC.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsnF2FC.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

C:\Users\Admin\AppData\Local\Temp\nsnF2FC.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nssF36C.tmp

MD5 84c6a105b21c548e24b6451723672211
SHA1 45b4472c6f02238bdf3e569195f468134267f60d
SHA256 e6dd101bc0c0110cd5cfeed06e6c8ab0953d263a6c4051ea43688b55f11421e8
SHA512 2b5e4c50ae738eb5068bc267f901a38c5fe16b608b3d61f1ac26d70cabf80a9b73c955d6fbb7cf45ca7d0b154aac7748904ed96b7313f26dd86505d76bdf00b9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\user.js

MD5 a0bdd513b48c9cf0902cdfd002196f36
SHA1 c285aa75b1d878b3e89bd158fe361c2474a4985b
SHA256 ab08125d40fc5002a34b86bb17167a25e3d582649504a5a3495a751f2b059ce8
SHA512 9a9e3429d2871e9670d78db0d2bbbfabb2718e8ab0ed945aa659d498c82362400994214e2701dca6b922515968ee808d00cc4aa44feb87326a9f0b9231921442

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\user.js

MD5 3ac1c8221139cdd9230f8667b73eb6d4
SHA1 47c833e140dbb1219a851f3f9ed888d28dff4b33
SHA256 f29db17fd2237ddbc465f7821cf400cc7de667cd4c416bd8601cbd4f331bf272
SHA512 328379c487eda9c908cf1e3e139d3e9b40590810133f1bb24e17918bb94b3c24e9062a7778180838bed237cd2835c5c0a4cfa4044146387e738bd8f6f5310568

C:\Users\Admin\AppData\Local\Temp\nsiF3CE.tmp

MD5 beb03959a34a1f7dfaadd0f2ebd687ce
SHA1 3a3172acd409c6dd8f68b8b4351dabe5936edf57
SHA256 27d2bb5645e69fc7690ced7a2d4c722cf9d8ec995fe7bd07d8141897899247fc
SHA512 6516ff7083ebdfb420941830728a68bfcfac7303aa17925620ae1449950b1d69c3de6b53230b0363ef96b758d5ce596529eee892d9678953cb6c9f9773b07067

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\user.js

MD5 ab98dcbc05863e27597c535e58a69aa7
SHA1 5844a26c005468c7ad4715d12f5eaa7c7997e4bd
SHA256 ad4290ccd1bd885d7d51bf1b8faf13797f4dc31ef0e45e13698e63ce0e0a2dab
SHA512 c5667200bc2f29e7a6dc5ccc0a2caecb44f8299f3ef56e54d6dc2edb6b4dc86731cf38db295bca3b6cc6b9ef837a8491dc04219be39366b3b3ec488c5a7b7439

C:\Users\Admin\AppData\Local\Temp\nsiF420.tmp

MD5 daef14909c4b9abd8243e41fcead6ff8
SHA1 dbfd7b5f16909e408897c50bb47e704a65ab1e9d
SHA256 f2f09bcde383eb99127e964fe63cea6caca0540b7ec20587aea69087be58e7a0
SHA512 58807d5fd99710604a0935e939fe2143478903cd0b2d6b845f85696bd7043dd3f548fb12013fa54a304a7e5de587eada2feafbf906de5ff45a6757208b09e4d1

C:\Users\Admin\AppData\Local\Temp\nsnF440.tmp

MD5 ba0edf378719986165661a535665374f
SHA1 19760e361e55da6c81f162eb7b892cb608d988aa
SHA256 c2af3ef194ee56bfe1b3f6ee85538d38dee6207f9e4c25dfd6e0ed58f0c6f4b0
SHA512 7d996c1315a841e927cc014b23b7552b209e9ed91ef52a3ddee4801a2217fbc2fbca9cc8cce9de9ea29ca9bd072d6d8352a5e12e8d6d3957219ae817f383ec0d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\user.js

MD5 3a48e9c0746eebecb1fd6b78339b2b6a
SHA1 1ca2295078f7e21c66a27deba5fa3a87580907c9
SHA256 e2489d00487d56f660b5d38571f692f20f728cc48cb2a422a2b94863d3b19d14
SHA512 cc17bd5219b2c4157a704ae19027264eff4159a2e50a3d2470021554dbf045d12a3fb53a68d78587f1429850b784ebaf72beaf1af31975ef03f69e2280505011

C:\Users\Admin\AppData\Local\Temp\nsiF4C0.tmp

MD5 d66b7c36887a3a1f869cd8b637cc43b6
SHA1 2e7ad1e83bbe8ae41a119efcaaede2bc82e9d8db
SHA256 d7516cb11c81e5ef2e0c7cffa7175c3a7f36f945e788a27024fdc79443fdda45
SHA512 155ba55e437c52f3f53d27750fb8365f3489c08a00a8a842610d9d2687aaa067add493273caf5b49fe4bff39eca917eb3f4b4bcb58537119b3ce82e3ed40ceb8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\user.js

MD5 19973f6dde6e6ed10dff32e566cd40a5
SHA1 e070abab89fc535a8073c76f7fe3e7863385b134
SHA256 88a875e2352f2f03061e306ee1ea9a076a411c0998f66cb6110c2ba4e9bcb12e
SHA512 e6f42f8b0d5e313cf340b3aff2fbd83b3fe671191b650a0664bb311a7159967b07572710405f61837ece8049735adef6dd2f8daf2354c394ec1ac238954dd4bf

C:\Users\Admin\AppData\Local\Temp\nsyF4D3.tmp

MD5 9977d3425a4556c677885d392f451d3a
SHA1 a90f8930f8b0f2c8e5541be0dcc21b2b14f1a516
SHA256 3661fbc00b62c038c5c25d2471e719ee6322bc243503082be36841fbdb2f669f
SHA512 0f450b2aeca4ebc7be7866573b9e69f0456ee3c3bc709727685b02a45844b1629bca0ff51a5fbced6dd04c5e27ea143399f8ef9a8aec627adf0565d2861a1cb6

C:\Users\Admin\AppData\Local\Temp\nsyF4D4.tmp

MD5 47cbd47c60e8af1b4374c6a352f0f91a
SHA1 b629ccfcfe420a19cdf04caf1655cad0f1668803
SHA256 738e0f7d518eab9042f5296f544ae731a6963ba1dc8796be554279e1c15a44b1
SHA512 99953dbb8d7146016796e0ea65c7f6f306e1d8d2ffbbf1c69e59dc7df7525e8afc78c6b40298747e38682f62518f687c50d7d3ebbe69fe9bde8ad130a97d0229

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\user.js

MD5 ad5e41c9b83c443379bae29df86df772
SHA1 ad4187ffdb50ccfef0d2c97131060650fefb670a
SHA256 e11adba324d2a56c44a54c6814af8077dfe35078d0387b7db5ea0fac1ebc05e9
SHA512 c5599b59bdc3d0f6a3c8ee9b47a0d5d538cbbc154be25255d7d3ed2f876a382c860e8b88bfdc311f69b78e8f555917226fe9edc91b9ffb348c9e9d5999fb9171

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\user.js

MD5 836744fceccf4ba6438b53572ebce43f
SHA1 325366ea6fcf3b3c9b77e312bbf8713df6c7386a
SHA256 fa9b47a79e78e6ced3a9d0d7937c83d1aa668dcb17380d3e2323c57a74d386c9
SHA512 ee5caaf3670fabe00301ef0d993d9dddaca6aceea365daccc753a722a6e3f5fe42afe8de68d3f857d08e290aea11f591b1cbd8c37b889ea8fdfdd3738083c1c4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\user.js

MD5 1cf4841d076be3ad6592a867dadf29c9
SHA1 05076b1693312e6813326e29695e05e8b1028994
SHA256 34e3ca1218ab24caabce6c73bbac56266b52803ad4e190b76785cf3ec5b00886
SHA512 c1cc8f1718391a42669db6b266b7f40bdff3329e3191b300f868f8e4bced29cff5b93b7a669531a561211143728f614f23da9a91dc5391f8008d42699a8bee2e

C:\Users\Admin\AppData\Local\Temp\nsoF53A.tmp

MD5 756a2199461f233e44e2ff84eb3f8449
SHA1 b40a3f926b06c175c8a667d9913e79363330b30e
SHA256 143ef62184392cdd8bf4a7fd2a1a7ca62f2600a94cc7768562e3abd70a5cdd6e
SHA512 35ebe260194078c4068db9a142bdddda97c17395475a2397569e44315f7820eb5a803bcb18d91c6ecb901749cbc388f4e59c428d890c0d26702d290e660dc864

C:\Users\Admin\AppData\Local\Temp\nsoF539.tmp

MD5 ce5e7ee7e40357da1d0a814e552953c3
SHA1 1e9362ba3704ea8fd2a32a19d8fed449b2e520bd
SHA256 b24632839646475bbe84fbfe2f8b0ba036bb9e8d7f9eb556ebbd75d63909d5d7
SHA512 6efed953a70a09bf9980332a0b7c9dba48589acb0dd81a67a993f4e99197521a325d5ab687cafbee2ff7ece9c5e77f4dde52b65ea7f84ce6fdf86894bcdd361e

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

56s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4564 wrote to memory of 4416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4564 wrote to memory of 4416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4564 wrote to memory of 4416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4416 -ip 4416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1208 wrote to memory of 2340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1208 wrote to memory of 2340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 104.246.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3756 wrote to memory of 4160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3756 wrote to memory of 4160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3756 wrote to memory of 4160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 600

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 3320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 3320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 3320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3320 -ip 3320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240611-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ = "appCore Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrId = "base" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ = "IXmlCnfg" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer\ = "funmoods.dskBnd.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\hrdId = "7da82f55000000000000fad28091dcf5" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\dfltLng\dfltLng C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\dfltLng C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\TypeLib\ = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CurVer\ = "esrv.funmoodsESrvc.1" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\ = "appCore Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1\CLSID\ = "{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID\ = "esrv.funmoodsESrvc.1" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CurVer C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrSrchUrl = "http://start.funmoods.com/results.php?f=3&a=orgnl&q=" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ = "IappCore" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ = "IIEWndFct" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\ = "CDskBnd Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2424 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2424 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2424 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2424 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2424 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2424 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2424 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2260 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 2260 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 2260 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 2260 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.228:80 reports.montiera.com tcp
US 8.8.8.8:53 r.funmoods.com udp

Files

\Users\Admin\AppData\Local\Temp\nsd1102.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nsd1102.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsd1102.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

\Users\Admin\AppData\Local\Temp\nsd1102.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

\Users\Admin\AppData\Local\Temp\nsd1102.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

\Users\Admin\AppData\Local\Temp\nsd1102.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/2424-79-0x0000000001F80000-0x0000000001F92000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd1102.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

\Users\Admin\AppData\Local\Temp\nsd1102.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

\Users\Admin\AppData\Local\Temp\nsd1102.tmp\chrmPref.dll

MD5 6845d147b88de1f005d9c6ebb6596574
SHA1 64523302e2b1e2ee7a31580d2acac852db3c7e45
SHA256 c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e
SHA512 cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606

\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

MD5 ddcada8c66d56df6e4ef2bbedf2bb865
SHA1 059a7f8bb8ed2e99d5153d26ecf986e91c24df19
SHA256 abcde03656f4c6f51d4d4c788ece555581b8c7b52bfe1c18ef70678cb3a2e872
SHA512 63a3ca5d733cef71cc4ff61d6b5b3dd74613d57bac2b5d41efffbbf64ab6031bde66c0cd7058bf50c047e64e4ee0ef87dff3c7864a18c118521f5711ab69cc91

\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

MD5 fe768a6b82ed2a59c58254eae67b8cf9
SHA1 3dad9bf5011fb73b9be2fe6c601bb6281a3ceaf6
SHA256 3ac3c700060a0487060724f3fd22faf70d5f633e69401641964d7ba4d6e6e570
SHA512 3d8caadc61ea127bd0e3d01f35274a2ebfa34a0ac12b0932988300d011347f74a09c2bf3c85e58bfbe5200288c6e6f100b4f08916d23e56d7b52a70130aad14b

\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll

MD5 7f8be790b6614f46adeafd59761abbeb
SHA1 a1be7d513d40b1a0af1aa1fd73c2c2b6173ac700
SHA256 b1fa4dacf9656e31588eebeca1f831c72a33d9affca07ede0d5f5d113ec14aaf
SHA512 4d17c74368543092a8e7604208689bc6a5fc5bcc46c60cfb9255622d031a4265adaa13d7c0b5f410ababed802f29cb89c2dd7d7b1adc1af33fbb5f55e4a8a5ca

\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

MD5 ffba0384096f7a6c2189009b3c54c8db
SHA1 e1e883b9345bd74b0c7e158751c60b0ee2139677
SHA256 93587b81f4e717b25a6e5fd2fb7158d7fb825f79af1c02ed0a61d5de15b6327b
SHA512 7ea59cd57a0b6ecb1258af1d271dcb68236d0b95fca0d5905d177dd8df980771b0a182a459a6a6f01cb4789433d193306324fa178b88b6ec3677aa5c589571dc

\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll

MD5 d5a9ec59fbf50e576b1d3b60ccfb7117
SHA1 cc22b0aa6f4b5367865b75f3c0afa788c7f97d8e
SHA256 ba6870cd06e5700f918c30ee92391d8a77c99b3fda06372c42b35983ee88253c
SHA512 60b4965d7f4ff6df4aedda7ec87a074e1d2c13860a3dea325eb551191e643ea9cbed4efe13c3ea2358a3b896c010b773c1c76ac52be81c0a171796fe988be086

\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll

MD5 12be59f427297e54fef41f9bb32d4233
SHA1 0088967a4ed52f491976136c95d43e0e1b06cc31
SHA256 e4b3df5ead761fe83da367d5e2ae1d416d0f89a572480deecc20c4b4295f17eb
SHA512 0f8f3826e8a9205771863c042a8386315784927e260ca8617c44f83b5f3f3a501500d6d39ae732da11c0621dbd6c8c6d75ac7af660a46bb70acac9c12991d2db

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.Admin\user.js

MD5 2bbed7c9521174d68eb82751901184d3
SHA1 5adc5a58175f2cf899695e3c162b31f1dfa04524
SHA256 0eebe6ecb1c7f74a5175dd6aef7ea4a605741a54104f26b08f29ed0b763ae7db
SHA512 0feec3cc87c72b66b5dd53ee42e812b4a392ce7a26c47d31a06554e777271c7075bb4870a1435fde647a4fa7c1418d1eef8f7bbaf2d133fb43a2b7a7631bf471

\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll

MD5 d5e0f923b3ee640efd6a58ec0c70cbdc
SHA1 74f62a9acdb9f9dd0580d69450c062ba8870deea
SHA256 3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281
SHA512 471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe

MD5 673e6109fbc2405238429562ae058f37
SHA1 293a96724fc0e772706f108895db321b58051524
SHA256 4dae85611b9fd18f44c36f330762ca7dae3842604999d6a5edd3d416b4ab0841
SHA512 0d1db02c84d2a7502af966886889a63467fdc310c25076cd1629064f9dc5bda63248ea2cb34757f9e93e341cd89833979c8bdfffab2d09c722c3a20cd244f4c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.Admin\user.js

MD5 157f832cbfe7e8cef946ead2c280c131
SHA1 ab58acd7518668fbc28023cf2d679661a9bed967
SHA256 641d5016c2764d298fcdf0fd6294859d477ecd7061493601e1454efd6197b2a8
SHA512 72e5b3002f3d59414709cf229c20c6bc43a77c4e3767c9e0faee338ec71b72717352151be6e6b7fb0c31bbe5b0e379360443dd5d41895e1820a897afe3855db5

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nso1406.tmp

MD5 25fd931584a2170912bc15591b3536bf
SHA1 013732ae9a49c11b9e3825ce813e279bf33a0617
SHA256 ddfd5f83c4ebcc27e8d76e0cb5de356466af0d1bb77cc6752cd1b1fa445b6821
SHA512 b835e9b3c1077f6210fd8888e408d81a35db2ba19b18fd908154ae0848ea17bbb79185e1952a828a379eca8d72c5b7ce46b79d0d7fcc4cc2f5ee9412d4175c0a

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst1426.tmp

MD5 0a59f2428253ce9998a2367ddb4de95e
SHA1 3d087119bbb61965a0b5e52bbd52f8621ba75f40
SHA256 dfdaecea05e20a65a8433740020ee97dba0f9a3819bf72167a7bbbff8315aed2
SHA512 d492cda3a25f2919ebed660bab7be574a6779a89eb0556229d05f7d5e15cbd64996c199e180f486c5d71240560fdaba3fc50cab15ecef68a67fd09a07c273dd9

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsi1436.tmp

MD5 a3fbfe5e7ccc31803fd4594662ab9df8
SHA1 1e44b5241364ab7c7c5d70a05cde6601e27ad8de
SHA256 6ae76255ddcae73a0813628dbedad83ec7f3584356d6df52558c713a8fdbf03c
SHA512 e4bd2fd48b86445ca09deaad79c03e54fb40e2fd190811c0f379d2c581596f65cae3ccfaa77a096c92fdf4e5a0ff9689ddea5b58cee8e2f4af7670cca698bddf

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsy1447.tmp

MD5 d55d228e7450415a15ea49ad751e5edd
SHA1 228f4fac1f4fa54fa1fd05f6ec4f0b57096eed74
SHA256 d5d204522339e1c046ea17ceb459fd825e5bfd7f7d4f86f83f08b26d3d9f5a42
SHA512 d783b49f86b94b5c8192e1e35851db1a582c081246787c7cfd9fe09345f99a27384b25463afbe89dc3c9927c3f819348d02eadcbb3354ffffb1882ebd30e76c4

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd1467.tmp

MD5 cc6a3a349ccc58e63a64a1cdd66e6529
SHA1 6f43712b394cc31acc1e1b76d5dd383f33b8ff67
SHA256 650085a4ba8ffc5b1a218ee0918132b6c099512bea076c5f1e1a4618379ced3b
SHA512 b297a63347a35c8a32932648dc880636cf3b0a17f83bde6a75735e5e12b1b0d6f96b6055162947847693044370c3396b27d23537b32ccb02c528ad5334c768fd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.Admin\user.js

MD5 195866c8c7be808cd4479f79b2a1ec43
SHA1 520081de12f48e79b159630c3fadede57d6648a5
SHA256 bf24dfa79af726b50f5e04792a30f345a5d96a637b9f4038995a86cd4634cba2
SHA512 46259768eeb1d8884684949c3b9bd455269e4651415660c631c645ee73d87c84270ecb7b574d7355c9a67aa41a710c511e0459495c0081abce3711cfa82f2957

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsi14D7.tmp

MD5 b0b184d3533dfb71dad5d119c89bafe9
SHA1 b8185d2f3b2db6e51cab6400464f4eefa94448c4
SHA256 6b73302f4fe9f72dfb8f8e4d66e43ed0abd3e117562ca9f01400d3c484cb4c94
SHA512 6cf0ad59fd2d13d527cba6e44e7f345d31f60eadb3c3ed07e6347a9f9f2a875b0ef541466a5d216fcd1daff6192808b72e194358c7d4ac8baa2e49891e2b259d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\user.js

MD5 084dab28532c3b94c4bc63ca6a849e8b
SHA1 1ac7d6fa7d683b715cb4e6385c18f5d0cf6ce488
SHA256 1cc310f9692e80da2b4be52bc30010e3abb837c4e413e7707ef80a3d1fe40d73
SHA512 9dd626c6f809a71c06f86afdbd848cd47d15b8263335055a169485ea2b3dcfa96d4c0c757e2e969045684ee29e1c7c2215a630b1390481728990ef2997800ba9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\user.js

MD5 21d75937e56deae9c0a5bc7fea54cdcf
SHA1 ea07a56039a4eced6b4236bb88d78b6af63feec8
SHA256 fd93e9cbf16e6f782a8919ca859af41e21b90b58a2dcad4b585634796b8121f2
SHA512 9cd8605d5a43a58166f902a2dc9d95d21e445b98691f38513377f77251ade3ca4bf614f43cd9bfdb1c9319378986570802ed4d36e4e01c16e0d168bba3d2f1f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\user.js

MD5 f7f8f4406260e114815914a509304030
SHA1 f92eb8d80b078f8c39e4250eb33fe3378a461dc3
SHA256 e435664659202a515bc1c2caa67ef2e3e409b50414014aceef9d43f181036be8
SHA512 9fedc5c77ab40308e1806f859b2a412c1e63c7492dd1c61e1f15b900f3c0e2c37a64e08c9ad183fb6b023f693c8e9675bb1c20fc46e558025fecb6414ca45b53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\user.js

MD5 1c7e22b1c2e165d0a7fed0e8ee8b43ca
SHA1 f98c157764f1eca73a96ed7a5b776bb1bf1bea33
SHA256 437faa82fa02f852976fade0b55684d19f2dfee0aa98267c70ccfac6fa5a7642
SHA512 a11593414e7b767cedd4299724f40c1e1ba7b6eafd7a0fcd439a237d19422122213c0ec32f966cd268f29f23e7f044bfa8e26111e77a994c8511096f0f349eb2

memory/2424-1584-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsd1102.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4828 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4828 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 224

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 224

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 img.uptodown.net udp
US 151.101.3.52:80 img.uptodown.net tcp

Files

\Users\Admin\AppData\Local\Temp\nsoED1.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

\Users\Admin\AppData\Local\Temp\nsoED1.tmp\nsRandom.dll

MD5 ab467b8dfaa660a0f0e5b26e28af5735
SHA1 596abd2c31eaff3479edf2069db1c155b59ce74d
SHA256 db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73
SHA512 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

memory/2368-20-0x00000000027B0000-0x00000000027C2000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsoED1.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsoED1.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

memory/2368-35-0x00000000027B0000-0x00000000027C2000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:20

Platform

win7-20240611-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240611-en

Max time kernel

135s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3364 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3364 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3364 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 3820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 3820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 3820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 89.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 224

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:20

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 656 wrote to memory of 1620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 656 wrote to memory of 1620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 656 wrote to memory of 1620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1620 -ip 1620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\bh\\funmoods.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\ = "appCore Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\ = "escrtSrvc Object" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ = "IIEWndFct" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\afltId = "orgnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CLSID\ = "{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\hrdId = "3d018f94000000000000d64620966489" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer\ = "f" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CurVer\ = "funmoodsApp.appCore.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\aflt = "orgnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrSrchUrl = "http://start.funmoods.com/results.php?f=3&a=orgnl&q=" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\smplGrp = "none" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\VersionIndependentProgID\ = "escort.escortIEPane" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\data C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f\CLSID\ = "{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 3032 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 3032 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 3032 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 3032 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 3032 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 3440 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 3440 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 3440 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.228:80 reports.montiera.com tcp
US 8.8.8.8:53 r.funmoods.com udp
US 8.8.8.8:53 228.230.16.69.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/3032-84-0x00000000023E0000-0x00000000023F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\chrmPref.dll

MD5 6845d147b88de1f005d9c6ebb6596574
SHA1 64523302e2b1e2ee7a31580d2acac852db3c7e45
SHA256 c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e
SHA512 cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

MD5 ddcada8c66d56df6e4ef2bbedf2bb865
SHA1 059a7f8bb8ed2e99d5153d26ecf986e91c24df19
SHA256 abcde03656f4c6f51d4d4c788ece555581b8c7b52bfe1c18ef70678cb3a2e872
SHA512 63a3ca5d733cef71cc4ff61d6b5b3dd74613d57bac2b5d41efffbbf64ab6031bde66c0cd7058bf50c047e64e4ee0ef87dff3c7864a18c118521f5711ab69cc91

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

MD5 fe768a6b82ed2a59c58254eae67b8cf9
SHA1 3dad9bf5011fb73b9be2fe6c601bb6281a3ceaf6
SHA256 3ac3c700060a0487060724f3fd22faf70d5f633e69401641964d7ba4d6e6e570
SHA512 3d8caadc61ea127bd0e3d01f35274a2ebfa34a0ac12b0932988300d011347f74a09c2bf3c85e58bfbe5200288c6e6f100b4f08916d23e56d7b52a70130aad14b

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll

MD5 7f8be790b6614f46adeafd59761abbeb
SHA1 a1be7d513d40b1a0af1aa1fd73c2c2b6173ac700
SHA256 b1fa4dacf9656e31588eebeca1f831c72a33d9affca07ede0d5f5d113ec14aaf
SHA512 4d17c74368543092a8e7604208689bc6a5fc5bcc46c60cfb9255622d031a4265adaa13d7c0b5f410ababed802f29cb89c2dd7d7b1adc1af33fbb5f55e4a8a5ca

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

MD5 ffba0384096f7a6c2189009b3c54c8db
SHA1 e1e883b9345bd74b0c7e158751c60b0ee2139677
SHA256 93587b81f4e717b25a6e5fd2fb7158d7fb825f79af1c02ed0a61d5de15b6327b
SHA512 7ea59cd57a0b6ecb1258af1d271dcb68236d0b95fca0d5905d177dd8df980771b0a182a459a6a6f01cb4789433d193306324fa178b88b6ec3677aa5c589571dc

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn4059.tmp

MD5 0758d4d4886797289205fc26551d23d4
SHA1 8214b9b3de2efb450559993ddec96a82c0595464
SHA256 164c1dc9317fefa574fff1103af6b1712c26e8858e963238cf5dd633469a39ee
SHA512 fe78c9c1262b8d58b3c529caf593b1a2135ac6cf4365e78b7bdbc7abc23613c4df1cdf9a40ff2924f9d7aeeda04c1de9e9105003b4b1757ce1092791c8364934

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn405A.tmp

MD5 09dbdef4d0f1e4ef4f7b237040da8a66
SHA1 9586e65c2675d213b64ff8f0b5d70041ff91c8be
SHA256 1842c27e1a7fc4f9ace4f9961912c67df991a6e774dc899623935dacf2dc2fd7
SHA512 d4f4094ce6aac6ce7f2c332df952108c2b7035b1015496093d6800cd5e703c51cee198f25f9d58efeff8ad12f94978ad47206bc67807f26ff45074a86f2a5cc0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4yypthkk.Admin\user.js

MD5 dc7c27f75dc75eea90525b8ef0de11da
SHA1 558b98b4cf08177b652dc6278c2c7274c92c8712
SHA256 b4cd4e32a5a359eee1e294db77e108200749bc44c4e559133c72ec76514e9d1f
SHA512 2c405cebc076318301ba793bbf28021c6bf79213f579ff838a2ce90f04bf81e8742c46589c6f3ce6cf556b2935e740e484032ef49f5c3c254ef2caf2549b11f6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4yypthkk.Admin\user.js

MD5 531378636bbdba470aca5deeaa9d5ae0
SHA1 aa6473111b72e2d623120297d3fc4acfe443b6bc
SHA256 229e9734e6b4113c2e85715ec25886debccb1b8f5e66319aebf2a309e20e1032
SHA512 848911934a14db29404305e35c2d9042546fedb23733d27d4e65b7934dda4e63ac464607995a9729052de588c40aee5e58131d026cca40e2b07f3c49386fbbb2

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn40AD.tmp

MD5 a3067dff99b6d62d3f5bd74da93d5d9a
SHA1 d88b9c515e26d4353f89abcdef64a9bf445f1a2a
SHA256 c9607e9b8c0d9cde473e7355a93a13b938f3fdd1e45c38be14c9f96adf63cdc7
SHA512 02b04e96d426f2be9d095389fdc678bb344da0d07d367cb23d7069a1df9b77da568609104c6d4ef9703361d782c280f7ba5086fc44f65a5566bb53c4cd1dbdd8

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn40FF.tmp

MD5 075451b44d437388c363300c7c5066b5
SHA1 6a595d6af758d342acaad030500f43cc46ffe2d6
SHA256 70a32d129304b909a84d41d9f974ab698681aa70a7ebf2dba2e54c258fa9428d
SHA512 f2a0db3c3f27be1252cfb8e71886f4c6d1a2cdbe66a79cdb426cb8db99b9c336fa00deca63f8bb1909e233509ba967e9493d7fdce5860a2d0442147330855c46

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\user.js

MD5 523bede1592acd8bd1c5e94673012f91
SHA1 e3e33e0cacaa2b8e55fe697a17fc428bd241ee93
SHA256 855d9a87bb9870f9fa9b1c14f748100fbcfca86cfb89119cf750f899f0277074
SHA512 229b90b35fb1c5ab02953222683fc9af901405e5f9d78f5e31c514b0588cdd264233dee8143f021e515301418d195f37496f82b68dd1f604ea011df7c9561c75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4yypthkk.Admin\user.js

MD5 2bbed7c9521174d68eb82751901184d3
SHA1 5adc5a58175f2cf899695e3c162b31f1dfa04524
SHA256 0eebe6ecb1c7f74a5175dd6aef7ea4a605741a54104f26b08f29ed0b763ae7db
SHA512 0feec3cc87c72b66b5dd53ee42e812b4a392ce7a26c47d31a06554e777271c7075bb4870a1435fde647a4fa7c1418d1eef8f7bbaf2d133fb43a2b7a7631bf471

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\user.js

MD5 36d71d4d6f1d5e92adf1db7e77936110
SHA1 d3c82e7f0d865a6396a5e6c213a987f392a1446b
SHA256 f04dcb49bac55f02e733ca13179d30e9d7e3e881a35256497690e19b25e02f38
SHA512 0e6a842260cf45b676c9e31950095bb8609a98032bb5b62b4cfd9f525f9d00bb9874fc81bc95c7f4a096f4c87452056761d84834838874bc788672659ac608aa

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll

MD5 12be59f427297e54fef41f9bb32d4233
SHA1 0088967a4ed52f491976136c95d43e0e1b06cc31
SHA256 e4b3df5ead761fe83da367d5e2ae1d416d0f89a572480deecc20c4b4295f17eb
SHA512 0f8f3826e8a9205771863c042a8386315784927e260ca8617c44f83b5f3f3a501500d6d39ae732da11c0621dbd6c8c6d75ac7af660a46bb70acac9c12991d2db

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\user.js

MD5 e960b74f0689d88d3d243626c71eb289
SHA1 ed493321acf7050a4df418cf46f13ba8fedf07ea
SHA256 270571a667c274ea8fe0a475e57741fafa1dc2890da21b4efeca4bcfbb43540f
SHA512 89beb66e442a9f8a25784ef34efe4cb5f6806a1044ae1e8992963542c98e7095a864deeba2e18bbc153198ec8d2f03e6ca6a1b4d942eb1096cfd16d63e4352e2

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd41B8.tmp

MD5 ff8a1b257ee1278af69b91b537b130dc
SHA1 74827dbee506a6983f3db8c175721d4f285b7e26
SHA256 e3e5a0125f7d196f20106664863a95424e9d7aa5e9dc0338f489a11e0af9fdd1
SHA512 fd94602786cd182c6274af6dad5d38befd11aae2a8362fe9cfed9e5f2ff6c3230612d6d70d20e25b337176b49eb91eea450ac7421840f3e438124e36797a9e4a

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll

MD5 d5e0f923b3ee640efd6a58ec0c70cbdc
SHA1 74f62a9acdb9f9dd0580d69450c062ba8870deea
SHA256 3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281
SHA512 471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0

memory/3032-1600-0x0000000003B60000-0x0000000003B72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3108 wrote to memory of 1496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3108 wrote to memory of 1496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3108 wrote to memory of 1496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:20

Platform

win7-20240611-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 228

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 224

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 336 wrote to memory of 3120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 336 wrote to memory of 3120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 336 wrote to memory of 3120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 612

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240419-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 224

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4496 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4496 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4496 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst2222.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

\Users\Admin\AppData\Local\Temp\nst2222.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nst2222.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

\Users\Admin\AppData\Local\Temp\nst2222.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nsi2286.tmp

MD5 7271c630d76fe24bfc601cff33cf57aa
SHA1 bbd75d10939954b941e961ddc65a170188447fb6
SHA256 817bf925e8f3c9dfece5e8b93830ea514061a19b73eb9b2c2479e0281ee364ce
SHA512 258038719917524c04f2455065480d24e2ff57f0390cd0145fe1d631dff9f34f1a96167a615ffb9ff70387c3d9699fcaac29a531e71ea55a9a8d35d05475f081

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.Admin\user.js

MD5 5bf11ab21587410e09af8c60e5dc3f68
SHA1 2b89c6da5e1e292ecc4fb8022a9cb9274ed31aa2
SHA256 7d96d78547040e33057b28277627221a7cf22c6bbe158ca44a85bba2d7a0f803
SHA512 30a8a910af021c806143bdfd031e50bdf5be9d25497be19179e23b6509d07c0df87e9b0db5619ff233a058a33638ce892983ca0dffa334a700cae242cd60f65a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.Admin\user.js

MD5 07cc08b68bd244e4e75f8ac66c7f8d3e
SHA1 ddde5cbd3698cc42a21721f5217a64f085933c0a
SHA256 6707adbc39be1a879f1a6fe28b6079817a8d26ec61fe3984ef3316b4b5f1841d
SHA512 7d486a084acb39718a3b1cba64d252013e8d009dae56a924873d550057e8edbf3063a2caf3fa290494a85f2c02fbec1869a593fbbc8eac77c69d1263cfd5b5c5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\user.js

MD5 d0ccd3c503994fe886e23e0a665432ba
SHA1 f56992656070e9e01c78d2f4345cedc68c00b654
SHA256 5bcbec1d25e852db70ad6136f0cfb4c5d17acfa4b745abc36790064522b0eb71
SHA512 610699de7dfdc66966f36efda78dab847fcc9e84ad227090471166b43145573038cf8926d5245884c4bfe16139e4695993e12864a2ef5d1570ab8503dd9769be

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240611-en

Max time kernel

135s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 img.uptodown.net udp
US 151.101.3.52:80 img.uptodown.net tcp
US 20.189.173.13:443 tcp
US 8.8.8.8:53 52.3.101.151.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsgFC33.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

C:\Users\Admin\AppData\Local\Temp\nsgFC33.tmp\nsRandom.dll

MD5 ab467b8dfaa660a0f0e5b26e28af5735
SHA1 596abd2c31eaff3479edf2069db1c155b59ce74d
SHA256 db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73
SHA512 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

C:\Users\Admin\AppData\Local\Temp\nsgFC33.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

memory/2452-29-0x0000000003230000-0x0000000003242000-memory.dmp

memory/2452-28-0x0000000003230000-0x0000000003242000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsgFC33.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

memory/2452-40-0x0000000003230000-0x0000000003242000-memory.dmp

memory/2452-41-0x0000000003230000-0x0000000003242000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 856 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 856 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-20 07:17

Reported

2024-06-20 07:19

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224

Network

N/A

Files

N/A