Analysis Overview
SHA256
ec2462bf546bd65fdc086f4722afd3f45f4659a9ac0c56fa707d5ea687730e68
Threat Level: Shows suspicious behavior
The file 03f518342b62cc476b693d6b5b436ae4_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 07:17
Signatures
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unsigned PE
NSIS installer
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240611-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 236
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4708 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4708 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4708 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2648 -ip 2648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 600
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240611-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 224
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240611-en
Max time kernel
140s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsnF2FC.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\nsnF2FC.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsnF2FC.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
C:\Users\Admin\AppData\Local\Temp\nsnF2FC.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\nssF36C.tmp
| MD5 | 84c6a105b21c548e24b6451723672211 |
| SHA1 | 45b4472c6f02238bdf3e569195f468134267f60d |
| SHA256 | e6dd101bc0c0110cd5cfeed06e6c8ab0953d263a6c4051ea43688b55f11421e8 |
| SHA512 | 2b5e4c50ae738eb5068bc267f901a38c5fe16b608b3d61f1ac26d70cabf80a9b73c955d6fbb7cf45ca7d0b154aac7748904ed96b7313f26dd86505d76bdf00b9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\user.js
| MD5 | a0bdd513b48c9cf0902cdfd002196f36 |
| SHA1 | c285aa75b1d878b3e89bd158fe361c2474a4985b |
| SHA256 | ab08125d40fc5002a34b86bb17167a25e3d582649504a5a3495a751f2b059ce8 |
| SHA512 | 9a9e3429d2871e9670d78db0d2bbbfabb2718e8ab0ed945aa659d498c82362400994214e2701dca6b922515968ee808d00cc4aa44feb87326a9f0b9231921442 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\user.js
| MD5 | 3ac1c8221139cdd9230f8667b73eb6d4 |
| SHA1 | 47c833e140dbb1219a851f3f9ed888d28dff4b33 |
| SHA256 | f29db17fd2237ddbc465f7821cf400cc7de667cd4c416bd8601cbd4f331bf272 |
| SHA512 | 328379c487eda9c908cf1e3e139d3e9b40590810133f1bb24e17918bb94b3c24e9062a7778180838bed237cd2835c5c0a4cfa4044146387e738bd8f6f5310568 |
C:\Users\Admin\AppData\Local\Temp\nsiF3CE.tmp
| MD5 | beb03959a34a1f7dfaadd0f2ebd687ce |
| SHA1 | 3a3172acd409c6dd8f68b8b4351dabe5936edf57 |
| SHA256 | 27d2bb5645e69fc7690ced7a2d4c722cf9d8ec995fe7bd07d8141897899247fc |
| SHA512 | 6516ff7083ebdfb420941830728a68bfcfac7303aa17925620ae1449950b1d69c3de6b53230b0363ef96b758d5ce596529eee892d9678953cb6c9f9773b07067 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\user.js
| MD5 | ab98dcbc05863e27597c535e58a69aa7 |
| SHA1 | 5844a26c005468c7ad4715d12f5eaa7c7997e4bd |
| SHA256 | ad4290ccd1bd885d7d51bf1b8faf13797f4dc31ef0e45e13698e63ce0e0a2dab |
| SHA512 | c5667200bc2f29e7a6dc5ccc0a2caecb44f8299f3ef56e54d6dc2edb6b4dc86731cf38db295bca3b6cc6b9ef837a8491dc04219be39366b3b3ec488c5a7b7439 |
C:\Users\Admin\AppData\Local\Temp\nsiF420.tmp
| MD5 | daef14909c4b9abd8243e41fcead6ff8 |
| SHA1 | dbfd7b5f16909e408897c50bb47e704a65ab1e9d |
| SHA256 | f2f09bcde383eb99127e964fe63cea6caca0540b7ec20587aea69087be58e7a0 |
| SHA512 | 58807d5fd99710604a0935e939fe2143478903cd0b2d6b845f85696bd7043dd3f548fb12013fa54a304a7e5de587eada2feafbf906de5ff45a6757208b09e4d1 |
C:\Users\Admin\AppData\Local\Temp\nsnF440.tmp
| MD5 | ba0edf378719986165661a535665374f |
| SHA1 | 19760e361e55da6c81f162eb7b892cb608d988aa |
| SHA256 | c2af3ef194ee56bfe1b3f6ee85538d38dee6207f9e4c25dfd6e0ed58f0c6f4b0 |
| SHA512 | 7d996c1315a841e927cc014b23b7552b209e9ed91ef52a3ddee4801a2217fbc2fbca9cc8cce9de9ea29ca9bd072d6d8352a5e12e8d6d3957219ae817f383ec0d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\user.js
| MD5 | 3a48e9c0746eebecb1fd6b78339b2b6a |
| SHA1 | 1ca2295078f7e21c66a27deba5fa3a87580907c9 |
| SHA256 | e2489d00487d56f660b5d38571f692f20f728cc48cb2a422a2b94863d3b19d14 |
| SHA512 | cc17bd5219b2c4157a704ae19027264eff4159a2e50a3d2470021554dbf045d12a3fb53a68d78587f1429850b784ebaf72beaf1af31975ef03f69e2280505011 |
C:\Users\Admin\AppData\Local\Temp\nsiF4C0.tmp
| MD5 | d66b7c36887a3a1f869cd8b637cc43b6 |
| SHA1 | 2e7ad1e83bbe8ae41a119efcaaede2bc82e9d8db |
| SHA256 | d7516cb11c81e5ef2e0c7cffa7175c3a7f36f945e788a27024fdc79443fdda45 |
| SHA512 | 155ba55e437c52f3f53d27750fb8365f3489c08a00a8a842610d9d2687aaa067add493273caf5b49fe4bff39eca917eb3f4b4bcb58537119b3ce82e3ed40ceb8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\user.js
| MD5 | 19973f6dde6e6ed10dff32e566cd40a5 |
| SHA1 | e070abab89fc535a8073c76f7fe3e7863385b134 |
| SHA256 | 88a875e2352f2f03061e306ee1ea9a076a411c0998f66cb6110c2ba4e9bcb12e |
| SHA512 | e6f42f8b0d5e313cf340b3aff2fbd83b3fe671191b650a0664bb311a7159967b07572710405f61837ece8049735adef6dd2f8daf2354c394ec1ac238954dd4bf |
C:\Users\Admin\AppData\Local\Temp\nsyF4D3.tmp
| MD5 | 9977d3425a4556c677885d392f451d3a |
| SHA1 | a90f8930f8b0f2c8e5541be0dcc21b2b14f1a516 |
| SHA256 | 3661fbc00b62c038c5c25d2471e719ee6322bc243503082be36841fbdb2f669f |
| SHA512 | 0f450b2aeca4ebc7be7866573b9e69f0456ee3c3bc709727685b02a45844b1629bca0ff51a5fbced6dd04c5e27ea143399f8ef9a8aec627adf0565d2861a1cb6 |
C:\Users\Admin\AppData\Local\Temp\nsyF4D4.tmp
| MD5 | 47cbd47c60e8af1b4374c6a352f0f91a |
| SHA1 | b629ccfcfe420a19cdf04caf1655cad0f1668803 |
| SHA256 | 738e0f7d518eab9042f5296f544ae731a6963ba1dc8796be554279e1c15a44b1 |
| SHA512 | 99953dbb8d7146016796e0ea65c7f6f306e1d8d2ffbbf1c69e59dc7df7525e8afc78c6b40298747e38682f62518f687c50d7d3ebbe69fe9bde8ad130a97d0229 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\user.js
| MD5 | ad5e41c9b83c443379bae29df86df772 |
| SHA1 | ad4187ffdb50ccfef0d2c97131060650fefb670a |
| SHA256 | e11adba324d2a56c44a54c6814af8077dfe35078d0387b7db5ea0fac1ebc05e9 |
| SHA512 | c5599b59bdc3d0f6a3c8ee9b47a0d5d538cbbc154be25255d7d3ed2f876a382c860e8b88bfdc311f69b78e8f555917226fe9edc91b9ffb348c9e9d5999fb9171 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\user.js
| MD5 | 836744fceccf4ba6438b53572ebce43f |
| SHA1 | 325366ea6fcf3b3c9b77e312bbf8713df6c7386a |
| SHA256 | fa9b47a79e78e6ced3a9d0d7937c83d1aa668dcb17380d3e2323c57a74d386c9 |
| SHA512 | ee5caaf3670fabe00301ef0d993d9dddaca6aceea365daccc753a722a6e3f5fe42afe8de68d3f857d08e290aea11f591b1cbd8c37b889ea8fdfdd3738083c1c4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\user.js
| MD5 | 1cf4841d076be3ad6592a867dadf29c9 |
| SHA1 | 05076b1693312e6813326e29695e05e8b1028994 |
| SHA256 | 34e3ca1218ab24caabce6c73bbac56266b52803ad4e190b76785cf3ec5b00886 |
| SHA512 | c1cc8f1718391a42669db6b266b7f40bdff3329e3191b300f868f8e4bced29cff5b93b7a669531a561211143728f614f23da9a91dc5391f8008d42699a8bee2e |
C:\Users\Admin\AppData\Local\Temp\nsoF53A.tmp
| MD5 | 756a2199461f233e44e2ff84eb3f8449 |
| SHA1 | b40a3f926b06c175c8a667d9913e79363330b30e |
| SHA256 | 143ef62184392cdd8bf4a7fd2a1a7ca62f2600a94cc7768562e3abd70a5cdd6e |
| SHA512 | 35ebe260194078c4068db9a142bdddda97c17395475a2397569e44315f7820eb5a803bcb18d91c6ecb901749cbc388f4e59c428d890c0d26702d290e660dc864 |
C:\Users\Admin\AppData\Local\Temp\nsoF539.tmp
| MD5 | ce5e7ee7e40357da1d0a814e552953c3 |
| SHA1 | 1e9362ba3704ea8fd2a32a19d8fed449b2e520bd |
| SHA256 | b24632839646475bbe84fbfe2f8b0ba036bb9e8d7f9eb556ebbd75d63909d5d7 |
| SHA512 | 6efed953a70a09bf9980332a0b7c9dba48589acb0dd81a67a993f4e99197521a325d5ab687cafbee2ff7ece9c5e77f4dde52b65ea7f84ce6fdf86894bcdd361e |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
56s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4564 wrote to memory of 4416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4564 wrote to memory of 4416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4564 wrote to memory of 4416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4416 -ip 4416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1208 wrote to memory of 2340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1208 wrote to memory of 2340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1208 wrote to memory of 2340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3756 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3756 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3756 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 600
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 224
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2656 wrote to memory of 3320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2656 wrote to memory of 3320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2656 wrote to memory of 3320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
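The seven rundll32 runs above (behavioral9, 18, 21, 12, 30, 15 and 16) share one shape: the sandbox loads a DLL that the installer unpacked into $PLUGINSDIR, calls export #1 through rundll32, the 64-bit system32\rundll32.exe writes into a freshly spawned SysWOW64\rundll32.exe, and WerFault reports a crash in that 32-bit child. The write is rundll32's normal WoW64 handoff for a 32-bit DLL, and DLLs under $PLUGINSDIR are NSIS plugins whose exports expect NSIS's stack and variable pointers rather than rundll32's arguments, so a crash when called this way says nothing about what the installer itself does. The script below is an added example, not part of the report or of any sandbox tool: it parses the signature rows and process list of behavioral18 (copied into a constructed string; the win7 rows carry no PIDs and would leave the handoff field False) and ties the PID in WerFault's -p argument back to the loaded module and the WriteProcessMemory target. The field names and verdict text are my own.

```python
import re

# Constructed input: the "Program crash", "Suspicious use of WriteProcessMemory"
# and "Processes" sections of the behavioral18 run, copied in the report's layout.
RUN_BEHAVIORAL18 = r'''
Program crash
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| PID 4708 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4708 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4708 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2648 -ip 2648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 600
'''

SECTIONS = ('Program crash', 'Suspicious use of WriteProcessMemory', 'Processes')
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+(?P<dll>.+?\.dll),(?P<export>\S+)', re.I)
WPM_RE = re.compile(r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)')
WER_PID_RE = re.compile(r'\s-p\s+(?P<pid>\d+)')   # WerFault's "-p <crashed pid>"


def parse_run(text):
    """Split one behavioral run into crash rows, WriteProcessMemory rows and
    (image, command line) pairs, following the report's own layout."""
    crashes, wpm, procs = [], [], []
    section, image = None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if line.startswith('|'):
            cells = [c.strip() for c in line.strip('|').split('|')]
            if section == 'Program crash':
                crashes.append({'reporter': cells[2], 'target': cells[3]})
            elif section == 'Suspicious use of WriteProcessMemory':
                m = WPM_RE.search(cells[0])
                if m:
                    wpm.append({'src_pid': int(m['src']), 'dst_pid': int(m['dst']),
                                'src': cells[2], 'dst': cells[3]})
            continue
        if section == 'Processes':          # lines alternate: image path, command line
            if image is None:
                image = line
            else:
                procs.append({'image': image, 'cmdline': line})
                image = None
    return crashes, wpm, procs


def _is(image, tail):
    return image.lower().endswith(tail.lower())


def explain_run(text):
    """Reduce a rundll32 run to what a triager needs: which dropped module was
    loaded, whether 64-bit rundll32 handed off to its 32-bit twin, and which
    process WerFault actually reported on."""
    crashes, wpm, procs = parse_run(text)
    f = {'module': None, 'export': None, 'nsis_plugin': False, 'wow64_handoff': False,
         'crashed_pid': None, 'crashed_image': None, 'crash_reports': 0,
         'crash_in_child': False, 'verdict': 'review manually'}
    for p in procs:
        m = RUNDLL_RE.match(p['cmdline'])
        if m and f['module'] is None:
            f['module'] = m['dll'].rsplit('\\', 1)[-1]
            f['export'] = m['export']
            # NSIS unpacks its plugins into $PLUGINSDIR; nothing else lives there.
            f['nsis_plugin'] = '$PLUGINSDIR' in m['dll']
        if _is(p['image'], r'\WerFault.exe'):
            pm = WER_PID_RE.search(p['cmdline'])
            if pm:
                f['crashed_pid'] = int(pm['pid'])
                f['crash_reports'] += 1
    # system32\rundll32 writing into SysWOW64\rundll32 is the WoW64 relaunch that
    # rundll32 performs for a 32-bit DLL, not an injection into a foreign process.
    f['wow64_handoff'] = any(_is(r['src'], r'\system32\rundll32.exe') and
                             _is(r['dst'], r'\SysWOW64\rundll32.exe') for r in wpm)
    f['crash_in_child'] = any(r['dst_pid'] == f['crashed_pid'] for r in wpm)
    if crashes:
        f['crashed_image'] = crashes[0]['target']
    if f['nsis_plugin'] and f['crashed_image'] and _is(f['crashed_image'], r'\rundll32.exe'):
        f['verdict'] = ('sandbox called an NSIS plugin export through rundll32; '
                        'the crash is a harness artifact, not sample behaviour')
    return f


if __name__ == '__main__':
    for k, v in explain_run(RUN_BEHAVIORAL18).items():
        print(f'{k:15} {v}')
```

Feed it the same three sections from any of the other rundll32 runs; for the win7 runs the WriteProcessMemory table is empty, so `wow64_handoff` and `crash_in_child` stay False while the module, crashed PID and verdict are still recovered from the process list.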
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240611-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrId = "base" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ = "IXmlCnfg" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer\ = "funmoods.dskBnd.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\hrdId = "7da82f55000000000000fad28091dcf5" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\dfltLng\dfltLng | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\dfltLng | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\TypeLib\ = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CurVer\ = "esrv.funmoodsESrvc.1" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1\CLSID\ = "{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID\ = "esrv.funmoodsESrvc.1" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrSrchUrl = "http://start.funmoods.com/results.php?f=3&a=orgnl&q=" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ = "IappCore" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ = "IIEWndFct" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\ = "CDskBnd Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.228:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsd1102.tmp\UserInfo.dll
\Users\Admin\AppData\Local\Temp\nsd1102.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nsd1102.tmp\nsisos.dll
\Users\Admin\AppData\Local\Temp\nsd1102.tmp\mt.dll
\Users\Admin\AppData\Local\Temp\nsd1102.tmp\Time.dll
\Users\Admin\AppData\Local\Temp\nsd1102.tmp\Processes.dll
memory/2424-79-0x0000000001F80000-0x0000000001F92000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd1102.tmp\InetLoad.dll
\Users\Admin\AppData\Local\Temp\nsd1102.tmp\ExtractDLLEx.dll
\Users\Admin\AppData\Local\Temp\nsd1102.tmp\chrmPref.dll
\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll
\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll
\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.Admin\user.js
\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nso1406.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst1426.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsi1436.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsy1447.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd1467.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsi14D7.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\user.js
memory/2424-1584-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd1102.tmp\NSISdl.dll
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4828 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4828 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4828 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4952 -ip 4952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 624
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 224
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 224
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240611-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
UPX packed file
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | img.uptodown.net | udp |
| US | 151.101.3.52:80 | img.uptodown.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsoED1.tmp\LangDLL.dll
\Users\Admin\AppData\Local\Temp\nsoED1.tmp\nsRandom.dll
memory/2368-20-0x00000000027B0000-0x00000000027C2000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsoED1.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nsoED1.tmp\nsDialogs.dll
memory/2368-35-0x00000000027B0000-0x00000000027C2000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:20
Platform
win7-20240611-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2188 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2188 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2188 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2188 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2188 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2188 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2188 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240611-en
Max time kernel
135s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3364 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3364 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3364 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2660 -ip 2660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 600
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240611-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2224 wrote to memory of 3820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 3820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 3820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3820 -ip 3820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 612
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 224
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:20
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 656 wrote to memory of 1620 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1620 -ip 1620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.204.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
93s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\bh\\funmoods.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\ = "escrtSrvc Object" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ = "IIEWndFct" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\afltId = "orgnl" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CLSID\ = "{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\hrdId = "3d018f94000000000000d64620966489" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ = "IwebAtrbts" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer\ = "f" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CurVer\ = "funmoodsApp.appCore.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\aflt = "orgnl" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrSrchUrl = "http://start.funmoods.com/results.php?f=3&a=orgnl&q=" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\smplGrp = "none" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\VersionIndependentProgID\ = "escort.escortIEPane" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\data | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f\CLSID\ = "{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.228:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
| US | 8.8.8.8:53 | 228.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\nsisos.dll
C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\mt.dll
C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\Time.dll
C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\Processes.dll
memory/3032-84-0x00000000023E0000-0x00000000023F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\InetLoad.dll
C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\ExtractDLLEx.dll
C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\chrmPref.dll
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn4059.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn405A.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4yypthkk.Admin\user.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4yypthkk.Admin\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn40AD.tmp
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn40FF.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\user.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4yypthkk.Admin\user.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\user.js
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd41B8.tmp
| MD5 | ff8a1b257ee1278af69b91b537b130dc |
| SHA1 | 74827dbee506a6983f3db8c175721d4f285b7e26 |
| SHA256 | e3e5a0125f7d196f20106664863a95424e9d7aa5e9dc0338f489a11e0af9fdd1 |
| SHA512 | fd94602786cd182c6274af6dad5d38befd11aae2a8362fe9cfed9e5f2ff6c3230612d6d70d20e25b337176b49eb91eea450ac7421840f3e438124e36797a9e4a |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll
| MD5 | d5e0f923b3ee640efd6a58ec0c70cbdc |
| SHA1 | 74f62a9acdb9f9dd0580d69450c062ba8870deea |
| SHA256 | 3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281 |
| SHA512 | 471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0 |
memory/3032-1600-0x0000000003B60000-0x0000000003B72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsq3D19.tmp\NSISdl.dll
| MD5 | a5f8399a743ab7f9c88c645c35b1ebb5 |
| SHA1 | 168f3c158913b0367bf79fa413357fbe97018191 |
| SHA256 | dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9 |
| SHA512 | 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240220-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 224
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3108 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3108 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3108 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:20
Platform
win7-20240611-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 228
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240220-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 224
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 336 wrote to memory of 3120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 336 wrote to memory of 3120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 336 wrote to memory of 3120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 612
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240419-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 224
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1844 wrote to memory of 1604 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1844 wrote to memory of 1604 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1844 wrote to memory of 1604 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1844 wrote to memory of 1604 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1844 wrote to memory of 1604 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1844 wrote to memory of 1604 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1844 wrote to memory of 1604 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4496 wrote to memory of 2992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4496 wrote to memory of 2992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4496 wrote to memory of 2992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nst2222.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
\Users\Admin\AppData\Local\Temp\nst2222.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nst2222.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
\Users\Admin\AppData\Local\Temp\nst2222.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\nsi2286.tmp
| MD5 | 7271c630d76fe24bfc601cff33cf57aa |
| SHA1 | bbd75d10939954b941e961ddc65a170188447fb6 |
| SHA256 | 817bf925e8f3c9dfece5e8b93830ea514061a19b73eb9b2c2479e0281ee364ce |
| SHA512 | 258038719917524c04f2455065480d24e2ff57f0390cd0145fe1d631dff9f34f1a96167a615ffb9ff70387c3d9699fcaac29a531e71ea55a9a8d35d05475f081 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.Admin\user.js
| MD5 | 5bf11ab21587410e09af8c60e5dc3f68 |
| SHA1 | 2b89c6da5e1e292ecc4fb8022a9cb9274ed31aa2 |
| SHA256 | 7d96d78547040e33057b28277627221a7cf22c6bbe158ca44a85bba2d7a0f803 |
| SHA512 | 30a8a910af021c806143bdfd031e50bdf5be9d25497be19179e23b6509d07c0df87e9b0db5619ff233a058a33638ce892983ca0dffa334a700cae242cd60f65a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.Admin\user.js
| MD5 | 07cc08b68bd244e4e75f8ac66c7f8d3e |
| SHA1 | ddde5cbd3698cc42a21721f5217a64f085933c0a |
| SHA256 | 6707adbc39be1a879f1a6fe28b6079817a8d26ec61fe3984ef3316b4b5f1841d |
| SHA512 | 7d486a084acb39718a3b1cba64d252013e8d009dae56a924873d550057e8edbf3063a2caf3fa290494a85f2c02fbec1869a593fbbc8eac77c69d1263cfd5b5c5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\user.js
| MD5 | d0ccd3c503994fe886e23e0a665432ba |
| SHA1 | f56992656070e9e01c78d2f4345cedc68c00b654 |
| SHA256 | 5bcbec1d25e852db70ad6136f0cfb4c5d17acfa4b745abc36790064522b0eb71 |
| SHA512 | 610699de7dfdc66966f36efda78dab847fcc9e84ad227090471166b43145573038cf8926d5245884c4bfe16139e4695993e12864a2ef5d1570ab8503dd9769be |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240611-en
Max time kernel
135s
Max time network
123s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03f518342b62cc476b693d6b5b436ae4_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.uptodown.net | udp |
| US | 151.101.3.52:80 | img.uptodown.net | tcp |
| US | 20.189.173.13:443 | | tcp |
| US | 8.8.8.8:53 | 52.3.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsgFC33.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
C:\Users\Admin\AppData\Local\Temp\nsgFC33.tmp\nsRandom.dll
| MD5 | ab467b8dfaa660a0f0e5b26e28af5735 |
| SHA1 | 596abd2c31eaff3479edf2069db1c155b59ce74d |
| SHA256 | db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73 |
| SHA512 | 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301 |
C:\Users\Admin\AppData\Local\Temp\nsgFC33.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
memory/2452-29-0x0000000003230000-0x0000000003242000-memory.dmp
memory/2452-28-0x0000000003230000-0x0000000003242000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsgFC33.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
memory/2452-40-0x0000000003230000-0x0000000003242000-memory.dmp
memory/2452-41-0x0000000003230000-0x0000000003242000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 856 wrote to memory of 1488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 856 wrote to memory of 1488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 856 wrote to memory of 1488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1488 -ip 1488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
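The rundll32 runs above (behavioral5, 6, 8, 11, 13, 17, 29, 32) all share one shape: `C:\Windows\system32\rundll32.exe` is handed an NSIS plugin DLL from `%TEMP%\$PLUGINSDIR`, it launches `C:\Windows\SysWOW64\rundll32.exe` for the 32-bit DLL (the WriteProcessMemory hits are that hand-off, which is why that signature on its own is weak evidence), and in most runs WerFault then reports a crash for the child PID. The DLL path under a user-writable temp directory is the part worth alerting on. The following is an added example for detection engineers, not output from the sandbox: a small Python detector over constructed process-creation events modelled on the behavioral6 process list. The image paths, command lines and PIDs 856/1488 come from the report; the parent PID 600, the WerFault PIDs 2204/2212, the benign control event and the event tuple format are assumptions.

```python
"""Flag rundll32 loading a DLL from a user-writable directory, note the
64-bit -> SysWOW64 hand-off, and tie a later WerFault report back to the
flagged PID. Added example; the event format is an assumption."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed events (pid, ppid, image, command line) modelled on the
# behavioral6 process list. PIDs 600, 2204, 2212 and the benign control
# are assumptions; the report does not list them.
EVENTS: List[Tuple[int, int, str, str]] = [
    (856, 600, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1"),
    (1488, 856, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1"),
    (2204, 1488, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1488 -ip 1488"),
    (2212, 1488, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 600"),
    # Benign control: rundll32 loading a DLL from System32 must not be flagged.
    (3300, 700, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# Directories an unprivileged user can write to. A DLL loaded from one of
# these by a signed Windows host is the signal; WriteProcessMemory is not.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Windows\\Temp|Downloads|Users\\Public)\\"
    r"|\$PLUGINSDIR",
    re.IGNORECASE,
)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry_point) for a rundll32 command line, else None.
    rundll32 syntax is '<exe> <dll>,<entry> [args]'; the DLL may be quoted."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2:
        return None
    exe = parts[0].strip('"').lower()
    if not (exe.endswith("rundll32.exe") or exe.endswith("rundll32")):
        return None
    dll, sep, rest = parts[1].partition(",")
    if not sep:
        return None
    entry = rest.split()[0] if rest.split() else ""
    return dll.strip().strip('"'), entry


def werfault_target(cmdline: str) -> Optional[int]:
    """PID a WerFault instance reports on: the value after '-p'. Both the
    '-u -p <pid> -s <n>' and '-pss -s <n> -p <pid> -ip <pid>' forms seen in
    the report are handled ('-pss' is not '-p')."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def analyze(events: List[Tuple[int, int, str, str]]) -> Dict[int, dict]:
    """Return findings keyed by PID for every rundll32 that loads a DLL from
    a user-writable path, with the WOW64 hand-off and crash annotated."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings: Dict[int, dict] = {}
    for pid, ppid, image, cmd in events:
        if "rundll32" not in image.lower():
            continue
        parsed = parse_rundll32(cmd)
        if parsed is None:
            continue
        dll, entry = parsed
        if not USER_WRITABLE.search(dll):
            continue
        parent = by_pid.get(ppid)
        # 64-bit rundll32 re-launching SysWOW64\rundll32.exe for a 32-bit DLL
        handoff = (parent is not None and "rundll32" in parent[1].lower()
                   and "syswow64" in image.lower())
        findings[pid] = {"pid": pid, "ppid": ppid, "dll": dll, "entry": entry,
                         "wow64_handoff": handoff, "crashed": False}
    # Second pass: attribute WerFault reports to flagged PIDs.
    for pid, ppid, image, cmd in events:
        if image.lower().endswith("werfault.exe"):
            target = werfault_target(cmd)
            if target in findings:
                findings[target]["crashed"] = True
    return findings


if __name__ == "__main__":
    for pid, f in sorted(analyze(EVENTS).items()):
        print(f"pid {pid} (parent {f['ppid']}): rundll32 loaded {f['dll']},{f['entry']}"
              f" wow64_handoff={f['wow64_handoff']} crashed={f['crashed']}")
```

Run stand-alone it reports PIDs 856 and 1488 and leaves the System32 control alone; only 1488 carries the crash flag, matching the WerFault `-p 1488` lines in behavioral6. In a real pipeline the same three functions apply unchanged to Sysmon Event ID 1 or EDR process-start records once their fields are mapped onto the tuple.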
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-20 07:17
Reported
2024-06-20 07:19
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224