374268bf53e8af26659c162c1df8f5e19d1fec25f3a1fd8efa26ea6147ad9016

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$LOCALAPPDATA/funmoods.exe
Size

1.6MB
MD5

badf0b8e9bc8d7352fb084951255ee4f
SHA1

e584634b5565fd81d7258fca86c632c9d3e1cd14
SHA256

73db5f6b89963d6692e3c43c8f3e5265ec4512ce87fe652e9ec3a4a0bb036db8
SHA512

3b704e3b0d440f1e580cc277c3c68223139f35156b00250ebf9a231f03d5f74bd19bbf948061e7b8be13b9c08aca9f30a0929cfce5a9d5cc3558cd187a05d53e
SSDEEP

24576:VtxBMupYpmZICsiWuu0uFYBimEuDYYmTj67rRXFO6BbwZTdNFtr6Ps7QOWxQ6NVN:p6HmZICsfujIvGmTW7rRQakZpt+xQON

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	funmoods.exe

Executes dropped EXE 3 IoCs

pid	Process
2212	FM4ie.exe
4332	FM4ffx.exe
2544	funmoodssrv.exe

Loads dropped DLL 64 IoCs

pid	Process
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
4332	FM4ffx.exe
2212	FM4ie.exe
4332	FM4ffx.exe
2212	FM4ie.exe
2212	FM4ie.exe
2212	FM4ie.exe
2212	FM4ie.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
2212	FM4ie.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe
4332	FM4ffx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object"	FM4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	FM4ie.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe	FM4ie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral4/files/0x000700000002346f-152.dat	nsis_installer_1
behavioral4/files/0x000700000002346f-152.dat	nsis_installer_2
behavioral4/files/0x000700000002346e-160.dat	nsis_installer_1
behavioral4/files/0x000700000002346e-160.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}	FM4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16"	FM4ie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar"	FM4ie.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\InprocServer32\ThreadingModel = "apartment"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ThreadingModel = "apartment"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CLSID	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ = "IappCore"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\VersionIndependentProgID	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\Version = "1.0"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ = "IappCore"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrId = "base"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1\CLSID\ = "{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CLSID\ = "{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID\ = "funmoodsApp.appCore.1"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ = "IEscortFctry"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\dfltLng	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\Version = "1.0"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\VersionIndependentProgID	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ = "IxpEmphszr"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CLSID	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ProgID	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ = "IIEWndFct"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\f\ = "escrtAx Object"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\VersionIndependentProgID\ = "funmoods.dskBnd"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "CDskBnd Object"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}	funmoodssrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\Version = "1.0"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ = "IEvntCntr"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsnTs = "1.5.11.1621:48:22"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\InprocServer32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1	FM4ie.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe
3952	funmoods.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 2212	3952	funmoods.exe	83
PID 3952 wrote to memory of 2212	3952	funmoods.exe	83
PID 3952 wrote to memory of 2212	3952	funmoods.exe	83
PID 3952 wrote to memory of 4332	3952	funmoods.exe	84
PID 3952 wrote to memory of 4332	3952	funmoods.exe	84
PID 3952 wrote to memory of 4332	3952	funmoods.exe	84
PID 2212 wrote to memory of 2544	2212	FM4ie.exe	85
PID 2212 wrote to memory of 2544	2212	FM4ie.exe	85
PID 2212 wrote to memory of 2544	2212	FM4ie.exe	85

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
  "C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
    "C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
  C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll

Filesize
329KB

MD5
12be59f427297e54fef41f9bb32d4233

SHA1
0088967a4ed52f491976136c95d43e0e1b06cc31

SHA256
e4b3df5ead761fe83da367d5e2ae1d416d0f89a572480deecc20c4b4295f17eb

SHA512
0f8f3826e8a9205771863c042a8386315784927e260ca8617c44f83b5f3f3a501500d6d39ae732da11c0621dbd6c8c6d75ac7af660a46bb70acac9c12991d2db

Download Submit
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll

Filesize
535KB

MD5
d5e0f923b3ee640efd6a58ec0c70cbdc

SHA1
74f62a9acdb9f9dd0580d69450c062ba8870deea

SHA256
3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281

SHA512
471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0

Download Submit
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll

Filesize
245KB

MD5
7f8be790b6614f46adeafd59761abbeb

SHA1
a1be7d513d40b1a0af1aa1fd73c2c2b6173ac700

SHA256
b1fa4dacf9656e31588eebeca1f831c72a33d9affca07ede0d5f5d113ec14aaf

SHA512
4d17c74368543092a8e7604208689bc6a5fc5bcc46c60cfb9255622d031a4265adaa13d7c0b5f410ababed802f29cb89c2dd7d7b1adc1af33fbb5f55e4a8a5ca

Download Submit
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Filesize
398KB

MD5
ffba0384096f7a6c2189009b3c54c8db

SHA1
e1e883b9345bd74b0c7e158751c60b0ee2139677

SHA256
93587b81f4e717b25a6e5fd2fb7158d7fb825f79af1c02ed0a61d5de15b6327b

SHA512
7ea59cd57a0b6ecb1258af1d271dcb68236d0b95fca0d5905d177dd8df980771b0a182a459a6a6f01cb4789433d193306324fa178b88b6ec3677aa5c589571dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

Filesize
319KB

MD5
fe768a6b82ed2a59c58254eae67b8cf9

SHA1
3dad9bf5011fb73b9be2fe6c601bb6281a3ceaf6

SHA256
3ac3c700060a0487060724f3fd22faf70d5f633e69401641964d7ba4d6e6e570

SHA512
3d8caadc61ea127bd0e3d01f35274a2ebfa34a0ac12b0932988300d011347f74a09c2bf3c85e58bfbe5200288c6e6f100b4f08916d23e56d7b52a70130aad14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

Filesize
1.1MB

MD5
ddcada8c66d56df6e4ef2bbedf2bb865

SHA1
059a7f8bb8ed2e99d5153d26ecf986e91c24df19

SHA256
abcde03656f4c6f51d4d4c788ece555581b8c7b52bfe1c18ef70678cb3a2e872

SHA512
63a3ca5d733cef71cc4ff61d6b5b3dd74613d57bac2b5d41efffbbf64ab6031bde66c0cd7058bf50c047e64e4ee0ef87dff3c7864a18c118521f5711ab69cc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsa797F.tmp

Filesize
770B

MD5
8bcc73dc3b625ddfe7962d477c2749f7

SHA1
a8034f67e9fa904a9f29c4f4643933bf3f98b101

SHA256
b2c138a3155c85197035a55d0497fcad5a13d28ddba23e9661d3fa543d4935b9

SHA512
9dd24df58e2e4446d24445ca07431f181846e1c84e69dffc2830d231a35f6f0ce6f923a35dc37671eb9f665d372be4e78aa13025f5d17cd317680e6cedafd690

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsa79D0.tmp

Filesize
929B

MD5
3f1ed51b652a79053a3ebdbf2eba4ce2

SHA1
b29b28f6e69b7cfdf5fc97cbb7aa0955ea253427

SHA256
bedcb9e7ef1653cce0d9a0511a39253857f9c10f57f9f25e279b70b1f566b80b

SHA512
983d9b85e9ef88627b17a4d5c46299d7377360e63a3d5c2efda027ce22893efa8f884a3eeb12c65f6bf0c58fac03e600b3a7e9242bcd3314e19de6f0d21f01b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsa7B62.tmp

Filesize
575B

MD5
7679a4ef9eb45b665891fd78400a8c39

SHA1
20ea3064db52345fb64a7f28736a0a0f0e8f2eb5

SHA256
1393c00adca393834354e2453359a88519a38a5ed8373ba98d029d68eb6f51ea

SHA512
6f64b768ba7aa10179f3436d30640cdc6cb5cb46064c3c0f2f8c14ccc5ea25c8a46ac99273aca94d4418a0c411f777e00a7d280af2a67c631e52ddb0f6a275cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsa7BB5.tmp

Filesize
830B

MD5
f3bca1045420583c8c0fe2b55d8fda4c

SHA1
58f3f3aba9de1f8d75a938b83979f1f326868336

SHA256
011044c91060c56a78ab76ef954ffe5363ea2d4ee9e7ee5012d1e321dc4600da

SHA512
9c44c2ac8220ff03114bdb7f50d03d4555e893c98dc56f5090b45b9d649a8ba620c406510ea3edbed93b16ee7af62f1425b31cdcd8f9ff1bd2fa848346cd5504

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsf79F0.tmp

Filesize
981B

MD5
89fe5e91240682a7e17e5b83425bf2b7

SHA1
2557784baf7cd001838a9a8e1cff67e4693e0301

SHA256
dba4198101db3123c6558c4913397ca5a83634929318562e04fa4049c105636f

SHA512
a88f7d001284a2111dd7c18e93b4ee22156fa2bfa83e5fe6986fb5eddbaf386ea20fef2f2fefb15c1cfe7be72dae8d8a3858b3cb2808d22dc54c3590cdb83327

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsf7B2E.tmp

Filesize
287B

MD5
79c7f56f58860a4ee10b846f29796dc6

SHA1
19f88147096b29bee55b8a483523a6b54fd3d43f

SHA256
f3578ede4d2d0d587abd93ac9b23ec2d48a9978802657b8b244143234c0a2245

SHA512
c50d9651ecd02d4b7582881221130fa4b52d7f5df42f3ba6e9f7a7526d6445a146fabf6a05ce0a971bc9884d1b6c053ce1e01a53a8e85db65aceaab59330cc80

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsf7B2F.tmp

Filesize
342B

MD5
6619e6a4ea0ca7b779cfa2d2ee14f9e8

SHA1
bf6653ba9548c4dd8c79c65dce49698981b91b53

SHA256
7672a1c5cfe44b8c8f0ba9ee44ac1aafc5e102e5cc850a0c0f3ebc03eb8e6adc

SHA512
ab46a1208c78ea83fd73326ea8782cdf16bdeba8d51ad34f881ef40897dbe82424fb8aa7f39e40db4da06c3f596f475f416320483129e9d74e767ef4c9f732b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsl7B52.tmp

Filesize
520B

MD5
066a78b2e370cc0d23aa99bc8b8e47c4

SHA1
06be2077fa9e0fb574a1db309baaf175a30680dc

SHA256
1e52e3f39e88d9990e040935578ef9c609090d4e3950a947ce58a694f3935df0

SHA512
c607177e48f7e98d94c82d328747bc2f29ef52a516c7d56562f950cc379495d6125c50e041f0973dacffb4319019ae796911b6d0ae2b5e16e43e55e025cd3a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsl7BA5.tmp

Filesize
781B

MD5
5311b413acce8f14c1ccce7248c3e62a

SHA1
5048ef72122f30e2780208f57bb35ecf768029c3

SHA256
bce0cb7695ecdb1166158f9fe03e374e2b2b586f9335a5817409f43ee5396cfe

SHA512
11852ca1c68b35db8f5ec0fd01a3f23c6ad12e8f62fd780793f5072f004e262827408403e656347412b98a8ff32169d07cbbc4485e5314660292a1041908b4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsp7A2F.tmp

Filesize
1KB

MD5
e4a081ae00c3e7852cb8a65a970ca5b7

SHA1
8d73bc08e58244b0954862c5afe04c317d950000

SHA256
769096fbace9c7f40b1dbbb32e88897eaeb7a72ddfa1331cbca262f20be2f68d

SHA512
920c01bc4d317e1208f9562315246aa096ecfa119c937bbdd1b5be51b7a3795fae90ec36575f16041471acd6cf6934c7c21f4a264577398c0781382499973cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsq7A7F.tmp

Filesize
1KB

MD5
4cad7a5ebf73bd1bd806acea0112a203

SHA1
b40d3545682171ab80081a391d14e5931b52a9f6

SHA256
4775c8c5f2841128406f4ef574164bd1f3ac0d024bb9bdac5b01be03201778d6

SHA512
ee167636d05fd778dd96cf83fe3b2225c5f6f45ebb510b46dc40e152b89d2886686ca0d14bdb378ba3fed3442994745e3a36bd3c7806e8c8273dd1b9d36c2f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsq7B1E.tmp

Filesize
232B

MD5
3971b3fe601090d0f747cda4d8a090a1

SHA1
2b286d5aaa1fe4351be13c0201cb503426bb0b71

SHA256
9636155ded6fe04129b90370b4ccc2ef9ae2071cb1f6abe65872a01053224e58

SHA512
b2513594592bd56effb6767184cd570bb1ee747b62b112d4bdf6be177edcee98a9ded3c6ca76dcc2845ef56be0252975ba8c88eb726484ef25afb6ab7e5e7111

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsu790D.tmp

Filesize
537B

MD5
73fe20acc7f0e84c2cf07ac9cb207a19

SHA1
738e1bedb2889c7987d446236512cddd95f1a51c

SHA256
81e69d01cbe23386be8f668e475c18b218b53390b3beabf1ca5cf2603937e822

SHA512
7c837d3584a178028f33319995c017e497ecc95df0fb75fcb4724dc8e93643f5c6e0b4532ce73fea0f8f49ecaabcb003e23ea1605fcca9dfe3ffec8b2ad9af8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsu79AF.tmp

Filesize
876B

MD5
62b94e369acbf0fde3adc6c460634fe0

SHA1
a8deb587047f5c5d305c433e91544d0aa316be55

SHA256
612c70893f30e9e2e28c799fff9c67d2c22bb1200b1f92f158a46d5b49c95178

SHA512
58cddad441b5ba0c1b5660def3130ca69eab9c4e7298cb33028792bf2b3499b4dd787a6ccbb4b727ec3485bcad8f6eea0c2e904c2aa36d1196b1f58be6b6a782

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsv7B40.tmp

Filesize
398B

MD5
b58e872540d6129b80127ca61584f220

SHA1
9736e9ef0a1f5e73d2f17318c5b484bcfbcc6210

SHA256
c132f99608a1d6b996b918658661895cfb7b2e84650aabaacf1c8ee5fe4444d7

SHA512
a348fa8248396db20fd55230c40c6ece0e24a232ab279ee1d9eabdb444caddab9db7e688af7e173058582c6c0d83515bda736b7f8ffe311af278038c117536fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsv7B41.tmp

Filesize
463B

MD5
4c749a1687002abb4c2e191f9141a608

SHA1
5e1a8cd0c0943878ebbe459d3e83241d0f5c350b

SHA256
6f3360a6c2d8aaf16990adb17f93d7da6f6bd75ef15596029428ed9aa2350f03

SHA512
8b95eae2269684c5a4e226fcd27f5a9c88eda1a2d9147765c3630e3165ed181c658df7342fdd44a7f0710df433cbc93bda633e3c6f0c9bc3bba148b70dccc285

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd759E.tmp\ExtractDLLEx.dll

Filesize
7KB

MD5
ba4063f437abb349aa9120e9c320c467

SHA1
b045d785f6041e25d6be031ae2af4d4504e87b12

SHA256
73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5

SHA512
48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd759E.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd759E.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd759E.tmp\Processes.dll

Filesize
56KB

MD5
cc0bd4f5a79107633084471dbd4af796

SHA1
09dfcf182b1493161dec8044a5234c35ee24c43a

SHA256
3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c

SHA512
67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd759E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd759E.tmp\Time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd759E.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd759E.tmp\chrmPref.dll

Filesize
194KB

MD5
6845d147b88de1f005d9c6ebb6596574

SHA1
64523302e2b1e2ee7a31580d2acac852db3c7e45

SHA256
c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e

SHA512
cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd759E.tmp\mt.dll

Filesize
5KB

MD5
aac69f856c4540edd4ef7ce6c8571639

SHA1
2860f55ea9774d631219e66604051e90a43258b7

SHA256
6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd

SHA512
ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd759E.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\smqlthjz.Admin\user.js

Filesize
482B

MD5
61a21dca3790319d9deca3321832df20

SHA1
45bc9469d4d027fdc559db0f92ad00e76cd1cb04

SHA256
686d474785136d5e648d7e775897f85191ee3d70fcdd247c381b2adeeb2bf6e5

SHA512
c0e6455ed5ab9ebd3c45b1f2d3b16cd5130331f2278227b2095515b7f0be5c2c6048d35c54e9a41e6d8494037fb2be067d7ef2c1d1dcbb633deb673e972d342f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\smqlthjz.Admin\user.js

Filesize
713B

MD5
1a6214185d919aaedec19fe7f0983f40

SHA1
dbc4105e647b55bde55bd57802339e666e0cf3d7

SHA256
b69cf096b056e7b8f3a6d1fb54668065db0f72bec609f280afffd04b58e5a3f7

SHA512
c652ea14266473f6713c9d01a4a4993702e6d812c3e4f8f6d57bb1763767ee251b5fecb8d6824cf7eae879c3cb2c628d0192181341cfd58f0f6ea377e13d4d2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wzqtbj0o.default-release\user.js

Filesize
679B

MD5
701e5f14e40dc24415e5ae7ed518c265

SHA1
22e5e26c5b6615751dbd222e56d9841d8a612a93

SHA256
61f048a2f40dae329560d238786663f77e164fc7b57cf8140657c631932b2ff8

SHA512
828f608e97064b07f00fd750f796dbfbc64bc53092e4a219d6eca0596a35b1c03af5cd46ad75e8abb454182fa641f99f1fa71b454275651832a40f2631b376a3

Download Submit
memory/3952-84-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/3952-1600-0x0000000003B50000-0x0000000003B62000-memory.dmp

Filesize
72KB

Download