Malware Analysis Report

2025-08-11 04:30

Sample ID 250115-t7z2razmek
Target JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0
SHA256 19a18b2cd97bcb69202c9f203fadcaff5f23aa4b7c6b79ede8acb310b479fb0c
Tags
discovery adware spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

19a18b2cd97bcb69202c9f203fadcaff5f23aa4b7c6b79ede8acb310b479fb0c

Threat Level: Shows suspicious behavior

The file JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery adware spyware stealer upx

Reads user/profile data of web browsers

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

NSIS installer

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 16:42

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 696 wrote to memory of 5076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 696 wrote to memory of 5076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 696 wrote to memory of 5076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 408 wrote to memory of 4848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 408 wrote to memory of 4848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 408 wrote to memory of 4848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4848 -ip 4848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 236

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 3528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4924 wrote to memory of 3528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4924 wrote to memory of 3528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3528 -ip 3528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1044 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1044 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1044 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1044 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1044 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1044 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240729-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 224

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\funmoods.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\funmoods.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082} C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/FNMD/FM/1.5.11.1/funmoods.xml" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutUrls C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\FaviconURL = "http://start.funmoods.com/favicon.ico" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\Codepage = "65001" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\DisplayName = "Search" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://start.funmoods.com/?f=2&a=down" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\URL = "http://start.funmoods.com/results.php?f=4&a=down&q={searchTerms}" C:\Users\Admin\AppData\Local\funmoods.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://start.funmoods.com/?f=1&a=down" C:\Users\Admin\AppData\Local\funmoods.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\bh\\funmoods.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f\CLSID\ = "{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\aflt = "down" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ThreadingModel = "apartment" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrSrchUrl = "http://start.funmoods.com/results.php?f=3&a=down&q=" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\bh\\funmoods.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsApp.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsApp.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "CDskBnd Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlDay = "20103" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID\ = "f" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsTlbr.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsEng.dll\\2" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\CLSID C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\Programmable C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ = "IappCore" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\TypeLib C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 5c0000000100000004000000000800000b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200013202000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c06200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f51400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b271d000000010000001000000054e2cd85ba79cda018fed9e6a863aa46030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 4816 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 4816 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 1400 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 1400 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 1400 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 1400 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 1400 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 1400 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 2376 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
PID 2376 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
PID 2376 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe"

C:\Users\Admin\AppData\Local\funmoods.exe

"C:\Users\Admin\AppData\Local\funmoods.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 img.uptodown.net udp
US 151.101.131.52:80 img.uptodown.net tcp
US 151.101.131.52:443 img.uptodown.net tcp
US 8.8.8.8:53 crl.starfieldtech.com udp
US 192.124.249.41:80 crl.starfieldtech.com tcp
US 8.8.8.8:53 52.131.101.151.in-addr.arpa udp
US 8.8.8.8:53 ocsp.int-r1.certainly.com udp
US 151.101.131.3:80 ocsp.int-r1.certainly.com tcp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 3.131.101.151.in-addr.arpa udp
US 8.8.8.8:53 www.uptodown.com udp
US 151.101.131.52:80 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 151.101.131.52:80 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 151.101.131.52:80 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 start.funmoods.com udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.165:80 reports.montiera.com tcp
US 8.8.8.8:53 165.230.16.69.in-addr.arpa udp
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 r.funmoods.com udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\nsRandom.dll

MD5 ab467b8dfaa660a0f0e5b26e28af5735
SHA1 596abd2c31eaff3479edf2069db1c155b59ce74d
SHA256 db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73
SHA512 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

memory/4816-19-0x0000000002320000-0x0000000002332000-memory.dmp

memory/4816-20-0x0000000002320000-0x0000000002332000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\inetc.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

memory/4816-58-0x0000000002320000-0x0000000002332000-memory.dmp

memory/4816-59-0x0000000002320000-0x0000000002332000-memory.dmp

C:\Users\Admin\AppData\Local\funmoods.exe

MD5 e10aa65bc9f094483b45ee6745e89606
SHA1 f69007d78c2636c53afe608f9eb8d116603652f7
SHA256 5211d85e3d577f54134a8ab8c5c9f23bd3b7332825dcab75a19258b25790b37f
SHA512 b7c55c05f53bcac6d077cdd69c37459f3e3a39c719489d7027d16d87eea96479f7baaedb31f4a7b2e0a39aba872b6435be6dd7fcdce66d42a94c87ed2b49cba6

C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ckv2sw8.Admin\user.js

MD5 0c7c8a283b16e0fa47c0016069de06e6
SHA1 56dfdd0983f1ff14fd39acf3094f38e40a221e8e
SHA256 d34969a861d89c54d6a1f430cac910c32203c47def8ceb55c28065f508c3d7d9
SHA512 4028c03372de5c43493709adbef322156fecced278707c3c26949dd54ff3f9219f8c4f405ad8f4e69cebc77257fdbe4ea5986aa5e659098e5094f0f666c1d314

C:\Users\Admin\AppData\Local\nsnF34F.tmp

MD5 3062047a2880b6809f9f5e203a624692
SHA1 6ae308f3d7b8c4d30f85a8e6288f88f1500f0d4a
SHA256 eb8861bc4c152c0c8fe13e9ee53b4fcb84733ac5539d0e86c98e2ec3015d6184
SHA512 066e4a0cb8c06ae1c96d7d0d9b39a5abac8e5fad258ec8c8841bcf81293fc9a727f275813836a0e41c1b34bd67f0f33532a701bbc888aa3f1edcede970cc64d3

C:\Users\Admin\AppData\Local\nsiF32E.tmp

MD5 06c42349f82ace83f953695a7036967e
SHA1 3488e08a3fb81316456f6449bdeb9254c3b4f5f8
SHA256 afa2580870da87ca052d778bb13ea37bea1cf83aae932dcc575d700e1c9e831b
SHA512 272c97324cd7922a9fb6514f3b082655a09d37e70381f520c012ad285fe8f55d88c8c79dbd5b80cf6009e4934c2255c98f99c6ee97639c481330c8c9f509061e

memory/4816-224-0x0000000004BB0000-0x0000000004BB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\user.js

MD5 21e2ca66b86e5bf3a6032fdbc45e90b5
SHA1 ea70be42630e89f7a650abb4e71852efa9893c9b
SHA256 704628eb647ff0f3e61d951bd0cb3f97f7e58a8284c4e50c71f4369aa111873a
SHA512 3757f022724b7ba2efb3c0f5da649bfa8e609752266fde6b2999de31fc01390eae20e6a65d8cbcffaf338936de5dd018b76953679e763448078e27b208b9fd65

C:\Users\Admin\AppData\Local\nsdF44F.tmp

MD5 a6586122c0662f36a4f26b6c3959811c
SHA1 929259027561933065e6267fe948b33bd549d2a8
SHA256 2bce865f219fe68157cf29b115642d1c68a0cf062c14e3853321e4d7b4fc4edb
SHA512 622683523e7049eef983dfd0fa177882b1a1fe153aac634308b2ebee5b6b1d7bca93ce67327d77d9e2df13010ef7d2785cee5752dc7847435f71ba1c8d156bcf

C:\Users\Admin\AppData\Local\nsdF451.tmp

MD5 8cd889b2732d44f4b63bb9e376128973
SHA1 d1fd1621ac821c096c5de67367403270c868b423
SHA256 b828a98fa04a684e67cc7094e2a53ab7b611e39dc655f6e812541560ef99cc79
SHA512 c878d6bb0941dbdb9ec32fc8437e8ba775645818c114f8ae2b154cd20ec9cdc3759e4151a30582cd0e55f8b73603a4283335a98145d201b8bd816ce5533c0808

C:\Users\Admin\AppData\Local\nsyF51E.tmp

MD5 7278e2536cdb7b7b289d1608b8bb731f
SHA1 ae9ae0d8c25ca64553b56eb8fb4ed5edc5c8833c
SHA256 145136f0c0ed3502e8721cf84cb1c6f686216e1027d232202a2811141914fdcb
SHA512 b4650b56ce6f7457a1783f20bce99106fbeb46d5a6b7740e165d5c9273c6337c93f1145afb00f64fcff141d082a1153a70da257d6d00562fe9479f4d8e2f45ab

memory/1400-1136-0x00000000022E0000-0x00000000022F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\user.js

MD5 b804e77d692f76f6b411f020cc930dc0
SHA1 019911c69ba034cf0be5f9ef70d9d748df9eb98c
SHA256 d469d6f59a86889c7d5d0282279b19109b8f5d7ba1e8552d355805417a8c2c46
SHA512 47978f97fe69ef35b7ffa7649f3289ebc8fb5c3a12a201d763a4607b9f63ff39d2e66be629b82f8af0521bd1930d604a981dad63d976a21d69f2be2219da7c75

C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\chrmPref.dll

MD5 57d63d48f0bb2fe9b3751342e1b0cc67
SHA1 65afbce77b4990f7f5efb5251e90bd9cc744583c
SHA256 72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab
SHA512 5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe

MD5 ce86ace6982b9f2d8836ff204c592dd2
SHA1 60ed4aeb4cf23e043e19d3746a1bcd9afa58a3ac
SHA256 3d808021dfa4617de80d49c7aa6620868577cf573b7a88ed24b7de30a1d4736a
SHA512 c95f53b180ef67fa74c892dcb3b878a6a722716708387b13153d6b660b3111fbfaf9aeb9381c444ebf28166a66923817d0ad57acf076e23650b1ca4496348caa

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll

MD5 ac557d58c73411da1d2aa66109182dfa
SHA1 d464184873099e2f3f1700bcb74284b8ca7959ed
SHA256 01f196deedc9c921e810e083f8f593695596718af1a216df25c4b9b8bfdb662e
SHA512 ceeb8705cda49ef5b17d30cfb8264a57cbecd1fa799906246e2e2ac82575be28547b4bd96953518504067a7538affc570205ee22914945a3f41c0a729eda8617

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsfF977.tmp

MD5 9a573122109bd0eb9d9d89601f5baae0
SHA1 7bb54aec051f708a8e7d0383a3937fec89e91ed5
SHA256 a04e1eaa4b876e6fc57810383076142ecf7c44844379c87aace0730ba5316732
SHA512 4305aa38b28d830663eabeead44b348dfbc7cad784e53abe8709b9cba42bfc94c8c1102d072aa26af5c4fc0a65be12f251d6d66549ea4c9aa0714ab3840b7a32

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll

MD5 f95617b082693af8490edb28b771870e
SHA1 e6e7ffa25aa1acfa07888fd388af8dfaf28da656
SHA256 7352aaebffcaf4293bfcc66b4b3af0d9a20ea9cf5746e3fc6d548ed2d31a6b0f
SHA512 72bec0ad4efc4508b3720ed47e45da49b2c92d49878524dd1245d066788e4c508c96866b16ef8d984a8031fe8d5be6a4388acb46ed80c8b35e5a7b56f9a22508

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsqF9B7.tmp

MD5 f0e0de251179e1d4f03ee28c211d6d70
SHA1 4951792a9ec8329145ab4f176e61d4efa70cf99e
SHA256 d1e2ca289fd4e353e1307446ec2f66fd01665cd0b7a84e8936eedaf7c7ba33fb
SHA512 9dc68d752c1f7ae57d28f1375b06bd5f1a3f4023d7eef05143de0f5412893dc4b45f5ea35b62a9efb30962749079975eacdd336ce52b490c1fdce411fe0458f6

C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\IEFunctions.dll

MD5 5a3a8d916dd0071f16d217bbcfe7d047
SHA1 c2265fa5cec491706d0921e4274c674b693f326f
SHA256 465e81022be2df0433a6e02d427a79dc733031abc89d99746b73576a976857e3
SHA512 8908ee2e329171d2ee430aacf7f86be565472cdb9b338786188ab37d6e6a714e5bc98552a39737ff8a5f314730c9f351aa0f1fa8207eff32289d7bccb3e05a08

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\funmoods.xml

MD5 4572bfac1a74abe2d4d716871b2c9cad
SHA1 daa25567a196e9e7b10b2bf33ba35299f2c16f84
SHA256 8f2ac3e5f4345b19010d7dc0a7ed835727f5e7780f4c00517aadb18724dcaf29
SHA512 285f22cea572aab5b37acb00e1e77db684e57c40361bf7eb05dc27c0ac42587b1dd9666cfaa9547862db43d5284c0e9087dd2c45247635fa22a51a6431267d15

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nslF9E7.tmp

MD5 62a82675fe80409c19902610a0a0c085
SHA1 0c80c106a2601bef89b3b6e5eef206216c6cd0f2
SHA256 5bef586c04f5c27e8dc16b62aacb56acdd828347019f9dbcc9711691f956a5d0
SHA512 64ee95fe38f2f932b5a9335387c16c95fac1b07e7f74875d9f2edba1fcc96778d0cf2109b23cb81839946fc3e3124ea31356b263ca84957459930583460c35bc

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll

MD5 9001188b424b2c2fa40368ee2b1df506
SHA1 6ac9d3d3e42acc49524bf9bf80ff3a473c90212b
SHA256 5809a200cc0524511e3769e2a8be748404eb75b317cec3fac3ebcc4bae850cea
SHA512 9d7b793a5fbec2311f7c2ab11b15fa641286d1bfd5d04df78ae535002ea693edbdaefa30fb0fd3b288ce0f8045d743fd1bd1eba8c5f8f5a6f53dfc51260e8906

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ckv2sw8.Admin\user.js

MD5 720b65b2a770bc6138438fddc6962500
SHA1 7df0b1c24c8c2322ccbb95a30aba10d7b17b9259
SHA256 531819f9be5b043f982080a0e801dc27b37e7f0d6ef10f4d6cedb8b5bf31a1e0
SHA512 54f05ae9ff38b13e7f547ef59cf88b291f8aab8d7892a6ca448e05bef34ca405cd09e8c3b5a3d7e47009d5dcf53e03f7368e1ac8e7f1cef6c61b22a8dc3d9ba3

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nslFA86.tmp

MD5 72098deaaad52be23940e72f28c7680d
SHA1 a5361fc2b4cf32b1876a88b7e8eeca25d1f5ca1d
SHA256 e2e484a10428663298a35c82c858937c001b099e39fa0d60e1fe2a09f744c494
SHA512 f84faeedcdd79fda1750aafc58c44fdfbf0497e26bd6b4ddacc24cf5f8e6a7edbac0ec084d22d62fa21d31c9269223cfcdb3b14fd72e8bf3dde054b9a453c838

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ckv2sw8.Admin\user.js

MD5 6c9c0e1c065d8b3e26b7fa0497d3ea75
SHA1 7df20f1abaf04ca5f94d492e0ad9fe2f8eb0d6fe
SHA256 8e143c953a4f72586023bc183ae49a5f6116aa213dc7287e5ad591c0e8207c66
SHA512 ce8138386e7f56ebf721a611376441d80b9f7b227d352671aa4cc6d6664095fb904f9ff401e26c171c61235971094130baddd8029e9fbe58dfe8c0a759379c68

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsgFAB6.tmp

MD5 dd93dd3ebfb0b592732bdee5bdcf23db
SHA1 3e56df3803c4c23b52c031d749ab627b0515a586
SHA256 eb9d282bc22910cc105ce4566971cd17cd400b0a1ac4ceefa11a6cc10008329b
SHA512 5872221127bd77139ef2572cc9a90ffc1dd74fe45630c0a32e5d568354ae43d7de201bc494da5b4e9fe0607661e81ada212e32d7daf7ab416019cdeaea8c7515

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsgFB55.tmp

MD5 c459f044c8acab0ea20b4d96d9611e6c
SHA1 36e1a94b96909c333830d0272f1f06ebc33ea64c
SHA256 dc0d996f5f64c2982b0f554aa8419901ef8ccbde6a2817ef9c2eae254db01069
SHA512 ea340b7ecfbeea0de0ced8f274c40db42f87f1fb9a761af18f4a0c3a5621f47ab0c509f933c9c93a86cebaafdad6b5c6d78c206d8ef75ff8e480dd9fb4daf707

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nslFB75.tmp

MD5 412da775db4b54c49ad156b8b6f5ab74
SHA1 c736d65d487aabe591ce42bf6e8d10fc7f5829b7
SHA256 7cad7e22a9b84cf52691e666cbc99e4977defc74de12f772f8752e551544ad99
SHA512 68b3e6c274b035d48e68dc73996212154a92cbcf6ae508f18280349b7e1c26efeda76024530a8a0d4cf495eb27afc264d71c7e14fbfe1ce46b1199516a924346

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsbFBD4.tmp

MD5 bdbec4d620b4c4658d39070752f0e5e4
SHA1 bb9e0b89cfd028a79bd1cad9db4fb54c029c7ccd
SHA256 ff07e15a4e1e1ba84ad9d9e0892c4bd4a369c00bbbd6ea0c514f60acce26a05d
SHA512 adc6a8e4c8ab0d3c4b1931c86ae40b4335a567d680700809b4cacd465c9d53a9759a4e480a1deb6da26f5c873fe2729186f6b88e7ab059fed98a609badc36308

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\user.js

MD5 122384a2fb0a6d2defd644ac0a614227
SHA1 a43a0dfd8faf6cc8d2922e5dc551f24381708d76
SHA256 370572aaa27d7b6c1bf15cee5f5c148f002db60b44fed73ae58a2fa1afc96fb8
SHA512 b8c0699e77450055a290cb60aae5b5d3466cf02d30453390b6aa33c60db4d8a9f991d6001fc383ca3575528cc038a8c16f60b7eb380bb68eea4767c7e6f42c1c

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsrFC84.tmp

MD5 fb91b861e2eff8844a79b3d20481415e
SHA1 5678e1cb7e56972ddb38f493dab8f6dcb2c55452
SHA256 f49c1a6f2c93f0fb61a43e61716f47371508ff5affedf1d1f53777bf3dd90f29
SHA512 8857b67fe57932631cf05e6b5be19a1fe95208b33183e354a121cc61ee0fe5c955ecd1c192a1e956046b7f1f93a50fb366111ab1c7c95c04b395d9279ed38319

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\user.js

MD5 3a49c3d986994bdf8ec9ca1f13ab9308
SHA1 f2b65b981f81b403053aff34e3eb7cb1665a281d
SHA256 e1dca9a4d2acdbb45629e66d70e82c9e4e05e60eadce0b08836b587acfc86d0b
SHA512 a48e14a3cbefab953172514b01bdca9db1962ce22cd8e4f552a8845f6e72290757256c9ae4aa42bfe4d9398c7c18887addde4685f946940b66a919f40ecc39b1

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsrFDC0.tmp

MD5 f44793fe2999354e679e47bf6a5fbdb9
SHA1 48f904a170935a2aa80b45b9e6222d41e2a93782
SHA256 5a38839f7d8574ebe7b0fdaa0e5099690b053ad8ee46ee0e730649b0177ceb9d
SHA512 c0d1e155a0d8865b15683c29898357af10cdcda2a57b017cfeaea5a113a3c2fc3b3db1cd51c5abc65e660bea21d24fad63c0995046be224acc59014ca007f829

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsmFE3E.tmp

MD5 39dfcf2906eee958e051a42cc5aacea0
SHA1 ef97c611be6646c003a262237b5139820e7c4ce3
SHA256 d6b7d13bd2aa7f19b44d7275ed61eb72d2a2eb411757a14fcdbdb153803a2793
SHA512 c1b7d0fef62e4870d4c109f05a5a38742ce7ceb77bce0507f0f3e410143b9a82881c9a636e97e1246a7e1b8418696ae33ccf5b9515b63b7e403d1be085bd6d68

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nssFE5F.tmp

MD5 1da1785492e6a2721ba238ce5dd9b5b3
SHA1 c39f01af6c273e70c6ddb2c92bbcdec7d983c125
SHA256 22d101e38d14b29e22cce6cc6229ff7681b938d16d32ab984e8d76b9da626453
SHA512 6e13bd0e8e84f36a0ef52b20e043194237d026ff8e135c9b826cd4ff0a71ffa1531b40fbc01f0dd93560875786897107ffcc841e821b75ae553ad722e0d1f9e9

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nshFEBD.tmp

MD5 4fd339ef0589a83c3eab32699267716d
SHA1 ad2af6cf7375f15e7270a214ccf0a3f864d111cf
SHA256 51247d54f9cc800d5435191b202298ea0f3ebc3baaedf0f40d9431d44e0c3539
SHA512 b9d461315cf1689a7917abc9f2f5bf93ad0a589668117d0e7198a7d2dffbc775bf1fd5384a68a228b609ea17151274d4201fe8c6959d50fb20a6ca6bbca4388c

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsxFECE.tmp

MD5 f30994449ab5fb1c6129e98b0b968f2b
SHA1 d0da0692377c4bfe2ff990321eb387bed7d333ca
SHA256 b8f379228ab4bf4bed62af0179f45e8b307aee4c3ba5a5f7b561b43a4bf16674
SHA512 1a8e2e731ef300183f879feb78d35f7d5f8ced67e11130eca2f3776b24fd5c61dfcb61b9633f93160780fe4b8687798bbfecf1254b6244d370a3fe1b659aa0f6

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnFF2D.tmp

MD5 005fab27b135b16b0d1ea525dcb0c793
SHA1 ea0de0edd5c2ba5f0d9d851c089c4c09dc0376af
SHA256 4735f776aa686198c80f523fa78b68a3668f6753f8f51a91b023611634d97ea2
SHA512 98f265e24c7e70ef2996c3a112776e3d20212df2b9e56ac2cd93c39f49f0a16e0da0df0994dfff179418bcb7dbcb6ee94826176122cd2976c5d92d75fdeba766

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdFFDA.tmp

MD5 1b6970ff0e42aab8cda50dad88c79003
SHA1 283be10551400779ce7e21af8d2441a83abc6fe4
SHA256 d5c5583827312d026ed17b5963dd7cd2d8c659a2755afd6c4281ca41c93f4fd2
SHA512 b7a1568ec9009348778996d14f780be56a9c2770303cc9c2dcb8787a30635f3b3e0ac72c7fa8a7fea70ca5b3e1bfd096cad8b3de02f14eebda9df8f9c8a51eb0

memory/1400-3161-0x0000000004030000-0x0000000004042000-memory.dmp

C:\Users\Admin\AppData\Local\lateral1.bmp

MD5 09fbaede48cfedb759e640bed10d5dbf
SHA1 e1c0a5a77042595beae53955cad72143aac61045
SHA256 e9be711645adceef7a7f55ad9b573cf67910c885ebf63024928656823079512b
SHA512 aeb67c0ccfea4b5c09dcbb398be9e863c3c35eb3f9cb8c8eb666e8d69fd00ac6195024e443333ce5645a04b00c38c17182533d9f8ba7312ff446f1be5cba0d28

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1caa54207c56b9df0fd4aa6cd3002d87
SHA1 dcd5bdf23c52bbb57574366dd3a07158a3198603
SHA256 39325ac4d09d4ac26f7a7f62d727fff3f98c8d12c2934ea74d6e6c449c1a962c
SHA512 1775d915cbc07cb908cfad0418b08fa0841bdf6548111bbe044da404e23c7c9cd320154050e5a19a283d06527ce79201577b106dfdf6d4c25eafe21712fc45f7

C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Analysis: behavioral24

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3668 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3668 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3668 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsyA14F.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

\Users\Admin\AppData\Local\Temp\nsyA14F.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsyA14F.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

\Users\Admin\AppData\Local\Temp\nsyA14F.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js

MD5 c6eda8e55f8669828ce84830dceac5af
SHA1 da90cc768a6d7bd7bd2507a2f572aee2a48b3a65
SHA256 e4ebc6e7a465221d9fa549c61020409c43b7bcd4c5315f59155654d906a92c83
SHA512 1f21107d269fe4e3d35ba431a7b8414b2b8f57edda4987d3969d561e2c96951ed727ddc4aa3c9df2285edd25f0b593171fd02bbc5178cedb0c99bfc5b2d2f3b9

C:\Users\Admin\AppData\Local\Temp\nsyA1EE.tmp

MD5 c4b8833c291dcbfaf8fcf9208c7e231f
SHA1 d4810343d6fa4698302557fbedbd23c5d5b45730
SHA256 e6a5617414e2ba41120a626843d5918c5613cd87c54b8eac6d0faf147ef0c1c7
SHA512 319c3f225a75754f1a5cdcc90abc563e4b0d4f12a337c23107ff8d6c54be62c07b3a664fd687f5fa1fb3f69b3984c2f3a47684d0c842d2c699d8f95c37e2063a

C:\Users\Admin\AppData\Local\Temp\nsjA230.tmp

MD5 abcfdc6cfdb17f543e0ac433394bada7
SHA1 ca561a3814bd5c380abea0f76a6450e958b74654
SHA256 d1d7b36fbd079a76db4bc42e0fa27bea77428a32802417691151dd1eb18a6b6b
SHA512 19f5e9a51a7fe12a190db6b1f99e508b8d03d88bf8dbaf11ba0db17c84dadada384315017fba41dde58cc7369fec61342e0849f47ce9f1fa5ea824100f019228

C:\Users\Admin\AppData\Local\Temp\nsoA250.tmp

MD5 82c7e0e70d064491fad74a736f78dfa1
SHA1 792298c6355926cf86d7edf44f1fe97456402fbd
SHA256 2755137ca859bfab7389694be42dbf124eab3827c310271044aeebb4aca2d725
SHA512 0f1edcbc930c43adb0deceb0dd7f9b99652ea705f89cabfda1486015f777233d7e2392587cf2e503a3895fac626f52caa130eca1126b22b29a1f8658d475a5c2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js

MD5 4a2d448c0be622b9ff918c5352d52948
SHA1 102a8c68eeab088fbcf50430e9ef401f655ecdd9
SHA256 a0c357cf390c150fae4aa8fade08b88221f1fad9c46a4e03ec5e840febf11921
SHA512 d9a4198de4e8ea8914c8d544de708628bec6cfdae7e91e7a82bf436136c9bb65aa0d152d85a4cf5f284fc49445c6000d83eb5283d617b6fdaa23beb9a11983aa

C:\Users\Admin\AppData\Local\Temp\nsjA281.tmp

MD5 1da0df55aa5147b962024730e8fda687
SHA1 7bfcd8c8e5fb1a23d49bf3e4575dc9b6b022c377
SHA256 09dd86231540764ed0c64214366f297a9b4b431d488a26f265e6e926d3cb1c30
SHA512 78106806fa6f7a07565a3b8d1e84eb076dbbe1cd1a61ef57123e3b95e0153e27584490a6b02122db5271e9e582b0b956ee243c1af889dfbd9379ba69c4155884

C:\Users\Admin\AppData\Local\Temp\nsoA2A1.tmp

MD5 67bdb6e5fd9fe8f9ad74c9cd1f318674
SHA1 6a46b660258c366532289f29cbc72463308b6ddf
SHA256 bf915aef1e1d6747163b233dbac1b0fbe7704c05cc941dc5879c3d1ff2fc343d
SHA512 1671d0811ad1b43ef2ad7936547560794a3fd819ecae5c8dd5f0bdf7aadc0004d9be8aa7c2b447514e6d2ef0f32d799a775546063eb865bd744db29f245d1d53

C:\Users\Admin\AppData\Local\Temp\nsjA2D2.tmp

MD5 99276dafb9454a3111f145251709144c
SHA1 932eb24e55565cb7699278cdc3c75976e835aaad
SHA256 f5affe255dffae659cbd6dde9b0ba3f7d9931ef72727f6ed9a9372e92e29ad34
SHA512 7a129343c75f9dd015d75444e32c104cb3e710986c4a1c490a9e43b768f74a7459d0cc25c2d6edfe085aac7d364c81aa3d53fccde47c29292234c308fb83e131

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js

MD5 e65ac0d92a12719ebd70eb64dc3c9db9
SHA1 e27bb357c3c451964702fbfa447e3f5e97a5d8ea
SHA256 2e84bc04e4803dfdfe64345de6d536b75dda1680bec617f0eaaee1547c41cc82
SHA512 0cbc5e2bfb6436aa07dd9fc036dda5a127d002ea9063c4ff2088278be2398e558b69240696d3908181f501eb4d4edde2832b0382304ca471fdb189dac003f93c

C:\Users\Admin\AppData\Local\Temp\nstA312.tmp

MD5 a1ce1651f54d92d7f048bb75579f8210
SHA1 dd96fc611b4ff6e40fcc6c2a90ac10c39cc91096
SHA256 b0e4d99d2447f5949449eae33044647aebffc4f33135bd6bf1c17dab8f47568c
SHA512 77fa6330048030b13170dc980f61f88a6fc6d0a71d0edcdf1ddf6058f8b1d6117bdc78b71aa17d01398071aee300e84ceb842271d5a52e73656a7a8ca569a77e

C:\Users\Admin\AppData\Local\Temp\nstA361.tmp

MD5 d66b7c36887a3a1f869cd8b637cc43b6
SHA1 2e7ad1e83bbe8ae41a119efcaaede2bc82e9d8db
SHA256 d7516cb11c81e5ef2e0c7cffa7175c3a7f36f945e788a27024fdc79443fdda45
SHA512 155ba55e437c52f3f53d27750fb8365f3489c08a00a8a842610d9d2687aaa067add493273caf5b49fe4bff39eca917eb3f4b4bcb58537119b3ce82e3ed40ceb8

C:\Users\Admin\AppData\Local\Temp\nstA362.tmp

MD5 c42ac66e65b412612edb71a328403241
SHA1 4461abd35d83f1c35460c8594055635ae41ff585
SHA256 949f7631b32975077cbdec0aa2f5e89515236493811761f4ae9104d5368cc859
SHA512 dd8cd0b46fbf90d1954174eab59fb63734dc1e840aa3786ae1579ee8ef90b5c8a5dfbe0c7cd0b5518a3dbed22eb00f77bd8d8e1cff6c0ba43af257486b06dda8

C:\Users\Admin\AppData\Local\Temp\nstA363.tmp

MD5 312669ce514b8bc32bb714105ed7aef7
SHA1 33c38cf50d1537fac6ba4fc52d5630fef5b48b33
SHA256 bd15ca594d081e2792a821ca2fce6aa065664e4a885d545c7087b17984da88af
SHA512 d08d27e15a3bd6bfe3ee3236a478a15776786fe042f6eb01958a011eb15cf8c9b6c32306eee9635e608235ca0e16f471792518d06e79abeb1f8f4ea2f2876e3e

C:\Users\Admin\AppData\Local\Temp\nsjA374.tmp

MD5 50a304f854d280d8cbf9891a23897ed9
SHA1 371c3b8c67265abf507d28d76bc159af9a1a3edb
SHA256 d3cc1ded3dfc6fa1c8bac9bc175f695f12d48ee3a6bcd8defc643075712bde97
SHA512 63a6e9b44fa19c479719e7f1c13c85cdc91a7adf210924880232cd754140259d4b437c3684a18afee70099b0a4166d59abac3213e4cc0e9c9b55e983b134df54

C:\Users\Admin\AppData\Local\Temp\nsjA375.tmp

MD5 86d36fc714b08cd9c8867d386705dca8
SHA1 171026e987ee425fa37724041d0a8eed13cd836c
SHA256 a6d859c3854093cce6cedb105bee52784203f3dff42d081a6fc684fbfdf89ee9
SHA512 04cdcac851ac5ef5aa0c29fcf7c4ac51871d9e68b3a2129cfe108b7e6f3dd741916fab971ef7f70790cd877622d393232dd62798c981f63efadc8726c0d04733

C:\Users\Admin\AppData\Local\Temp\nsyA385.tmp

MD5 44a1caae3ae6b7927ed06b79b433bca1
SHA1 e1b217373ca90f05aa96ef304d614503512e4314
SHA256 2853f85c31b515f1e3a3e1a5c3dfd2f38a10f9f6f85f9ec7af53b97507b0eeb2
SHA512 2b95ef6879811107a5620eb478d678d51341dd701cd316317a34953c256ab06b148dc5fa23edd16d11dadd60280fd75b0960fd5d16021c9f0bc5f154a572d66a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js

MD5 e14d5067a2f09b8a6356b09356d41a94
SHA1 013b1260dc29f5b6e022ba2dac6dd011b5be390a
SHA256 1d1aa82d8cc2cea6e90b19977f96463718e02cdee3c17294ad809890aba0d5ac
SHA512 6079f1dbd241b88d14bbeb0bbf4dd79016e4133f0178a5ee992eaebe2b04b17027b923797594146193076789d38adeeb58b9e82f1c2c64997c2138554c2420c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js

MD5 0433d4170f1e241cb8bbd4388fb9ae3d
SHA1 a2dc940d7c63cf66737931f8d96e73e992d1de78
SHA256 cd19e7f5492b496e5dd100e0b5962db42d5de505b25f5e3af3082c7a291c0608
SHA512 34c8cffb4130338fd2d173b59c142b986b5b7617fbca8a2640939e0c4bc9619930d744e8d65fcd8ddbd1daa9c0ff1151cfe3d238385305aabb440ce1d018288d

C:\Users\Admin\AppData\Local\Temp\nsoA3EA.tmp

MD5 9d902f232320f460fd38ed523397e1ea
SHA1 34bf2740c3e61715fdaba503771aca292184fe3f
SHA256 117e36f2e4a2bce84c20603cc9e60680d8952f9d7a9619c4a318fd17b772f847
SHA512 afdabce0debf13217e63193390e1fd3ecfa03679343d5f84daabc337a4bdeb490739871cdd0b1c6f10aaf0a619a84eaa963549ad374162dd32599ab13d98afb0

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutUrls C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/FNMD/FM/1.5.11.1/funmoods.xml" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27} C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27}\URL = "http://start.funmoods.com/results.php?f=4&a=down&q={searchTerms}" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27}\FaviconURL = "http://start.funmoods.com/favicon.ico" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cc03d4b2ab14914fb6ed7db01993b5f000000000020000000000106600000001000020000000a6537c09b245a381216bfa8b5410fe5070f24763ba975f40681ed168b9e2a944000000000e800000000200002000000094e6e4b25c6d124ad35f4a607eb2394b73f7abdf14d2fb6ac38dbb238ece8b475000000040c34753f8cd691bb52ca74f641b575aff42688dfc6812775722ba21b826ad4206571b041e3a18a9f9ab8e48aeef7215cbd0b93cf6463f367b6225e2224a0a3cd7e5ffa0f65ee6abf8755061a0b70f8440000000756453beac2918ba973abaa012b56d36c67ade03502fe49b8229ab98b56477e028b5fb48b7302df1c7da97f76e3c8010dc5b24f5904ae3a76cc5526c8a53e2e4 C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27}\DisplayName = "Search" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://start.funmoods.com/?f=2&a=down" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27}\Codepage = "65001" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cc03d4b2ab14914fb6ed7db01993b5f000000000020000000000106600000001000020000000958b5b02a0b829c898577b2216faa672014c116c573a60b417f47773aa76279b000000000e8000000002000020000000a91165a664de3c8d550f81d33247ac47a2cf048195e814db2e0ff4f7bfb70549100000009bda5071eb73d2a709fc001061146b434000000060de59156de1a61b7580edf3f6b81f708f2f145c497032b4b2b56335331d870aa6a8113865838f6d832e38bd2796304b620d9fa89f46e32f90a0b34b4fd6f029 C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{516B3355-5026-40AF-A6C0-A99ABDBDCB27}" C:\Users\Admin\AppData\Local\funmoods.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://start.funmoods.com/?f=1&a=down" C:\Users\Admin\AppData\Local\funmoods.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ProgID\ = "funmoods.dskBnd.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\ = "escrtSrvc Object" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID\ = "funmoodsApp.appCore.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsApp.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CLSID C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID\ = "f" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ = "IRegmapDisp" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsTlbr.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\ = "esrv" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodssrv.exe" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ = "IIEWndFct" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsTlbr.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer\ = "f" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlRef C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ = "escorTlbr" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS\ = "0" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 1836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 1836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 1836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 2624 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2624 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2624 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2624 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2624 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 2624 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 2624 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 2624 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 3012 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
PID 3012 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
PID 3012 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
PID 3012 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe"

C:\Users\Admin\AppData\Local\funmoods.exe

"C:\Users\Admin\AppData\Local\funmoods.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 img.uptodown.net udp
US 151.101.131.52:80 img.uptodown.net tcp
US 151.101.131.52:443 img.uptodown.net tcp
US 151.101.131.52:443 img.uptodown.net tcp
US 151.101.131.52:443 img.uptodown.net tcp
US 151.101.131.52:443 img.uptodown.net tcp
US 8.8.8.8:53 www.uptodown.com udp
US 151.101.3.52:80 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 151.101.3.52:80 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.3.52:80 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 151.101.3.52:443 www.uptodown.com tcp
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 start.funmoods.com udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.165:80 reports.montiera.com tcp
US 8.8.8.8:53 r.funmoods.com udp

Files

\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\nsRandom.dll

MD5 ab467b8dfaa660a0f0e5b26e28af5735
SHA1 596abd2c31eaff3479edf2069db1c155b59ce74d
SHA256 db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73
SHA512 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

memory/1836-17-0x00000000034A0000-0x00000000034B2000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\inetc.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

memory/1836-42-0x00000000034A0000-0x00000000034B2000-memory.dmp

\Users\Admin\AppData\Local\funmoods.exe

MD5 e10aa65bc9f094483b45ee6745e89606
SHA1 f69007d78c2636c53afe608f9eb8d116603652f7
SHA256 5211d85e3d577f54134a8ab8c5c9f23bd3b7332825dcab75a19258b25790b37f
SHA512 b7c55c05f53bcac6d077cdd69c37459f3e3a39c719489d7027d16d87eea96479f7baaedb31f4a7b2e0a39aba872b6435be6dd7fcdce66d42a94c87ed2b49cba6

\Users\Admin\AppData\Local\Temp\nso1095.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nso1095.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

\Users\Admin\AppData\Local\Temp\nso1095.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

\Users\Admin\AppData\Local\Temp\nso1095.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

memory/1836-119-0x0000000003980000-0x0000000003989000-memory.dmp

C:\Users\Admin\AppData\Local\nst1105.tmp

MD5 06c42349f82ace83f953695a7036967e
SHA1 3488e08a3fb81316456f6449bdeb9254c3b4f5f8
SHA256 afa2580870da87ca052d778bb13ea37bea1cf83aae932dcc575d700e1c9e831b
SHA512 272c97324cd7922a9fb6514f3b082655a09d37e70381f520c012ad285fe8f55d88c8c79dbd5b80cf6009e4934c2255c98f99c6ee97639c481330c8c9f509061e

C:\Users\Admin\AppData\Local\nse1145.tmp

MD5 aa4d624ec6ddb4db8f587700e83fcde7
SHA1 8ac1c3397c90be253a718dc8af9e84ee63ea4185
SHA256 7f7fe8a15e9d52cc9bb617544ad0ed458afbd7adaaf99bb06d18b9b8da3637c8
SHA512 0c206d53a114228c675b4d328c1bd4b297b6224e113c076353d4698bd963898f58fa4a75281db04ebdeb6051a9aed95f01ba7f3f164d2d24dfc397437106b210

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js

MD5 263956e932a663281f70126c8ab7b72b
SHA1 ce03abd9aff66d4492d2df98943df051f081b2d7
SHA256 1f136822737da4313b695d47e5ef874af58defed029239bc91720b1cc12623ff
SHA512 bc36de595c2c2caa4fb210ec15c6e46d0f1f2271cc065d54b47891eea9bbfa14f2c9aa551312379d4f06a73d7d916313290a0dd25fd11dd7741af75fef7d1f52

C:\Users\Admin\AppData\Local\nse1198.tmp

MD5 d8f9a0b75b3f26b35a60282641c34ec4
SHA1 a5578ab6139a5a36c93351e1db1b04762b2568f6
SHA256 f9ab80e456eaca18b242dab0c81d94431a0c8297b508f9a20f0f2cd3843da795
SHA512 8ef7e920aa982798a6c5517854c3bbaf382924ff6e3aac688e15ac8c49ca4a509fa4fc0bc452eea234ef7c40ca2d26c7d471efb9a04f21f8e61c88101cb81858

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js

MD5 35bd49cc80393a45ddd5dfb69e92e936
SHA1 8a235a288238d1ad253a2afed7ad8be6edd7b09f
SHA256 0689f3e70406af7fd14e5f3f25954fae558e4ed6eca8294e3ebc7a28305728ba
SHA512 8d755ff2bdd9116763a6afb465e583a43076d3d767a39f6ec46b2b3f20563d79f41a5409867ae6e21b1b0aa529806487aba21975344bd474a08341ccc0295e7d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js

MD5 21e2ca66b86e5bf3a6032fdbc45e90b5
SHA1 ea70be42630e89f7a650abb4e71852efa9893c9b
SHA256 704628eb647ff0f3e61d951bd0cb3f97f7e58a8284c4e50c71f4369aa111873a
SHA512 3757f022724b7ba2efb3c0f5da649bfa8e609752266fde6b2999de31fc01390eae20e6a65d8cbcffaf338936de5dd018b76953679e763448078e27b208b9fd65

C:\Users\Admin\AppData\Local\nst1297.tmp

MD5 7278e2536cdb7b7b289d1608b8bb731f
SHA1 ae9ae0d8c25ca64553b56eb8fb4ed5edc5c8833c
SHA256 145136f0c0ed3502e8721cf84cb1c6f686216e1027d232202a2811141914fdcb
SHA512 b4650b56ce6f7457a1783f20bce99106fbeb46d5a6b7740e165d5c9273c6337c93f1145afb00f64fcff141d082a1153a70da257d6d00562fe9479f4d8e2f45ab

C:\Users\Admin\AppData\Local\nsy1218.tmp

MD5 9078402e3f1787b308f74c6eac230755
SHA1 6b99c0a60317f05bc517b3e022043bf62b3db54c
SHA256 cdd7176f46745b59659b8e758fa15caa9874c7fc40c6bdd5558c70d3fda2b433
SHA512 fa80488b5da0dc74423db3ed61fe98b3cfdc20c2f68513ced04b56d72422ac44fe24ce9503e50c4dfef1ca186c0345ffeea5196322379441eb244b8cb4a9a34b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js

MD5 b804e77d692f76f6b411f020cc930dc0
SHA1 019911c69ba034cf0be5f9ef70d9d748df9eb98c
SHA256 d469d6f59a86889c7d5d0282279b19109b8f5d7ba1e8552d355805417a8c2c46
SHA512 47978f97fe69ef35b7ffa7649f3289ebc8fb5c3a12a201d763a4607b9f63ff39d2e66be629b82f8af0521bd1930d604a981dad63d976a21d69f2be2219da7c75

memory/2624-1082-0x00000000003E0000-0x00000000003F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\chrmPref.dll

MD5 57d63d48f0bb2fe9b3751342e1b0cc67
SHA1 65afbce77b4990f7f5efb5251e90bd9cc744583c
SHA256 72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab
SHA512 5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe

MD5 345e32c7a9584757123ea67bf2ff07c8
SHA1 125d5c8e973c0628a85135e760243a26af1b503a
SHA256 c27fd7cfd14f41f9abc8ca5a5a8f3174ca111a31e12a24434425c5dbc37d9e3d
SHA512 46b5ec65facbae54d9a7200ca809c6f449fad901e7571c2b43571ff8e13ecb5b14e081d877b073387199b11cf7865bed4cd396baaf33efd6e213815c196c0d36

C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\IEFunctions.dll

MD5 5a3a8d916dd0071f16d217bbcfe7d047
SHA1 c2265fa5cec491706d0921e4274c674b693f326f
SHA256 465e81022be2df0433a6e02d427a79dc733031abc89d99746b73576a976857e3
SHA512 8908ee2e329171d2ee430aacf7f86be565472cdb9b338786188ab37d6e6a714e5bc98552a39737ff8a5f314730c9f351aa0f1fa8207eff32289d7bccb3e05a08

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsj15A7.tmp

MD5 4a0eab80ac5f73615fe94472eca40210
SHA1 dd758dc7ad8c9ce4847c0cbfb4397641b8687879
SHA256 2bcd8746a649e0fb0e3c97475cd030cd776d967afe6ff33cc49bcd1ce1f2bce7
SHA512 17da8260e354266d4b0a0f930e39dcb9bf0c822a0e3de0dde66d1efceb37e6037701fdc55c3da8500d90c3dd753a3cbabd903f9bbf40dd7cfb57dc251700a4d0

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\funmoods.xml

MD5 4572bfac1a74abe2d4d716871b2c9cad
SHA1 daa25567a196e9e7b10b2bf33ba35299f2c16f84
SHA256 8f2ac3e5f4345b19010d7dc0a7ed835727f5e7780f4c00517aadb18724dcaf29
SHA512 285f22cea572aab5b37acb00e1e77db684e57c40361bf7eb05dc27c0ac42587b1dd9666cfaa9547862db43d5284c0e9087dd2c45247635fa22a51a6431267d15

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nst15E6.tmp

MD5 56abb28af8be952358661fe82387f768
SHA1 8db730f46ff5c5473d2dafdd18d9abda9e5f6c1c
SHA256 420092aa001aeb31e48d024459e776bd6be8a0bb507ddc4349e6a5511d60d3a0
SHA512 2b492caf605f4aa32f852f88d40ead7c5c26bd91cb670e6b8ec9d58a599a7bdb038086365e8ad3ca30c33dfdbaeaac56c0d85d81a13d5e6eb1eac810f9497317

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js

MD5 34ad50939227c403dded4ab2c75a9999
SHA1 6a0434bb714e48720f6a1ac429a45b894c21549b
SHA256 bb6414fb7e0965d42a10954f89a58b79479223d435baa5ff8317ed7a45528aa5
SHA512 db84544d395d34fdd436c2f1d5fcea20ff63fd3f60790800b7e45217ed50932332490f37b9b4e446b3bb1f02e8711cebc934fc8a392af98764f599d734a527e1

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsy1607.tmp

MD5 074d0b893c01ab477286792f38df37db
SHA1 dc620df8c64d39d1ac5986c81760ffb7d6c206b1
SHA256 075c330434be862544566d62b2cbd27245dcb172bc2333e8b83dc08adb49f078
SHA512 9db8a366bdd2c09501626b10ca6a35ff74e70ce9ee7b7ecf773f9c0ebb595daf84f9574ddf95ebf76a825a19161f6dc6648aa3e924564ab78ad822ec343beccf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js

MD5 87ba0ee318b41827fa592f6ac5ad902b
SHA1 1f6650251d0a77e8feb4e992fa6eccf40e0d4254
SHA256 d67989d74088bbf1afbc9dc01365277e179992c69addb284545e52fed9b62c4a
SHA512 4fd77a7eb0804c75d247598de38ea06b4247d1ffa465c4b590a716aee008000d3ed91d90c72f5d48d3748d76ea4f5e44f2c88a8d94594132cbb429c83404c62b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js

MD5 f77379615d44c83c207a42be8b28a3cd
SHA1 ba043d95172a9c3b1acc16547424db2399abf574
SHA256 cf193b36e5567404a83fc7620baef2fbdd4d7601827ea23ccfcd4e7842201e47
SHA512 d96ffb9f667175bf7397c8c018b44f3eaa5454519af05101d7e395e383cb358d72d1c3fb08df8de4a5d9309e12b80c2876ee31ee916d546afd8839830da35a93

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nso1762.tmp

MD5 4e5d69a9aa35bcafe76530b8a9c41260
SHA1 9dbc2f63896cc57139669413b98b375cd705ab5e
SHA256 9369a77778d1e8b84080e57c9f7fabe6cdc4eaaa88de2f2db2014291c268160d
SHA512 337f5bf04800c4f0d8de62b986bae23027c050855d6d8ebd43c60152f641a6d257ebfe07afae536ca7d76fc3aabcca42e1ac8c6197e8904d6580ba6aef5f3c21

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nso1763.tmp

MD5 18877366875d86d8ecf154164bfa4718
SHA1 7690a1edd1197ade5d2eef13e2c91355b9743df9
SHA256 63a85d0a0cf3a111a6d0e2ca2551c88a1912458fab7effc9203cd24aab54f9d0
SHA512 682328075cb64da30874be8bb2ff812b13f1ea79ec3ac82d39f114059f9e8843d048c9421ad67181510629dc5d0754914eeea4eb5a4d7a2f4bea52ce97c62677

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js

MD5 e795027877d424bb9b648efeed293841
SHA1 3c5f487b4470655f671dd14f6d7c12adeb65c5f3
SHA256 e47902f3fbe94541fb1c676eab75cef615aa0c41bad87b64fe35675f2f50076c
SHA512 3f3a9ce94f5d2f65881dbb793d70564c9dadaea517007af6b4c40cc340bc209d2f7568df27c630ad28b9a260a342d863027ed6a4f34c81e4c3fc4f07aa30c8a4

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nst1783.tmp

MD5 afa107b38e75abb2f721ffadbeded8a4
SHA1 c98166db0695bf14f96f9273cf46fd3d7f8cee29
SHA256 5224e5fc7adcfc9c80c6fda2f1b2bd180d7496cfd7a42d00747a7ec78a234fdd
SHA512 144c954ca856e496b9083778967707dd4d603b2234e20a400f9161511846563571064a8717e356a2e640163fca4f054a51cfe6aa970a8da47073548a3ddf4b5b

C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

memory/2624-3095-0x00000000044A0000-0x00000000044B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1836-3172-0x0000000003980000-0x0000000003989000-memory.dmp

C:\Users\Admin\AppData\Local\lateral1.bmp

MD5 09fbaede48cfedb759e640bed10d5dbf
SHA1 e1c0a5a77042595beae53955cad72143aac61045
SHA256 e9be711645adceef7a7f55ad9b573cf67910c885ebf63024928656823079512b
SHA512 aeb67c0ccfea4b5c09dcbb398be9e863c3c35eb3f9cb8c8eb666e8d69fd00ac6195024e443333ce5645a04b00c38c17182533d9f8ba7312ff446f1be5cba0d28

C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20241010-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsTlbr.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID\ = "esrv.funmoodsESrvc.1" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\ = "CDskBnd Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\ = "esrv" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ = "IxpEmphszr" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID\ = "funmoodsApp.appCore" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\afltId = "orgnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\data C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID\ = "f" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\TypeLib\ = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer\ = "f" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\ = "esrv 1.0 Type Library" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer\ = "funmoods.dskBnd.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2740 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 2740 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 2740 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 2740 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 2704 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
PID 2704 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
PID 2704 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
PID 2704 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.165:80 reports.montiera.com tcp
US 8.8.8.8:53 r.funmoods.com udp

Files

\Users\Admin\AppData\Local\Temp\nsy3515.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nsy3515.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsy3515.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

\Users\Admin\AppData\Local\Temp\nsy3515.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

\Users\Admin\AppData\Local\Temp\nsy3515.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

\Users\Admin\AppData\Local\Temp\nsy3515.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/2740-79-0x0000000000460000-0x0000000000472000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy3515.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

\Users\Admin\AppData\Local\Temp\nsy3515.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

\Users\Admin\AppData\Local\Temp\nsy3515.tmp\chrmPref.dll

MD5 57d63d48f0bb2fe9b3751342e1b0cc67
SHA1 65afbce77b4990f7f5efb5251e90bd9cc744583c
SHA256 72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab
SHA512 5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8

\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe

MD5 ce86ace6982b9f2d8836ff204c592dd2
SHA1 60ed4aeb4cf23e043e19d3746a1bcd9afa58a3ac
SHA256 3d808021dfa4617de80d49c7aa6620868577cf573b7a88ed24b7de30a1d4736a
SHA512 c95f53b180ef67fa74c892dcb3b878a6a722716708387b13153d6b660b3111fbfaf9aeb9381c444ebf28166a66923817d0ad57acf076e23650b1ca4496348caa

\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe

MD5 a6ea8baf987c05383013259a3a96b221
SHA1 dc1f3df6abd8b9fa1a3d364e9021cd5f62590f9f
SHA256 d978712e92d634c150493e35f7dab39483559350914c1a302c0b2c0aaf1c47a3
SHA512 0e6200677efff5a9e2babd8ebac1aba3c32a1f4de0251ba2036b6bd0996170777de40ba5df6e933e0b89fbdf8cc4709d09cd077016c83018d9e338a37b63b277

\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll

MD5 ac557d58c73411da1d2aa66109182dfa
SHA1 d464184873099e2f3f1700bcb74284b8ca7959ed
SHA256 01f196deedc9c921e810e083f8f593695596718af1a216df25c4b9b8bfdb662e
SHA512 ceeb8705cda49ef5b17d30cfb8264a57cbecd1fa799906246e2e2ac82575be28547b4bd96953518504067a7538affc570205ee22914945a3f41c0a729eda8617

\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe

MD5 a39180ce5d32d60c104990288a91e3a7
SHA1 4cd1d8a3ecb34997cae7d5d4a50555afeefccdb6
SHA256 d4d434cef3654987ba48f5ec24840457793eb13d7384051050feaba6138d47ef
SHA512 e9bd06ff8d1da315b70351d84bdd176bfbf5dd336b58b4fcb10c0cefaa9e20f80cd8d39ca3101f886e4e7ad680b23de78b4a3aaa04e7d54ce87d8567d676cd55

\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll

MD5 e51b884e8074fa7cdbeaeee9aee10c18
SHA1 c12e825456ffc981d6dfc5d561b82c3ecf2ba251
SHA256 ed9d73bf47b8b00d5df2d39d35ef4b82a5c1adc6aa3b97e576b6735a510c50ba
SHA512 2657848d148adf943f9ff99b7853d0743b1d8210cb4dbdc7418c5edb5578f362f9a3e2ea628a345b470ad83587d65aaaa1d511e4267c3382e9a51f482092487e

\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll

MD5 f95617b082693af8490edb28b771870e
SHA1 e6e7ffa25aa1acfa07888fd388af8dfaf28da656
SHA256 7352aaebffcaf4293bfcc66b4b3af0d9a20ea9cf5746e3fc6d548ed2d31a6b0f
SHA512 72bec0ad4efc4508b3720ed47e45da49b2c92d49878524dd1245d066788e4c508c96866b16ef8d984a8031fe8d5be6a4388acb46ed80c8b35e5a7b56f9a22508

\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll

MD5 9001188b424b2c2fa40368ee2b1df506
SHA1 6ac9d3d3e42acc49524bf9bf80ff3a473c90212b
SHA256 5809a200cc0524511e3769e2a8be748404eb75b317cec3fac3ebcc4bae850cea
SHA512 9d7b793a5fbec2311f7c2ab11b15fa641286d1bfd5d04df78ae535002ea693edbdaefa30fb0fd3b288ce0f8045d743fd1bd1eba8c5f8f5a6f53dfc51260e8906

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js

MD5 7ada0e563adf850139e2d73523473380
SHA1 e6972aab8431239a2d9682f3ec8977cd8103a677
SHA256 9f6267f08e2d26743c3b8563e287a1d56f0dc3f77dad187cd4ff0d99f6e6a083
SHA512 775faedf92603f32d15a207038dc7af89fa011989d447e49a7590929c773a7fb298d3491664587473d37e6151ef5f0be15a6dacd4f0b8d5a5fda98c52cb0df1d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js

MD5 a4c2abfbea2a0df941fa23201ebdbdd6
SHA1 ecf8a30774a8195b4208bb22d9eab06c8d436b05
SHA256 120bfbedad4e1d85d0d093b3b2bd5759e2e631b29aeb6acb654bb6628fcf7626
SHA512 2023f3100c35a902f48b35dbaa8a31c3f725f013c818723d4b29e828babb8827df53afe0cf1dc9bbb705b544877ef424d87511978a8e37c7f979ea5d5c5c3dd1

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe

MD5 345e32c7a9584757123ea67bf2ff07c8
SHA1 125d5c8e973c0628a85135e760243a26af1b503a
SHA256 c27fd7cfd14f41f9abc8ca5a5a8f3174ca111a31e12a24434425c5dbc37d9e3d
SHA512 46b5ec65facbae54d9a7200ca809c6f449fad901e7571c2b43571ff8e13ecb5b14e081d877b073387199b11cf7865bed4cd396baaf33efd6e213815c196c0d36

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js

MD5 30255cd17cb28ce1ab18d0f936e00848
SHA1 68af5eccd3e369905f3a91a59b6b55825cc47575
SHA256 56f883a9279a948056f2aa5e905681ff6009cde12afbd122bbffc936e87c4433
SHA512 4ef93afab7c746355530b6f6e5bad1f0fa3518d5817f7376a1dc3d03ab77b8d8414484f914b7238e36a2350f51bd7df2e24bc47e920f71e19d1795c38d35d334

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nso3E52.tmp

MD5 04ca2dd3138640490e6cc1ad85944ab6
SHA1 0bc4d73490e3e6ace3897514d37049e8815f42e5
SHA256 44da703460a0b76ee393452221fcecd388e460c958b18893299fcfaa7fd48e8b
SHA512 3e6ce79de90da7b6c661ddb9942b432e5d5edc2167cce5d178b73d9193b3f51744b3eee38b9752323631a8d8a41072c50f469c2324f7458bb36f0cd5bbd97040

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nst3E72.tmp

MD5 3fdca31fdb5dea71ebeea098eaa899d7
SHA1 28b39036e6d8ea1af44643e40cd7edeb8fad2264
SHA256 8dd4b3295efada1de1eb4e4b71b0ecfedcd494d36c327f136782a1f1f5c1fc1f
SHA512 94a6cf89bffc00ad5fae674aa3c5b15aac1c257133ef406e3e710dd9bb981a0d139e03f655dc4b00eaf009e646aefc95f6ab3cdae19ba8fcd08b3781817c7a9f

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsj3E83.tmp

MD5 8b2e3630af1e0a6facb2916b74f694d4
SHA1 78ecee758e49f4152be6e0711bd7a83a6b1b0568
SHA256 3a19bf09e1a6bfabe612d245d1ef01072f1befdf0f870aed7f6c9cafcb3ae93e
SHA512 53b031052676acc4c21fafc75f975e8a3328f979c4bc7b9f0090ca2b6e08689bed5a0204b4db382a3914bc12b1cc5ccca047d23d371ea898ab4b685e35d54ecc

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsj3F20.tmp

MD5 b19e5bf70d70fb4f34a158b44f36c583
SHA1 55fb2af2bf4981a5de4c854070759c271872059f
SHA256 74d9301f2eb611e98c372c16db9533e42d2354c35001e66109b2a5b2ba23f25c
SHA512 11aaab1296a5222882de1f8acbeaaa86f5be3a438ae1eccc7cfe083846bf103404cb268d5bb73dc58f524453f015a76b5feb632a708b298110bd26cb51b9f023

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nst3F5F.tmp

MD5 5fbb5afaefc7e409bbd162e8e19d4b6d
SHA1 aff0d979f6257095b914dbf96a8718da808877f3
SHA256 f2527ad5bc31fa7f7727d8b7c23d130a5f4b217b3d4fe9d700aa89ca2bd439f8
SHA512 54bad00997be3f3068a21f962876e636488bad2f7766cf8898ed54e9c86b1f9bb787dbd02d75a9192d2f5b24d8a8c822c5684ec1fb227fda7a2c325ef2356723

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsy3F7F.tmp

MD5 4fc9d286e3fde00a7ebc6e1f15ff57fd
SHA1 8f9db532a3a52a7190e7984ba8d6cf79ab080fd2
SHA256 eab3ba297eda2a40c5887a16e91d9367089221cc662e25b9cf2c9887492e9586
SHA512 c91e24d04f5e7df8b0950246859a4c7be792c5e74a8164bc2f2fed096c1939b0f277c11f33d15d17b91e15f2ec711b7f7390ec1f4a211d11f729f4f726b2173f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js

MD5 56e13ce1355c76ff2314a76d8bd35b2e
SHA1 ce866817876b7be757d1ea7ae2b7c53ebfdfb1cb
SHA256 dad72bfea56e9c79666ff5e00528e178c4341b003d8c353865c27c581e9a337c
SHA512 f471e4598dfba8041f53b5ec4031cf5f0e3b2bac390c93aa540f0da037547b45786424cf45841d8b56bdce619bf7742bf716f59f81eb96b8ee618327dd57358c

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nst4185.tmp

MD5 6135c76deb66535d5258b3f1f8137532
SHA1 145b8cec41181d08a1d0b87468d9896fc82f63e1
SHA256 d044359ac175299d13b07bd11227a738947b9a19625ee6c6479512abe93ea517
SHA512 6f6fd72a19e9c2c2d7997a8c671d62fc9c6ef12e6898707383c9187af74e3650b3da58e0b5b3e1cb3e965c4b5bb194d12badbb834c9f36a24823db0aa3468338

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js

MD5 ee414f9552ae0e9de9e333a8c56c5faf
SHA1 2f0daf73f9077c3af676ce24e169d9697130f378
SHA256 0b3267ddaf175fb2023dfa9da3345a564b728ab218c5990928ce17778e7f526d
SHA512 149c8f2ad3558fc22fe1e6c276281232176560d1d2910915349bfb275c0326671764829397de6acc9664f0006e24a25b546493b3067be57ee53ceb584d65e956

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js

MD5 75fc45f6f02db12f332caa49817db106
SHA1 ccdc593148c318fda4de37290096150a28dca63a
SHA256 005828cd1c5e71d4308f54390eb88e8205b1140e7ccff368ea0434fc8a9c0180
SHA512 671ab7b5d20b7b4bf17a9aef22b99e578cdac86431f22fb04d960afeaecae0ba487bd0e2a8cd4170fff892962e6716f4e4068ff52763cbda477fd8f1c3eda86a

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nse421B.tmp

MD5 3dc6fc0b4bc9519436fbd57784b9f6ae
SHA1 eed787c05224b4afc25cf7442a368353172a4697
SHA256 35d63a35bc7fba5039eb1d7495e4c2c16e413f4105efeff563cc2093b3d0da31
SHA512 27659caaba74c5b4093e064b08b921f4df16e84b818a14dd9a290798f749bb85b25417fef7395cfdcdc851df82b3ca5ed2dc8337093d35d2f68fe4d9ad0bf99f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js

MD5 609708741ccb7fe2b7ee032ed676d0cd
SHA1 d09dbdaca730a4652aea37375b1db9257e9bc8b1
SHA256 147b94de28e8bb82915ed7e80ec89a2828a188aac80997b21eb1c5fdb6bf7469
SHA512 aef7318a01ef89790f317fe47460ad79883c84e82354885aca05e37b3dcfdb18a09ba11ab4b8c2dce0a09e0c4e394362c2e108282885ca5225328855b8694240

memory/2740-1584-0x0000000002470000-0x0000000002482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy3515.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\Programmable C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\ = "escrtSrvc Object" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\hrdId = "971d8dda0000000000007e3d785e6c2e" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsEng.dll\\2" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\Programmable C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID\ = "f" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ = "IEscortFctry" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\afltId = "orgnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\VersionIndependentProgID\ = "funmoods.dskBnd" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsnTs = "1.5.11.116:42:49" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID\ = "funmoodsApp.appCore" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\TypeLib\ = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ = "IEvntCntr" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ = "escrtAx Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\ = "funmoodsCmn 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2000 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2000 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
PID 2000 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 2000 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 2000 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
PID 4148 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
PID 4148 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
PID 4148 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.165:80 reports.montiera.com tcp
US 8.8.8.8:53 r.funmoods.com udp
US 8.8.8.8:53 165.230.16.69.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/2000-84-0x0000000002420000-0x0000000002432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\chrmPref.dll

MD5 57d63d48f0bb2fe9b3751342e1b0cc67
SHA1 65afbce77b4990f7f5efb5251e90bd9cc744583c
SHA256 72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab
SHA512 5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe

MD5 ce86ace6982b9f2d8836ff204c592dd2
SHA1 60ed4aeb4cf23e043e19d3746a1bcd9afa58a3ac
SHA256 3d808021dfa4617de80d49c7aa6620868577cf573b7a88ed24b7de30a1d4736a
SHA512 c95f53b180ef67fa74c892dcb3b878a6a722716708387b13153d6b660b3111fbfaf9aeb9381c444ebf28166a66923817d0ad57acf076e23650b1ca4496348caa

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe

MD5 a6ea8baf987c05383013259a3a96b221
SHA1 dc1f3df6abd8b9fa1a3d364e9021cd5f62590f9f
SHA256 d978712e92d634c150493e35f7dab39483559350914c1a302c0b2c0aaf1c47a3
SHA512 0e6200677efff5a9e2babd8ebac1aba3c32a1f4de0251ba2036b6bd0996170777de40ba5df6e933e0b89fbdf8cc4709d09cd077016c83018d9e338a37b63b277

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll

MD5 ac557d58c73411da1d2aa66109182dfa
SHA1 d464184873099e2f3f1700bcb74284b8ca7959ed
SHA256 01f196deedc9c921e810e083f8f593695596718af1a216df25c4b9b8bfdb662e
SHA512 ceeb8705cda49ef5b17d30cfb8264a57cbecd1fa799906246e2e2ac82575be28547b4bd96953518504067a7538affc570205ee22914945a3f41c0a729eda8617

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js

MD5 50a190a643f231c8d6817b22cf411c2a
SHA1 0a4f5748c2b9ef29dfc1dddc3a307d5833125852
SHA256 8e66f4f6b90976466e96f228edee8e019501777aad93431ae610335c645441b4
SHA512 b46847a99b2143ff7079331321de6013e89c3fdb76a071c6e47115670ad1f1448214c761fe16705614b68112c0360ac9451af5908bf70b922208c29c8e3eb9cd

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsxBFDB.tmp

MD5 9b797f1bb4a24566963b77332796ebf7
SHA1 4fe25da60d189457b7e8c6759af57e10674460e5
SHA256 8a620c47db43eef8ebcb4616c6b058765306b47921f915016f425f9d8bcf9bb7
SHA512 97a133915cd3a8639b35d48b0f193126496bb0a03f62d2985c4ad4c465d3c6bde5c4494d4f569f94aa90f2dcb3db82fe5eaec9540019446d6bda39213100d7d4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js

MD5 24afdf39dffc976aef20905665d91b08
SHA1 774d60192ce2ba59bd7d4ee9f14efe7af131b0b0
SHA256 31de9666b1fb5736ca76e586b6ff467b328a303ea7fc7b394fecb1b24522e743
SHA512 05af78fbd9f372f5ec4a94eccecfbbd170b14231397d3d5f6e096eb61785c0eef0fedb113b43257b4d444902a87e2a1d6296d4a04c57cc3833224f01891dfb6f

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnBFEC.tmp

MD5 d1a4af83f16f9306e527465025c70d40
SHA1 8fe8f54b4628ab26d6f0cb1ebad6c4568aa92419
SHA256 9c47d5c54f66e6276a25966f2b3ac647b389772a3b5214b3ccabc3a3c9af9232
SHA512 4a47a2c1d2bc579c771200d8af5a5bcb76eb5f3b7b27172cf50c477ce15b04480c2766bf42d5cb7a8a27cfb1c4591c9e1c735922989ca34420c0fddbd5f80c19

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js

MD5 109071e4292964007e4e8dcf3b918b1b
SHA1 67385d2e5dc8e2f640ed4f42c248ee4a23ff6da8
SHA256 8c8aa83638a005bb116cb2e9cc8665b193d529fcae2340f3e0b961a94f77832c
SHA512 e1f4a5c0fa21aa8e42f9e1ec0abdac20ce2898985945fd45ae75dcb753598807a9a19813f2a2915b606c8feeb1c3f15da3662948a1aad64440b9e8f37598390c

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll

MD5 f95617b082693af8490edb28b771870e
SHA1 e6e7ffa25aa1acfa07888fd388af8dfaf28da656
SHA256 7352aaebffcaf4293bfcc66b4b3af0d9a20ea9cf5746e3fc6d548ed2d31a6b0f
SHA512 72bec0ad4efc4508b3720ed47e45da49b2c92d49878524dd1245d066788e4c508c96866b16ef8d984a8031fe8d5be6a4388acb46ed80c8b35e5a7b56f9a22508

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js

MD5 f6bb4c41a5c723bdbfa7f2538547145d
SHA1 10a21cca7a8e1dadb7d592bb6487591640756dd9
SHA256 cda69d4d4ac25cc36df161ac6b6fadeffa388c1a0010fe505ab493c12f8b0766
SHA512 fcaea3fd47669e3bb55d6c6bcda9aef0bb0aa4b466aaa70981c3870d129c11aacae9f7d85943dbef6860d63a124cc680a62ab5a92c917d32c77b119f8a79b165

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll

MD5 9001188b424b2c2fa40368ee2b1df506
SHA1 6ac9d3d3e42acc49524bf9bf80ff3a473c90212b
SHA256 5809a200cc0524511e3769e2a8be748404eb75b317cec3fac3ebcc4bae850cea
SHA512 9d7b793a5fbec2311f7c2ab11b15fa641286d1bfd5d04df78ae535002ea693edbdaefa30fb0fd3b288ce0f8045d743fd1bd1eba8c5f8f5a6f53dfc51260e8906

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC0EE.tmp

MD5 7ff58acd61479e45ec30172e3dcc21bf
SHA1 3b0d8bcb16a15a3bbef91d814fa40a12d37046a5
SHA256 663c46d33d12b521aa717c0e3520852eed199b697eda458ab65db971e2cf87ad
SHA512 38e32dd10448faf22ccd04e0502354acf7355bee96d7b60cf1323891cfdfbea035f1a8b93860fb8fd2a84d41278c97a978c96bac8dd2df5d5fa79e91e203b34a

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnC17D.tmp

MD5 b70a3ae702a94f63b4c8d2342ca94425
SHA1 a621b40b4f513834a6703c5fda8671c352d181c4
SHA256 fb8d54caf0b0e3e46756967a92f07f17489402614352df9812aac60026f22114
SHA512 e3a75fe6f133878ea1a6953e04ecbf0cb043e2d131979573f9c4e31b4cfad4af20656b20f9fde0d134f8608874551f95f84369f2ed370afa52d88466631d6b11

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnC17F.tmp

MD5 8cc1d03d3559f97300866ea644872cb8
SHA1 0acfad913038b4a9684911a42e58e45392e32fe7
SHA256 d9f52daad3006b1d0e31ebb44f5ff45392675e71e6f1c9085326254a3a3ad333
SHA512 e3ed34a9b28a05c6898aa8fb491e69001df73b0f477ace98168540369ba050793782a6ed426327b1793ed528db604ff7613e6d819dfd02b9a3fbe13adb62c1fb

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC190.tmp

MD5 b2872927dbd3897c21b032afa5729ffe
SHA1 1acdfb1cebf384d78f032d4267d72fbc82962ad6
SHA256 c9ea2c167f7329d0c547382ef97f13e4f87faa588bdd5521210ef458107134ce
SHA512 65ef9b2a76be968f55b4570e2e88d951d3f18c8dd20072b23bcf5b997b88538b25e541d4237e15f6c26bc6c6140136d97ec7e49a1e1c29529117d7abe6c4e7cb

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC191.tmp

MD5 87d8fa84521ceaf4ad49873e852366d4
SHA1 ecde848d61884879442378764128fdd5f39f141d
SHA256 0aea2d4cf44486f26e571200a18f7a19e1992b0bbc04fbf069c3d8acefbba9a4
SHA512 fbfa689eded7bb328ee12ee5ed437d72c66ed154eb9cc8efa40bbc640682c872e0cf604824efab8695438fb1231727cc66a22525fb1ed704baea2ded3fc2a808

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\user.js

MD5 e2db0b9ed33fb3ffafa6d26a83d035f7
SHA1 525d6979bde80c9863498bc03aecb353cc9d2a70
SHA256 ca92c777b1ead7d94f7f7bb72bc1609c1b2c3bf86a65aa7cc8f24ce946fb61de
SHA512 a942dad45716d83d8cabe7c47da30ab9db4a0495f9e788d14fd656356bcfdad4798ae7866d46bd85ffc296fa998e4b2c0f225b7f0407ee25b99fd41ca3427b98

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\user.js

MD5 7d3751e4f32177ee986ad47afa4977e5
SHA1 a71e9a06f35bfeddcd2c8dd01edc401e5500f515
SHA256 9ddf9abc626345ab926a108bc939a4e37c1863301c6bbcfdf1dd2f9d0ac46286
SHA512 6351e4b26f3b6e7d875f65f1be7254dd2f622089eb9a286bec484451cc6a1f3c37d639f406f359beeb6c5347e30a042b7d2bbf759c02fbef66b9c2a6f4fe9b6c

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC1E3.tmp

MD5 ea63c872919417f8cf9d00e35ea056e7
SHA1 4fe71ac12b2da8c1cee141430b43e3ce910e3d22
SHA256 e24f41e607040f778414f706826471686def64aef6111efb83d947a58f689f30
SHA512 f5106337d4292b67a129350eadc9281416a708996202a37f2e036a10d0a7fec62b299d0f2993f2ebee5ea75259b8bcbac66c110b85fb8ee3cf133f5c9091f18d

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsiC203.tmp

MD5 456688a268164631f9c4fe9b6a420f4e
SHA1 5f738ac84c6005b8d4f9f56c418d89560287d637
SHA256 93abc7fb98ddbcaeefb064e357a81cbba71962d8688e35838e63c95a82201688
SHA512 22123a06a87a35253fca58d608daa0b1b5a8c93e6f3f146a85e239db55652067134aaf6c32aa732c2a897b857bfac0591d92d0047598e1f190132efab37e8284

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\user.js

MD5 6a9f18f328c7045a301cf9618c3210cf
SHA1 31a24acbfffdbfef12a8076ec10200c7686de2ee
SHA256 f468ec7a07eacec92e6e55deb108cdbcfdbea04a89adebd9268f6ac2a7e6ce10
SHA512 309ef953b3b61eb9cd11b6c1c9012717b8229fc0c6c813a791c86d679d56fa7700ccd3cbf2cb2d93c4a9f74477adbdb5dfb6a1bce332826b3dc3fe9532dd33b1

memory/2000-1600-0x0000000003A10000-0x0000000003A22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 4240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 4240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 4240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4240 -ip 4240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240729-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20241010-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 228

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 3576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2864 wrote to memory of 3576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2864 wrote to memory of 3576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 1608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2760 wrote to memory of 1608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2760 wrote to memory of 1608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1608 -ip 1608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 224

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5096 wrote to memory of 544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5096 wrote to memory of 544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsiB44D.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nsiB44D.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsiB44D.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

C:\Users\Admin\AppData\Local\Temp\nsiB44D.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nsoB50F.tmp

MD5 2de28ef8b3d759f950370e8134cf2e7d
SHA1 cf4eda85b5e6572111f22b9519eb3ad594692cde
SHA256 a26b1f4385db29fba580e1940cae74adb6602b8cba9dda01effdd642b0653d4b
SHA512 bafef113f3923564b01ad68dc4e8f2e6c7e3a66296597366df095f70f08f5ce52407af3e01675cc1683fcb515e7001051457aaeacc247ad311bee5856d9b895f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\user.js

MD5 1339374958e20825f4fa16f8f331abb8
SHA1 e28472b0478e6c2ba3e72172b34f8981a3f87c33
SHA256 918ebacfe518b4b270456a0f2f6d4e750d5f2aab1c67fa9ea5d90f1ef9923396
SHA512 3d93daad8f8756886e54c0989cec55573f90a861eca8d89464e9efc86d1669189ac15f02f30c5fa54f097061704afb3dfd89a90017567f4675b883daa555d780

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\user.js

MD5 74adfd017bca6c359bc4050838d36806
SHA1 2f094be470a8fd5957a068c1babce8e52a7abcb8
SHA256 80fe442b9ba6d7f130ef38b3db1383770f069f6e5af902b7c87e9aa611ff28fa
SHA512 f8d09dccb26ec7538c287b4d50f9f55912c0d8e847b470a1ba42eab056abe120a87b06e9eb3f1dbbceed54e109bbf48024f14e6485a606a20f26652ef1ddd59f

C:\Users\Admin\AppData\Local\Temp\nstB57F.tmp

MD5 34b29f2d0a7c2e3768a01533cbae5c76
SHA1 8a9cdb55e37f9cc808d61f762063ff334a339585
SHA256 458b17e77d4f24873b79ce4628e746293957a8f84fdaaa07ea9059f5a174834b
SHA512 283fe691ffbeec4c1fe63cf2fbd4fcd656419164377e5e79b2928f9bdc3917ad8c556e453ba474a70204cbd84142e216c2fb547b145e5ae66c19a33117273428

C:\Users\Admin\AppData\Local\Temp\nsyB59F.tmp

MD5 a5038c4f872a3951ab4bb0b07b75d960
SHA1 7f7fd2b186bb08d76af672ff310c39b7779e9230
SHA256 a7045fae6a1852677f1ccdb565dadab0b6247a05db376dd2e66689a6bc466a05
SHA512 d36802b7015cf489557fb9dd35d3d2d361c656d64fe89c805f5cb80cd8d03c947d50ead9822a6e1aa3e1809e59e420ca339c0e4f8b3eb53e21bdc71a3f822ddb

C:\Users\Admin\AppData\Local\Temp\nstB5CF.tmp

MD5 5412291475c07d2cac1775668394ec23
SHA1 08eebedb08c0a80bc569bc888a1aae364778def0
SHA256 e81338668467d2b799a98e675dfc7f65bad0e39aa2b67f006c8d439037062020
SHA512 d71ec044adf742f737851fd879fe55c89e189772cc7e19d89d490133987a6fd41236662504f8c6340564d7cccf84feeaf40832e491128db19a7b751044ebf5a8

C:\Users\Admin\AppData\Local\Temp\nsjB5E0.tmp

MD5 00cde1e35bb43209dbf11535b85befb3
SHA1 fc212ff04843e39251936687c983e3a0af071cc1
SHA256 4010a5883766767cb6cda9f848b73b84be11d04ecedb56625197ea5b29946c2d
SHA512 afc97d8633d0471af09ff08faf409f816486ce5a2c92fcb84028549bfa59c6a67f67ea0bad0768991adf71a039b91b2920c49e7c164be06c8c73a28facf3b8d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\user.js

MD5 03189589f99d48b8ac332d294c221733
SHA1 a89140e9dd25b45b350e9502159c3a494f8bb682
SHA256 12592c432692824efa59b723287d9f84b7d04ad7b3a3ee1b75b49ad79f731295
SHA512 a529e3a4648cac36c5714ede8371ff5047f8bc86a94769415df079c3af19c9c5e7bf3b43e75165a3c605f4077704c41c5ebf61fab095af015cd00191f0304eec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\user.js

MD5 62b99b24c526eb931f669cfb4f154bdf
SHA1 63d795bb606c761365addd64caaf86228039f1ba
SHA256 96ac5c54efc35ba78eef700530edb37731f5e392eb7426eefd13e546ff139a6c
SHA512 207e4c503e1dc403136fca6630cf0c2ea7a898a75a8e6422ff6ae42c5e0f1bbeeaddbf93c52629c4bc378ab8e9ec3657e333d0c44cbf60dfb24e5d82ac9375a8

C:\Users\Admin\AppData\Local\Temp\nsoB6A3.tmp

MD5 20b13e7769da09ba85544d16badb33c5
SHA1 9b357c2d38819c7eb0d4c8ef4752e3d928fc3365
SHA256 7f37a66031f82f15bb9a6a93837084f807226a4956afdd6d3904f295477bebc9
SHA512 71c3059b748b627a1cdca6c787c4ad78a327ea04f16d2de36c445dfe958e9456539ced6b191de3fd7be8a7b0fd245462c08daadcd8abfd2da749460579cfcc75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\user.js

MD5 d5a18c9ce336b38715ec1701f2ced1aa
SHA1 b8b9a6d039c74f0c4df25cb68de7529645705e8e
SHA256 ecba2ffb3cd011090e044db47f6df2a075a6ec294cafc6fb4a2bccaecbd8abcc
SHA512 691e875ff157851b0f005ad8ab0547ed28d5e6a79bebce4f78b5e10a9f36b7a8e1813dd624542cc9bc5bdc05fc8cb43eed87c8e7c716538e2853c9471703e603

C:\Users\Admin\AppData\Local\Temp\nsoB6A4.tmp

MD5 20d26fdcdff73e5cb3578f7f095f8ab1
SHA1 d847ecd56650d8e5f838c104e3ef9ea427cb8eb7
SHA256 fe1fe0598a990c4b7773995924d36ac5190e144c3e0b107698e52461472a5dda
SHA512 e05e7590a4761ffbf3f2c23baabb2fc86a4f71af9138aa563044ffacd10e9acd1157783bebe85c15621544756af74aa4d08f740314a4b05d9be121705b36190b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\user.js

MD5 6509e18ec8a949726ba51c78388e0949
SHA1 ad798a569543d5932f52dae621637f7c97990e46
SHA256 2a11caf1795c15a83f640af3abe5de1eebee47442dfab949cc3750d91e6cfd61
SHA512 4a7d20fa054b792a25e61ba03f8ec21af7308e4b9f98314cfb99fcce4a293c3b3ad6fa7eb6d40c587d1374b91170ab4347d9346055e85416b9380c8903d46e8a

C:\Users\Admin\AppData\Local\Temp\nsuB718.tmp

MD5 fdd1845348e840238f31593a686c4bd8
SHA1 ad3ca8fd93eabae9baa026f4ec7a49d54093042a
SHA256 9acf25b45b0a49ac00f2d219acb8f90b1f4377ae14da664ce0d1804c8a287d25
SHA512 149f4da55c56e5724a8dae58459ae890327fc802d9682573cd823082af9bc1a44e86608afacec6af471a4bd841157db7123da4e8f0702031bfdb537f5a052512

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 224

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 216 wrote to memory of 664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 216 wrote to memory of 664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 216 wrote to memory of 664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 664 -ip 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4456 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4456 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4456 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2016 -ip 2016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 4116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2432 wrote to memory of 4116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2432 wrote to memory of 4116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 912 wrote to memory of 3996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 912 wrote to memory of 3996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 912 wrote to memory of 3996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3996 -ip 3996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 224

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win7-20240729-en

Max time kernel

16s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 224

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2025-01-15 16:42

Reported

2025-01-15 16:45

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 4716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3132 wrote to memory of 4716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3132 wrote to memory of 4716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4716 -ip 4716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A