Analysis Overview
SHA256
19a18b2cd97bcb69202c9f203fadcaff5f23aa4b7c6b79ede8acb310b479fb0c
Threat Level: Shows suspicious behavior
The file JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
NSIS installer
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies registry class
Modifies Internet Explorer start page
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 16:42
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 696 wrote to memory of 5076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 696 wrote to memory of 5076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 696 wrote to memory of 5076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 408 wrote to memory of 4848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 408 wrote to memory of 4848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 408 wrote to memory of 4848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4848 -ip 4848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 236
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
133s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4924 wrote to memory of 3528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4924 wrote to memory of 3528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4924 wrote to memory of 3528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3528 -ip 3528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1044 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1044 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1044 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1044 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1044 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1044 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1044 wrote to memory of 2280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240729-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 224
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
145s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082} | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/FNMD/FM/1.5.11.1/funmoods.xml" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutUrls | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\FaviconURL = "http://start.funmoods.com/favicon.ico" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\Codepage = "65001" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\DisplayName = "Search" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://start.funmoods.com/?f=2&a=down" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\URL = "http://start.funmoods.com/results.php?f=4&a=down&q={searchTerms}" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://start.funmoods.com/?f=1&a=down" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\bh\\funmoods.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f\CLSID\ = "{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\aflt = "down" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ThreadingModel = "apartment" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrSrchUrl = "http://start.funmoods.com/results.php?f=3&a=down&q=" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\bh\\funmoods.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsApp.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsApp.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "CDskBnd Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlDay = "20103" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID\ = "f" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsTlbr.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsEng.dll\\2" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\CLSID | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\Programmable | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ = "IappCore" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ = "IwebAtrbts" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\TypeLib | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 5c0000000100000004000000000800000b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200013202000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c06200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f51400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b271d000000010000001000000054e2cd85ba79cda018fed9e6a863aa46030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe"
C:\Users\Admin\AppData\Local\funmoods.exe
"C:\Users\Admin\AppData\Local\funmoods.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.uptodown.net | udp |
| US | 151.101.131.52:80 | img.uptodown.net | tcp |
| US | 151.101.131.52:443 | img.uptodown.net | tcp |
| US | 8.8.8.8:53 | crl.starfieldtech.com | udp |
| US | 192.124.249.41:80 | crl.starfieldtech.com | tcp |
| US | 8.8.8.8:53 | 52.131.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.int-r1.certainly.com | udp |
| US | 151.101.131.3:80 | ocsp.int-r1.certainly.com | tcp |
| US | 8.8.8.8:53 | 41.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.131.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.uptodown.com | udp |
| US | 151.101.131.52:80 | www.uptodown.com | tcp |
| US | 151.101.131.52:443 | www.uptodown.com | tcp |
| US | 151.101.131.52:443 | www.uptodown.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 151.101.131.52:80 | www.uptodown.com | tcp |
| US | 151.101.131.52:443 | www.uptodown.com | tcp |
| US | 151.101.131.52:80 | www.uptodown.com | tcp |
| US | 151.101.131.52:443 | www.uptodown.com | tcp |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | start.funmoods.com | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.165:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | 165.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\nsRandom.dll
| MD5 | ab467b8dfaa660a0f0e5b26e28af5735 |
| SHA1 | 596abd2c31eaff3479edf2069db1c155b59ce74d |
| SHA256 | db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73 |
| SHA512 | 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301 |
memory/4816-19-0x0000000002320000-0x0000000002332000-memory.dmp
memory/4816-20-0x0000000002320000-0x0000000002332000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\inetc.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
memory/4816-58-0x0000000002320000-0x0000000002332000-memory.dmp
memory/4816-59-0x0000000002320000-0x0000000002332000-memory.dmp
C:\Users\Admin\AppData\Local\funmoods.exe
| MD5 | e10aa65bc9f094483b45ee6745e89606 |
| SHA1 | f69007d78c2636c53afe608f9eb8d116603652f7 |
| SHA256 | 5211d85e3d577f54134a8ab8c5c9f23bd3b7332825dcab75a19258b25790b37f |
| SHA512 | b7c55c05f53bcac6d077cdd69c37459f3e3a39c719489d7027d16d87eea96479f7baaedb31f4a7b2e0a39aba872b6435be6dd7fcdce66d42a94c87ed2b49cba6 |
C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ckv2sw8.Admin\user.js
| MD5 | 0c7c8a283b16e0fa47c0016069de06e6 |
| SHA1 | 56dfdd0983f1ff14fd39acf3094f38e40a221e8e |
| SHA256 | d34969a861d89c54d6a1f430cac910c32203c47def8ceb55c28065f508c3d7d9 |
| SHA512 | 4028c03372de5c43493709adbef322156fecced278707c3c26949dd54ff3f9219f8c4f405ad8f4e69cebc77257fdbe4ea5986aa5e659098e5094f0f666c1d314 |
C:\Users\Admin\AppData\Local\nsnF34F.tmp
| MD5 | 3062047a2880b6809f9f5e203a624692 |
| SHA1 | 6ae308f3d7b8c4d30f85a8e6288f88f1500f0d4a |
| SHA256 | eb8861bc4c152c0c8fe13e9ee53b4fcb84733ac5539d0e86c98e2ec3015d6184 |
| SHA512 | 066e4a0cb8c06ae1c96d7d0d9b39a5abac8e5fad258ec8c8841bcf81293fc9a727f275813836a0e41c1b34bd67f0f33532a701bbc888aa3f1edcede970cc64d3 |
C:\Users\Admin\AppData\Local\nsiF32E.tmp
| MD5 | 06c42349f82ace83f953695a7036967e |
| SHA1 | 3488e08a3fb81316456f6449bdeb9254c3b4f5f8 |
| SHA256 | afa2580870da87ca052d778bb13ea37bea1cf83aae932dcc575d700e1c9e831b |
| SHA512 | 272c97324cd7922a9fb6514f3b082655a09d37e70381f520c012ad285fe8f55d88c8c79dbd5b80cf6009e4934c2255c98f99c6ee97639c481330c8c9f509061e |
memory/4816-224-0x0000000004BB0000-0x0000000004BB9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\user.js
| MD5 | 21e2ca66b86e5bf3a6032fdbc45e90b5 |
| SHA1 | ea70be42630e89f7a650abb4e71852efa9893c9b |
| SHA256 | 704628eb647ff0f3e61d951bd0cb3f97f7e58a8284c4e50c71f4369aa111873a |
| SHA512 | 3757f022724b7ba2efb3c0f5da649bfa8e609752266fde6b2999de31fc01390eae20e6a65d8cbcffaf338936de5dd018b76953679e763448078e27b208b9fd65 |
C:\Users\Admin\AppData\Local\nsdF44F.tmp
| MD5 | a6586122c0662f36a4f26b6c3959811c |
| SHA1 | 929259027561933065e6267fe948b33bd549d2a8 |
| SHA256 | 2bce865f219fe68157cf29b115642d1c68a0cf062c14e3853321e4d7b4fc4edb |
| SHA512 | 622683523e7049eef983dfd0fa177882b1a1fe153aac634308b2ebee5b6b1d7bca93ce67327d77d9e2df13010ef7d2785cee5752dc7847435f71ba1c8d156bcf |
C:\Users\Admin\AppData\Local\nsdF451.tmp
| MD5 | 8cd889b2732d44f4b63bb9e376128973 |
| SHA1 | d1fd1621ac821c096c5de67367403270c868b423 |
| SHA256 | b828a98fa04a684e67cc7094e2a53ab7b611e39dc655f6e812541560ef99cc79 |
| SHA512 | c878d6bb0941dbdb9ec32fc8437e8ba775645818c114f8ae2b154cd20ec9cdc3759e4151a30582cd0e55f8b73603a4283335a98145d201b8bd816ce5533c0808 |
C:\Users\Admin\AppData\Local\nsyF51E.tmp
| MD5 | 7278e2536cdb7b7b289d1608b8bb731f |
| SHA1 | ae9ae0d8c25ca64553b56eb8fb4ed5edc5c8833c |
| SHA256 | 145136f0c0ed3502e8721cf84cb1c6f686216e1027d232202a2811141914fdcb |
| SHA512 | b4650b56ce6f7457a1783f20bce99106fbeb46d5a6b7740e165d5c9273c6337c93f1145afb00f64fcff141d082a1153a70da257d6d00562fe9479f4d8e2f45ab |
memory/1400-1136-0x00000000022E0000-0x00000000022F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\user.js
| MD5 | b804e77d692f76f6b411f020cc930dc0 |
| SHA1 | 019911c69ba034cf0be5f9ef70d9d748df9eb98c |
| SHA256 | d469d6f59a86889c7d5d0282279b19109b8f5d7ba1e8552d355805417a8c2c46 |
| SHA512 | 47978f97fe69ef35b7ffa7649f3289ebc8fb5c3a12a201d763a4607b9f63ff39d2e66be629b82f8af0521bd1930d604a981dad63d976a21d69f2be2219da7c75 |
C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\ExtractDLLEx.dll
| MD5 | ba4063f437abb349aa9120e9c320c467 |
| SHA1 | b045d785f6041e25d6be031ae2af4d4504e87b12 |
| SHA256 | 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5 |
| SHA512 | 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a |
C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\chrmPref.dll
| MD5 | 57d63d48f0bb2fe9b3751342e1b0cc67 |
| SHA1 | 65afbce77b4990f7f5efb5251e90bd9cc744583c |
| SHA256 | 72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab |
| SHA512 | 5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
| MD5 | ce86ace6982b9f2d8836ff204c592dd2 |
| SHA1 | 60ed4aeb4cf23e043e19d3746a1bcd9afa58a3ac |
| SHA256 | 3d808021dfa4617de80d49c7aa6620868577cf573b7a88ed24b7de30a1d4736a |
| SHA512 | c95f53b180ef67fa74c892dcb3b878a6a722716708387b13153d6b660b3111fbfaf9aeb9381c444ebf28166a66923817d0ad57acf076e23650b1ca4496348caa |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll
| MD5 | ac557d58c73411da1d2aa66109182dfa |
| SHA1 | d464184873099e2f3f1700bcb74284b8ca7959ed |
| SHA256 | 01f196deedc9c921e810e083f8f593695596718af1a216df25c4b9b8bfdb662e |
| SHA512 | ceeb8705cda49ef5b17d30cfb8264a57cbecd1fa799906246e2e2ac82575be28547b4bd96953518504067a7538affc570205ee22914945a3f41c0a729eda8617 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsfF977.tmp
| MD5 | 9a573122109bd0eb9d9d89601f5baae0 |
| SHA1 | 7bb54aec051f708a8e7d0383a3937fec89e91ed5 |
| SHA256 | a04e1eaa4b876e6fc57810383076142ecf7c44844379c87aace0730ba5316732 |
| SHA512 | 4305aa38b28d830663eabeead44b348dfbc7cad784e53abe8709b9cba42bfc94c8c1102d072aa26af5c4fc0a65be12f251d6d66549ea4c9aa0714ab3840b7a32 |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll
| MD5 | f95617b082693af8490edb28b771870e |
| SHA1 | e6e7ffa25aa1acfa07888fd388af8dfaf28da656 |
| SHA256 | 7352aaebffcaf4293bfcc66b4b3af0d9a20ea9cf5746e3fc6d548ed2d31a6b0f |
| SHA512 | 72bec0ad4efc4508b3720ed47e45da49b2c92d49878524dd1245d066788e4c508c96866b16ef8d984a8031fe8d5be6a4388acb46ed80c8b35e5a7b56f9a22508 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsqF9B7.tmp
| MD5 | f0e0de251179e1d4f03ee28c211d6d70 |
| SHA1 | 4951792a9ec8329145ab4f176e61d4efa70cf99e |
| SHA256 | d1e2ca289fd4e353e1307446ec2f66fd01665cd0b7a84e8936eedaf7c7ba33fb |
| SHA512 | 9dc68d752c1f7ae57d28f1375b06bd5f1a3f4023d7eef05143de0f5412893dc4b45f5ea35b62a9efb30962749079975eacdd336ce52b490c1fdce411fe0458f6 |
C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\IEFunctions.dll
| MD5 | 5a3a8d916dd0071f16d217bbcfe7d047 |
| SHA1 | c2265fa5cec491706d0921e4274c674b693f326f |
| SHA256 | 465e81022be2df0433a6e02d427a79dc733031abc89d99746b73576a976857e3 |
| SHA512 | 8908ee2e329171d2ee430aacf7f86be565472cdb9b338786188ab37d6e6a714e5bc98552a39737ff8a5f314730c9f351aa0f1fa8207eff32289d7bccb3e05a08 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\funmoods.xml
| MD5 | 4572bfac1a74abe2d4d716871b2c9cad |
| SHA1 | daa25567a196e9e7b10b2bf33ba35299f2c16f84 |
| SHA256 | 8f2ac3e5f4345b19010d7dc0a7ed835727f5e7780f4c00517aadb18724dcaf29 |
| SHA512 | 285f22cea572aab5b37acb00e1e77db684e57c40361bf7eb05dc27c0ac42587b1dd9666cfaa9547862db43d5284c0e9087dd2c45247635fa22a51a6431267d15 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nslF9E7.tmp
| MD5 | 62a82675fe80409c19902610a0a0c085 |
| SHA1 | 0c80c106a2601bef89b3b6e5eef206216c6cd0f2 |
| SHA256 | 5bef586c04f5c27e8dc16b62aacb56acdd828347019f9dbcc9711691f956a5d0 |
| SHA512 | 64ee95fe38f2f932b5a9335387c16c95fac1b07e7f74875d9f2edba1fcc96778d0cf2109b23cb81839946fc3e3124ea31356b263ca84957459930583460c35bc |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll
| MD5 | 9001188b424b2c2fa40368ee2b1df506 |
| SHA1 | 6ac9d3d3e42acc49524bf9bf80ff3a473c90212b |
| SHA256 | 5809a200cc0524511e3769e2a8be748404eb75b317cec3fac3ebcc4bae850cea |
| SHA512 | 9d7b793a5fbec2311f7c2ab11b15fa641286d1bfd5d04df78ae535002ea693edbdaefa30fb0fd3b288ce0f8045d743fd1bd1eba8c5f8f5a6f53dfc51260e8906 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ckv2sw8.Admin\user.js
| MD5 | 720b65b2a770bc6138438fddc6962500 |
| SHA1 | 7df0b1c24c8c2322ccbb95a30aba10d7b17b9259 |
| SHA256 | 531819f9be5b043f982080a0e801dc27b37e7f0d6ef10f4d6cedb8b5bf31a1e0 |
| SHA512 | 54f05ae9ff38b13e7f547ef59cf88b291f8aab8d7892a6ca448e05bef34ca405cd09e8c3b5a3d7e47009d5dcf53e03f7368e1ac8e7f1cef6c61b22a8dc3d9ba3 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nslFA86.tmp
| MD5 | 72098deaaad52be23940e72f28c7680d |
| SHA1 | a5361fc2b4cf32b1876a88b7e8eeca25d1f5ca1d |
| SHA256 | e2e484a10428663298a35c82c858937c001b099e39fa0d60e1fe2a09f744c494 |
| SHA512 | f84faeedcdd79fda1750aafc58c44fdfbf0497e26bd6b4ddacc24cf5f8e6a7edbac0ec084d22d62fa21d31c9269223cfcdb3b14fd72e8bf3dde054b9a453c838 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ckv2sw8.Admin\user.js
| MD5 | 6c9c0e1c065d8b3e26b7fa0497d3ea75 |
| SHA1 | 7df20f1abaf04ca5f94d492e0ad9fe2f8eb0d6fe |
| SHA256 | 8e143c953a4f72586023bc183ae49a5f6116aa213dc7287e5ad591c0e8207c66 |
| SHA512 | ce8138386e7f56ebf721a611376441d80b9f7b227d352671aa4cc6d6664095fb904f9ff401e26c171c61235971094130baddd8029e9fbe58dfe8c0a759379c68 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsgFAB6.tmp
| MD5 | dd93dd3ebfb0b592732bdee5bdcf23db |
| SHA1 | 3e56df3803c4c23b52c031d749ab627b0515a586 |
| SHA256 | eb9d282bc22910cc105ce4566971cd17cd400b0a1ac4ceefa11a6cc10008329b |
| SHA512 | 5872221127bd77139ef2572cc9a90ffc1dd74fe45630c0a32e5d568354ae43d7de201bc494da5b4e9fe0607661e81ada212e32d7daf7ab416019cdeaea8c7515 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsgFB55.tmp
| MD5 | c459f044c8acab0ea20b4d96d9611e6c |
| SHA1 | 36e1a94b96909c333830d0272f1f06ebc33ea64c |
| SHA256 | dc0d996f5f64c2982b0f554aa8419901ef8ccbde6a2817ef9c2eae254db01069 |
| SHA512 | ea340b7ecfbeea0de0ced8f274c40db42f87f1fb9a761af18f4a0c3a5621f47ab0c509f933c9c93a86cebaafdad6b5c6d78c206d8ef75ff8e480dd9fb4daf707 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nslFB75.tmp
| MD5 | 412da775db4b54c49ad156b8b6f5ab74 |
| SHA1 | c736d65d487aabe591ce42bf6e8d10fc7f5829b7 |
| SHA256 | 7cad7e22a9b84cf52691e666cbc99e4977defc74de12f772f8752e551544ad99 |
| SHA512 | 68b3e6c274b035d48e68dc73996212154a92cbcf6ae508f18280349b7e1c26efeda76024530a8a0d4cf495eb27afc264d71c7e14fbfe1ce46b1199516a924346 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsbFBD4.tmp
| MD5 | bdbec4d620b4c4658d39070752f0e5e4 |
| SHA1 | bb9e0b89cfd028a79bd1cad9db4fb54c029c7ccd |
| SHA256 | ff07e15a4e1e1ba84ad9d9e0892c4bd4a369c00bbbd6ea0c514f60acce26a05d |
| SHA512 | adc6a8e4c8ab0d3c4b1931c86ae40b4335a567d680700809b4cacd465c9d53a9759a4e480a1deb6da26f5c873fe2729186f6b88e7ab059fed98a609badc36308 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\user.js
| MD5 | 122384a2fb0a6d2defd644ac0a614227 |
| SHA1 | a43a0dfd8faf6cc8d2922e5dc551f24381708d76 |
| SHA256 | 370572aaa27d7b6c1bf15cee5f5c148f002db60b44fed73ae58a2fa1afc96fb8 |
| SHA512 | b8c0699e77450055a290cb60aae5b5d3466cf02d30453390b6aa33c60db4d8a9f991d6001fc383ca3575528cc038a8c16f60b7eb380bb68eea4767c7e6f42c1c |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsrFC84.tmp
| MD5 | fb91b861e2eff8844a79b3d20481415e |
| SHA1 | 5678e1cb7e56972ddb38f493dab8f6dcb2c55452 |
| SHA256 | f49c1a6f2c93f0fb61a43e61716f47371508ff5affedf1d1f53777bf3dd90f29 |
| SHA512 | 8857b67fe57932631cf05e6b5be19a1fe95208b33183e354a121cc61ee0fe5c955ecd1c192a1e956046b7f1f93a50fb366111ab1c7c95c04b395d9279ed38319 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\user.js
| MD5 | 3a49c3d986994bdf8ec9ca1f13ab9308 |
| SHA1 | f2b65b981f81b403053aff34e3eb7cb1665a281d |
| SHA256 | e1dca9a4d2acdbb45629e66d70e82c9e4e05e60eadce0b08836b587acfc86d0b |
| SHA512 | a48e14a3cbefab953172514b01bdca9db1962ce22cd8e4f552a8845f6e72290757256c9ae4aa42bfe4d9398c7c18887addde4685f946940b66a919f40ecc39b1 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsrFDC0.tmp
| MD5 | f44793fe2999354e679e47bf6a5fbdb9 |
| SHA1 | 48f904a170935a2aa80b45b9e6222d41e2a93782 |
| SHA256 | 5a38839f7d8574ebe7b0fdaa0e5099690b053ad8ee46ee0e730649b0177ceb9d |
| SHA512 | c0d1e155a0d8865b15683c29898357af10cdcda2a57b017cfeaea5a113a3c2fc3b3db1cd51c5abc65e660bea21d24fad63c0995046be224acc59014ca007f829 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsmFE3E.tmp
| MD5 | 39dfcf2906eee958e051a42cc5aacea0 |
| SHA1 | ef97c611be6646c003a262237b5139820e7c4ce3 |
| SHA256 | d6b7d13bd2aa7f19b44d7275ed61eb72d2a2eb411757a14fcdbdb153803a2793 |
| SHA512 | c1b7d0fef62e4870d4c109f05a5a38742ce7ceb77bce0507f0f3e410143b9a82881c9a636e97e1246a7e1b8418696ae33ccf5b9515b63b7e403d1be085bd6d68 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nssFE5F.tmp
| MD5 | 1da1785492e6a2721ba238ce5dd9b5b3 |
| SHA1 | c39f01af6c273e70c6ddb2c92bbcdec7d983c125 |
| SHA256 | 22d101e38d14b29e22cce6cc6229ff7681b938d16d32ab984e8d76b9da626453 |
| SHA512 | 6e13bd0e8e84f36a0ef52b20e043194237d026ff8e135c9b826cd4ff0a71ffa1531b40fbc01f0dd93560875786897107ffcc841e821b75ae553ad722e0d1f9e9 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nshFEBD.tmp
| MD5 | 4fd339ef0589a83c3eab32699267716d |
| SHA1 | ad2af6cf7375f15e7270a214ccf0a3f864d111cf |
| SHA256 | 51247d54f9cc800d5435191b202298ea0f3ebc3baaedf0f40d9431d44e0c3539 |
| SHA512 | b9d461315cf1689a7917abc9f2f5bf93ad0a589668117d0e7198a7d2dffbc775bf1fd5384a68a228b609ea17151274d4201fe8c6959d50fb20a6ca6bbca4388c |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsxFECE.tmp
| MD5 | f30994449ab5fb1c6129e98b0b968f2b |
| SHA1 | d0da0692377c4bfe2ff990321eb387bed7d333ca |
| SHA256 | b8f379228ab4bf4bed62af0179f45e8b307aee4c3ba5a5f7b561b43a4bf16674 |
| SHA512 | 1a8e2e731ef300183f879feb78d35f7d5f8ced67e11130eca2f3776b24fd5c61dfcb61b9633f93160780fe4b8687798bbfecf1254b6244d370a3fe1b659aa0f6 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnFF2D.tmp
| MD5 | 005fab27b135b16b0d1ea525dcb0c793 |
| SHA1 | ea0de0edd5c2ba5f0d9d851c089c4c09dc0376af |
| SHA256 | 4735f776aa686198c80f523fa78b68a3668f6753f8f51a91b023611634d97ea2 |
| SHA512 | 98f265e24c7e70ef2996c3a112776e3d20212df2b9e56ac2cd93c39f49f0a16e0da0df0994dfff179418bcb7dbcb6ee94826176122cd2976c5d92d75fdeba766 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdFFDA.tmp
| MD5 | 1b6970ff0e42aab8cda50dad88c79003 |
| SHA1 | 283be10551400779ce7e21af8d2441a83abc6fe4 |
| SHA256 | d5c5583827312d026ed17b5963dd7cd2d8c659a2755afd6c4281ca41c93f4fd2 |
| SHA512 | b7a1568ec9009348778996d14f780be56a9c2770303cc9c2dcb8787a30635f3b3e0ac72c7fa8a7fea70ca5b3e1bfd096cad8b3de02f14eebda9df8f9c8a51eb0 |
memory/1400-3161-0x0000000004030000-0x0000000004042000-memory.dmp
C:\Users\Admin\AppData\Local\lateral1.bmp
| MD5 | 09fbaede48cfedb759e640bed10d5dbf |
| SHA1 | e1c0a5a77042595beae53955cad72143aac61045 |
| SHA256 | e9be711645adceef7a7f55ad9b573cf67910c885ebf63024928656823079512b |
| SHA512 | aeb67c0ccfea4b5c09dcbb398be9e863c3c35eb3f9cb8c8eb666e8d69fd00ac6195024e443333ce5645a04b00c38c17182533d9f8ba7312ff446f1be5cba0d28 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1caa54207c56b9df0fd4aa6cd3002d87 |
| SHA1 | dcd5bdf23c52bbb57574366dd3a07158a3198603 |
| SHA256 | 39325ac4d09d4ac26f7a7f62d727fff3f98c8d12c2934ea74d6e6c449c1a962c |
| SHA512 | 1775d915cbc07cb908cfad0418b08fa0841bdf6548111bbe044da404e23c7c9cd320154050e5a19a283d06527ce79201577b106dfdf6d4c25eafe21712fc45f7 |
C:\Users\Admin\AppData\Local\Temp\nssF27F.tmp\NSISdl.dll
| MD5 | a5f8399a743ab7f9c88c645c35b1ebb5 |
| SHA1 | 168f3c158913b0367bf79fa413357fbe97018191 |
| SHA256 | dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9 |
| SHA512 | 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977 |
Analysis: behavioral24
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
141s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3668 wrote to memory of 4868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3668 wrote to memory of 4868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3668 wrote to memory of 4868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsyA14F.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
\Users\Admin\AppData\Local\Temp\nsyA14F.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsyA14F.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
\Users\Admin\AppData\Local\Temp\nsyA14F.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js
| MD5 | c6eda8e55f8669828ce84830dceac5af |
| SHA1 | da90cc768a6d7bd7bd2507a2f572aee2a48b3a65 |
| SHA256 | e4ebc6e7a465221d9fa549c61020409c43b7bcd4c5315f59155654d906a92c83 |
| SHA512 | 1f21107d269fe4e3d35ba431a7b8414b2b8f57edda4987d3969d561e2c96951ed727ddc4aa3c9df2285edd25f0b593171fd02bbc5178cedb0c99bfc5b2d2f3b9 |
C:\Users\Admin\AppData\Local\Temp\nsyA1EE.tmp
| MD5 | c4b8833c291dcbfaf8fcf9208c7e231f |
| SHA1 | d4810343d6fa4698302557fbedbd23c5d5b45730 |
| SHA256 | e6a5617414e2ba41120a626843d5918c5613cd87c54b8eac6d0faf147ef0c1c7 |
| SHA512 | 319c3f225a75754f1a5cdcc90abc563e4b0d4f12a337c23107ff8d6c54be62c07b3a664fd687f5fa1fb3f69b3984c2f3a47684d0c842d2c699d8f95c37e2063a |
C:\Users\Admin\AppData\Local\Temp\nsjA230.tmp
| MD5 | abcfdc6cfdb17f543e0ac433394bada7 |
| SHA1 | ca561a3814bd5c380abea0f76a6450e958b74654 |
| SHA256 | d1d7b36fbd079a76db4bc42e0fa27bea77428a32802417691151dd1eb18a6b6b |
| SHA512 | 19f5e9a51a7fe12a190db6b1f99e508b8d03d88bf8dbaf11ba0db17c84dadada384315017fba41dde58cc7369fec61342e0849f47ce9f1fa5ea824100f019228 |
C:\Users\Admin\AppData\Local\Temp\nsoA250.tmp
| MD5 | 82c7e0e70d064491fad74a736f78dfa1 |
| SHA1 | 792298c6355926cf86d7edf44f1fe97456402fbd |
| SHA256 | 2755137ca859bfab7389694be42dbf124eab3827c310271044aeebb4aca2d725 |
| SHA512 | 0f1edcbc930c43adb0deceb0dd7f9b99652ea705f89cabfda1486015f777233d7e2392587cf2e503a3895fac626f52caa130eca1126b22b29a1f8658d475a5c2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js
| MD5 | 4a2d448c0be622b9ff918c5352d52948 |
| SHA1 | 102a8c68eeab088fbcf50430e9ef401f655ecdd9 |
| SHA256 | a0c357cf390c150fae4aa8fade08b88221f1fad9c46a4e03ec5e840febf11921 |
| SHA512 | d9a4198de4e8ea8914c8d544de708628bec6cfdae7e91e7a82bf436136c9bb65aa0d152d85a4cf5f284fc49445c6000d83eb5283d617b6fdaa23beb9a11983aa |
C:\Users\Admin\AppData\Local\Temp\nsjA281.tmp
| MD5 | 1da0df55aa5147b962024730e8fda687 |
| SHA1 | 7bfcd8c8e5fb1a23d49bf3e4575dc9b6b022c377 |
| SHA256 | 09dd86231540764ed0c64214366f297a9b4b431d488a26f265e6e926d3cb1c30 |
| SHA512 | 78106806fa6f7a07565a3b8d1e84eb076dbbe1cd1a61ef57123e3b95e0153e27584490a6b02122db5271e9e582b0b956ee243c1af889dfbd9379ba69c4155884 |
C:\Users\Admin\AppData\Local\Temp\nsoA2A1.tmp
| MD5 | 67bdb6e5fd9fe8f9ad74c9cd1f318674 |
| SHA1 | 6a46b660258c366532289f29cbc72463308b6ddf |
| SHA256 | bf915aef1e1d6747163b233dbac1b0fbe7704c05cc941dc5879c3d1ff2fc343d |
| SHA512 | 1671d0811ad1b43ef2ad7936547560794a3fd819ecae5c8dd5f0bdf7aadc0004d9be8aa7c2b447514e6d2ef0f32d799a775546063eb865bd744db29f245d1d53 |
C:\Users\Admin\AppData\Local\Temp\nsjA2D2.tmp
| MD5 | 99276dafb9454a3111f145251709144c |
| SHA1 | 932eb24e55565cb7699278cdc3c75976e835aaad |
| SHA256 | f5affe255dffae659cbd6dde9b0ba3f7d9931ef72727f6ed9a9372e92e29ad34 |
| SHA512 | 7a129343c75f9dd015d75444e32c104cb3e710986c4a1c490a9e43b768f74a7459d0cc25c2d6edfe085aac7d364c81aa3d53fccde47c29292234c308fb83e131 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js
| MD5 | e65ac0d92a12719ebd70eb64dc3c9db9 |
| SHA1 | e27bb357c3c451964702fbfa447e3f5e97a5d8ea |
| SHA256 | 2e84bc04e4803dfdfe64345de6d536b75dda1680bec617f0eaaee1547c41cc82 |
| SHA512 | 0cbc5e2bfb6436aa07dd9fc036dda5a127d002ea9063c4ff2088278be2398e558b69240696d3908181f501eb4d4edde2832b0382304ca471fdb189dac003f93c |
C:\Users\Admin\AppData\Local\Temp\nstA312.tmp
| MD5 | a1ce1651f54d92d7f048bb75579f8210 |
| SHA1 | dd96fc611b4ff6e40fcc6c2a90ac10c39cc91096 |
| SHA256 | b0e4d99d2447f5949449eae33044647aebffc4f33135bd6bf1c17dab8f47568c |
| SHA512 | 77fa6330048030b13170dc980f61f88a6fc6d0a71d0edcdf1ddf6058f8b1d6117bdc78b71aa17d01398071aee300e84ceb842271d5a52e73656a7a8ca569a77e |
C:\Users\Admin\AppData\Local\Temp\nstA361.tmp
| MD5 | d66b7c36887a3a1f869cd8b637cc43b6 |
| SHA1 | 2e7ad1e83bbe8ae41a119efcaaede2bc82e9d8db |
| SHA256 | d7516cb11c81e5ef2e0c7cffa7175c3a7f36f945e788a27024fdc79443fdda45 |
| SHA512 | 155ba55e437c52f3f53d27750fb8365f3489c08a00a8a842610d9d2687aaa067add493273caf5b49fe4bff39eca917eb3f4b4bcb58537119b3ce82e3ed40ceb8 |
C:\Users\Admin\AppData\Local\Temp\nstA362.tmp
| MD5 | c42ac66e65b412612edb71a328403241 |
| SHA1 | 4461abd35d83f1c35460c8594055635ae41ff585 |
| SHA256 | 949f7631b32975077cbdec0aa2f5e89515236493811761f4ae9104d5368cc859 |
| SHA512 | dd8cd0b46fbf90d1954174eab59fb63734dc1e840aa3786ae1579ee8ef90b5c8a5dfbe0c7cd0b5518a3dbed22eb00f77bd8d8e1cff6c0ba43af257486b06dda8 |
C:\Users\Admin\AppData\Local\Temp\nstA363.tmp
| MD5 | 312669ce514b8bc32bb714105ed7aef7 |
| SHA1 | 33c38cf50d1537fac6ba4fc52d5630fef5b48b33 |
| SHA256 | bd15ca594d081e2792a821ca2fce6aa065664e4a885d545c7087b17984da88af |
| SHA512 | d08d27e15a3bd6bfe3ee3236a478a15776786fe042f6eb01958a011eb15cf8c9b6c32306eee9635e608235ca0e16f471792518d06e79abeb1f8f4ea2f2876e3e |
C:\Users\Admin\AppData\Local\Temp\nsjA374.tmp
| MD5 | 50a304f854d280d8cbf9891a23897ed9 |
| SHA1 | 371c3b8c67265abf507d28d76bc159af9a1a3edb |
| SHA256 | d3cc1ded3dfc6fa1c8bac9bc175f695f12d48ee3a6bcd8defc643075712bde97 |
| SHA512 | 63a6e9b44fa19c479719e7f1c13c85cdc91a7adf210924880232cd754140259d4b437c3684a18afee70099b0a4166d59abac3213e4cc0e9c9b55e983b134df54 |
C:\Users\Admin\AppData\Local\Temp\nsjA375.tmp
| MD5 | 86d36fc714b08cd9c8867d386705dca8 |
| SHA1 | 171026e987ee425fa37724041d0a8eed13cd836c |
| SHA256 | a6d859c3854093cce6cedb105bee52784203f3dff42d081a6fc684fbfdf89ee9 |
| SHA512 | 04cdcac851ac5ef5aa0c29fcf7c4ac51871d9e68b3a2129cfe108b7e6f3dd741916fab971ef7f70790cd877622d393232dd62798c981f63efadc8726c0d04733 |
C:\Users\Admin\AppData\Local\Temp\nsyA385.tmp
| MD5 | 44a1caae3ae6b7927ed06b79b433bca1 |
| SHA1 | e1b217373ca90f05aa96ef304d614503512e4314 |
| SHA256 | 2853f85c31b515f1e3a3e1a5c3dfd2f38a10f9f6f85f9ec7af53b97507b0eeb2 |
| SHA512 | 2b95ef6879811107a5620eb478d678d51341dd701cd316317a34953c256ab06b148dc5fa23edd16d11dadd60280fd75b0960fd5d16021c9f0bc5f154a572d66a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js
| MD5 | e14d5067a2f09b8a6356b09356d41a94 |
| SHA1 | 013b1260dc29f5b6e022ba2dac6dd011b5be390a |
| SHA256 | 1d1aa82d8cc2cea6e90b19977f96463718e02cdee3c17294ad809890aba0d5ac |
| SHA512 | 6079f1dbd241b88d14bbeb0bbf4dd79016e4133f0178a5ee992eaebe2b04b17027b923797594146193076789d38adeeb58b9e82f1c2c64997c2138554c2420c3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js
| MD5 | 0433d4170f1e241cb8bbd4388fb9ae3d |
| SHA1 | a2dc940d7c63cf66737931f8d96e73e992d1de78 |
| SHA256 | cd19e7f5492b496e5dd100e0b5962db42d5de505b25f5e3af3082c7a291c0608 |
| SHA512 | 34c8cffb4130338fd2d173b59c142b986b5b7617fbca8a2640939e0c4bc9619930d744e8d65fcd8ddbd1daa9c0ff1151cfe3d238385305aabb440ce1d018288d |
C:\Users\Admin\AppData\Local\Temp\nsoA3EA.tmp
| MD5 | 9d902f232320f460fd38ed523397e1ea |
| SHA1 | 34bf2740c3e61715fdaba503771aca292184fe3f |
| SHA256 | 117e36f2e4a2bce84c20603cc9e60680d8952f9d7a9619c4a318fd17b772f847 |
| SHA512 | afdabce0debf13217e63193390e1fd3ecfa03679343d5f84daabc337a4bdeb490739871cdd0b1c6f10aaf0a619a84eaa963549ad374162dd32599ab13d98afb0 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutUrls | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/FNMD/FM/1.5.11.1/funmoods.xml" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27} | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27}\URL = "http://start.funmoods.com/results.php?f=4&a=down&q={searchTerms}" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27}\FaviconURL = "http://start.funmoods.com/favicon.ico" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cc03d4b2ab14914fb6ed7db01993b5f000000000020000000000106600000001000020000000a6537c09b245a381216bfa8b5410fe5070f24763ba975f40681ed168b9e2a944000000000e800000000200002000000094e6e4b25c6d124ad35f4a607eb2394b73f7abdf14d2fb6ac38dbb238ece8b475000000040c34753f8cd691bb52ca74f641b575aff42688dfc6812775722ba21b826ad4206571b041e3a18a9f9ab8e48aeef7215cbd0b93cf6463f367b6225e2224a0a3cd7e5ffa0f65ee6abf8755061a0b70f8440000000756453beac2918ba973abaa012b56d36c67ade03502fe49b8229ab98b56477e028b5fb48b7302df1c7da97f76e3c8010dc5b24f5904ae3a76cc5526c8a53e2e4 | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27}\DisplayName = "Search" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://start.funmoods.com/?f=2&a=down" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{516B3355-5026-40AF-A6C0-A99ABDBDCB27}\Codepage = "65001" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cc03d4b2ab14914fb6ed7db01993b5f000000000020000000000106600000001000020000000958b5b02a0b829c898577b2216faa672014c116c573a60b417f47773aa76279b000000000e8000000002000020000000a91165a664de3c8d550f81d33247ac47a2cf048195e814db2e0ff4f7bfb70549100000009bda5071eb73d2a709fc001061146b434000000060de59156de1a61b7580edf3f6b81f708f2f145c497032b4b2b56335331d870aa6a8113865838f6d832e38bd2796304b620d9fa89f46e32f90a0b34b4fd6f029 | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{516B3355-5026-40AF-A6C0-A99ABDBDCB27}" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://start.funmoods.com/?f=1&a=down" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ProgID\ = "funmoods.dskBnd.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\ = "escrtSrvc Object" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ = "escortIEPane Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID\ = "funmoodsApp.appCore.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsApp.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CLSID | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID\ = "f" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ = "IRegmapDisp" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsTlbr.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\ = "esrv" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodssrv.exe" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ = "IIEWndFct" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsTlbr.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer\ = "f" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlRef | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ = "escorTlbr" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS\ = "0" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe"
C:\Users\Admin\AppData\Local\funmoods.exe
"C:\Users\Admin\AppData\Local\funmoods.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | img.uptodown.net | udp |
| US | 151.101.131.52:80 | img.uptodown.net | tcp |
| US | 151.101.131.52:443 | img.uptodown.net | tcp |
| US | 151.101.131.52:443 | img.uptodown.net | tcp |
| US | 151.101.131.52:443 | img.uptodown.net | tcp |
| US | 151.101.131.52:443 | img.uptodown.net | tcp |
| US | 8.8.8.8:53 | www.uptodown.com | udp |
| US | 151.101.3.52:80 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.131.52:443 | www.uptodown.com | tcp |
| US | 151.101.131.52:443 | www.uptodown.com | tcp |
| US | 151.101.131.52:443 | www.uptodown.com | tcp |
| US | 151.101.131.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:80 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:80 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | start.funmoods.com | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.165:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\nsRandom.dll
| MD5 | ab467b8dfaa660a0f0e5b26e28af5735 |
| SHA1 | 596abd2c31eaff3479edf2069db1c155b59ce74d |
| SHA256 | db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73 |
| SHA512 | 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301 |
memory/1836-17-0x00000000034A0000-0x00000000034B2000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\inetc.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
memory/1836-42-0x00000000034A0000-0x00000000034B2000-memory.dmp
\Users\Admin\AppData\Local\funmoods.exe
| MD5 | e10aa65bc9f094483b45ee6745e89606 |
| SHA1 | f69007d78c2636c53afe608f9eb8d116603652f7 |
| SHA256 | 5211d85e3d577f54134a8ab8c5c9f23bd3b7332825dcab75a19258b25790b37f |
| SHA512 | b7c55c05f53bcac6d077cdd69c37459f3e3a39c719489d7027d16d87eea96479f7baaedb31f4a7b2e0a39aba872b6435be6dd7fcdce66d42a94c87ed2b49cba6 |
\Users\Admin\AppData\Local\Temp\nso1095.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nso1095.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
\Users\Admin\AppData\Local\Temp\nso1095.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
\Users\Admin\AppData\Local\Temp\nso1095.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
\Users\Admin\AppData\Local\Temp\nsjC3AE.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
memory/1836-119-0x0000000003980000-0x0000000003989000-memory.dmp
C:\Users\Admin\AppData\Local\nst1105.tmp
| MD5 | 06c42349f82ace83f953695a7036967e |
| SHA1 | 3488e08a3fb81316456f6449bdeb9254c3b4f5f8 |
| SHA256 | afa2580870da87ca052d778bb13ea37bea1cf83aae932dcc575d700e1c9e831b |
| SHA512 | 272c97324cd7922a9fb6514f3b082655a09d37e70381f520c012ad285fe8f55d88c8c79dbd5b80cf6009e4934c2255c98f99c6ee97639c481330c8c9f509061e |
C:\Users\Admin\AppData\Local\nse1145.tmp
| MD5 | aa4d624ec6ddb4db8f587700e83fcde7 |
| SHA1 | 8ac1c3397c90be253a718dc8af9e84ee63ea4185 |
| SHA256 | 7f7fe8a15e9d52cc9bb617544ad0ed458afbd7adaaf99bb06d18b9b8da3637c8 |
| SHA512 | 0c206d53a114228c675b4d328c1bd4b297b6224e113c076353d4698bd963898f58fa4a75281db04ebdeb6051a9aed95f01ba7f3f164d2d24dfc397437106b210 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js
| MD5 | 263956e932a663281f70126c8ab7b72b |
| SHA1 | ce03abd9aff66d4492d2df98943df051f081b2d7 |
| SHA256 | 1f136822737da4313b695d47e5ef874af58defed029239bc91720b1cc12623ff |
| SHA512 | bc36de595c2c2caa4fb210ec15c6e46d0f1f2271cc065d54b47891eea9bbfa14f2c9aa551312379d4f06a73d7d916313290a0dd25fd11dd7741af75fef7d1f52 |
C:\Users\Admin\AppData\Local\nse1198.tmp
| MD5 | d8f9a0b75b3f26b35a60282641c34ec4 |
| SHA1 | a5578ab6139a5a36c93351e1db1b04762b2568f6 |
| SHA256 | f9ab80e456eaca18b242dab0c81d94431a0c8297b508f9a20f0f2cd3843da795 |
| SHA512 | 8ef7e920aa982798a6c5517854c3bbaf382924ff6e3aac688e15ac8c49ca4a509fa4fc0bc452eea234ef7c40ca2d26c7d471efb9a04f21f8e61c88101cb81858 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js
| MD5 | 35bd49cc80393a45ddd5dfb69e92e936 |
| SHA1 | 8a235a288238d1ad253a2afed7ad8be6edd7b09f |
| SHA256 | 0689f3e70406af7fd14e5f3f25954fae558e4ed6eca8294e3ebc7a28305728ba |
| SHA512 | 8d755ff2bdd9116763a6afb465e583a43076d3d767a39f6ec46b2b3f20563d79f41a5409867ae6e21b1b0aa529806487aba21975344bd474a08341ccc0295e7d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js
| MD5 | 21e2ca66b86e5bf3a6032fdbc45e90b5 |
| SHA1 | ea70be42630e89f7a650abb4e71852efa9893c9b |
| SHA256 | 704628eb647ff0f3e61d951bd0cb3f97f7e58a8284c4e50c71f4369aa111873a |
| SHA512 | 3757f022724b7ba2efb3c0f5da649bfa8e609752266fde6b2999de31fc01390eae20e6a65d8cbcffaf338936de5dd018b76953679e763448078e27b208b9fd65 |
C:\Users\Admin\AppData\Local\nst1297.tmp
| MD5 | 7278e2536cdb7b7b289d1608b8bb731f |
| SHA1 | ae9ae0d8c25ca64553b56eb8fb4ed5edc5c8833c |
| SHA256 | 145136f0c0ed3502e8721cf84cb1c6f686216e1027d232202a2811141914fdcb |
| SHA512 | b4650b56ce6f7457a1783f20bce99106fbeb46d5a6b7740e165d5c9273c6337c93f1145afb00f64fcff141d082a1153a70da257d6d00562fe9479f4d8e2f45ab |
C:\Users\Admin\AppData\Local\nsy1218.tmp
| MD5 | 9078402e3f1787b308f74c6eac230755 |
| SHA1 | 6b99c0a60317f05bc517b3e022043bf62b3db54c |
| SHA256 | cdd7176f46745b59659b8e758fa15caa9874c7fc40c6bdd5558c70d3fda2b433 |
| SHA512 | fa80488b5da0dc74423db3ed61fe98b3cfdc20c2f68513ced04b56d72422ac44fe24ce9503e50c4dfef1ca186c0345ffeea5196322379441eb244b8cb4a9a34b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js
| MD5 | b804e77d692f76f6b411f020cc930dc0 |
| SHA1 | 019911c69ba034cf0be5f9ef70d9d748df9eb98c |
| SHA256 | d469d6f59a86889c7d5d0282279b19109b8f5d7ba1e8552d355805417a8c2c46 |
| SHA512 | 47978f97fe69ef35b7ffa7649f3289ebc8fb5c3a12a201d763a4607b9f63ff39d2e66be629b82f8af0521bd1930d604a981dad63d976a21d69f2be2219da7c75 |
memory/2624-1082-0x00000000003E0000-0x00000000003F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\chrmPref.dll
| MD5 | 57d63d48f0bb2fe9b3751342e1b0cc67 |
| SHA1 | 65afbce77b4990f7f5efb5251e90bd9cc744583c |
| SHA256 | 72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab |
| SHA512 | 5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8 |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe
| MD5 | 345e32c7a9584757123ea67bf2ff07c8 |
| SHA1 | 125d5c8e973c0628a85135e760243a26af1b503a |
| SHA256 | c27fd7cfd14f41f9abc8ca5a5a8f3174ca111a31e12a24434425c5dbc37d9e3d |
| SHA512 | 46b5ec65facbae54d9a7200ca809c6f449fad901e7571c2b43571ff8e13ecb5b14e081d877b073387199b11cf7865bed4cd396baaf33efd6e213815c196c0d36 |
C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\IEFunctions.dll
| MD5 | 5a3a8d916dd0071f16d217bbcfe7d047 |
| SHA1 | c2265fa5cec491706d0921e4274c674b693f326f |
| SHA256 | 465e81022be2df0433a6e02d427a79dc733031abc89d99746b73576a976857e3 |
| SHA512 | 8908ee2e329171d2ee430aacf7f86be565472cdb9b338786188ab37d6e6a714e5bc98552a39737ff8a5f314730c9f351aa0f1fa8207eff32289d7bccb3e05a08 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsj15A7.tmp
| MD5 | 4a0eab80ac5f73615fe94472eca40210 |
| SHA1 | dd758dc7ad8c9ce4847c0cbfb4397641b8687879 |
| SHA256 | 2bcd8746a649e0fb0e3c97475cd030cd776d967afe6ff33cc49bcd1ce1f2bce7 |
| SHA512 | 17da8260e354266d4b0a0f930e39dcb9bf0c822a0e3de0dde66d1efceb37e6037701fdc55c3da8500d90c3dd753a3cbabd903f9bbf40dd7cfb57dc251700a4d0 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\funmoods.xml
| MD5 | 4572bfac1a74abe2d4d716871b2c9cad |
| SHA1 | daa25567a196e9e7b10b2bf33ba35299f2c16f84 |
| SHA256 | 8f2ac3e5f4345b19010d7dc0a7ed835727f5e7780f4c00517aadb18724dcaf29 |
| SHA512 | 285f22cea572aab5b37acb00e1e77db684e57c40361bf7eb05dc27c0ac42587b1dd9666cfaa9547862db43d5284c0e9087dd2c45247635fa22a51a6431267d15 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nst15E6.tmp
| MD5 | 56abb28af8be952358661fe82387f768 |
| SHA1 | 8db730f46ff5c5473d2dafdd18d9abda9e5f6c1c |
| SHA256 | 420092aa001aeb31e48d024459e776bd6be8a0bb507ddc4349e6a5511d60d3a0 |
| SHA512 | 2b492caf605f4aa32f852f88d40ead7c5c26bd91cb670e6b8ec9d58a599a7bdb038086365e8ad3ca30c33dfdbaeaac56c0d85d81a13d5e6eb1eac810f9497317 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js
| MD5 | 34ad50939227c403dded4ab2c75a9999 |
| SHA1 | 6a0434bb714e48720f6a1ac429a45b894c21549b |
| SHA256 | bb6414fb7e0965d42a10954f89a58b79479223d435baa5ff8317ed7a45528aa5 |
| SHA512 | db84544d395d34fdd436c2f1d5fcea20ff63fd3f60790800b7e45217ed50932332490f37b9b4e446b3bb1f02e8711cebc934fc8a392af98764f599d734a527e1 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsy1607.tmp
| MD5 | 074d0b893c01ab477286792f38df37db |
| SHA1 | dc620df8c64d39d1ac5986c81760ffb7d6c206b1 |
| SHA256 | 075c330434be862544566d62b2cbd27245dcb172bc2333e8b83dc08adb49f078 |
| SHA512 | 9db8a366bdd2c09501626b10ca6a35ff74e70ce9ee7b7ecf773f9c0ebb595daf84f9574ddf95ebf76a825a19161f6dc6648aa3e924564ab78ad822ec343beccf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js
| MD5 | 87ba0ee318b41827fa592f6ac5ad902b |
| SHA1 | 1f6650251d0a77e8feb4e992fa6eccf40e0d4254 |
| SHA256 | d67989d74088bbf1afbc9dc01365277e179992c69addb284545e52fed9b62c4a |
| SHA512 | 4fd77a7eb0804c75d247598de38ea06b4247d1ffa465c4b590a716aee008000d3ed91d90c72f5d48d3748d76ea4f5e44f2c88a8d94594132cbb429c83404c62b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js
| MD5 | f77379615d44c83c207a42be8b28a3cd |
| SHA1 | ba043d95172a9c3b1acc16547424db2399abf574 |
| SHA256 | cf193b36e5567404a83fc7620baef2fbdd4d7601827ea23ccfcd4e7842201e47 |
| SHA512 | d96ffb9f667175bf7397c8c018b44f3eaa5454519af05101d7e395e383cb358d72d1c3fb08df8de4a5d9309e12b80c2876ee31ee916d546afd8839830da35a93 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nso1762.tmp
| MD5 | 4e5d69a9aa35bcafe76530b8a9c41260 |
| SHA1 | 9dbc2f63896cc57139669413b98b375cd705ab5e |
| SHA256 | 9369a77778d1e8b84080e57c9f7fabe6cdc4eaaa88de2f2db2014291c268160d |
| SHA512 | 337f5bf04800c4f0d8de62b986bae23027c050855d6d8ebd43c60152f641a6d257ebfe07afae536ca7d76fc3aabcca42e1ac8c6197e8904d6580ba6aef5f3c21 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nso1763.tmp
| MD5 | 18877366875d86d8ecf154164bfa4718 |
| SHA1 | 7690a1edd1197ade5d2eef13e2c91355b9743df9 |
| SHA256 | 63a85d0a0cf3a111a6d0e2ca2551c88a1912458fab7effc9203cd24aab54f9d0 |
| SHA512 | 682328075cb64da30874be8bb2ff812b13f1ea79ec3ac82d39f114059f9e8843d048c9421ad67181510629dc5d0754914eeea4eb5a4d7a2f4bea52ce97c62677 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js
| MD5 | e795027877d424bb9b648efeed293841 |
| SHA1 | 3c5f487b4470655f671dd14f6d7c12adeb65c5f3 |
| SHA256 | e47902f3fbe94541fb1c676eab75cef615aa0c41bad87b64fe35675f2f50076c |
| SHA512 | 3f3a9ce94f5d2f65881dbb793d70564c9dadaea517007af6b4c40cc340bc209d2f7568df27c630ad28b9a260a342d863027ed6a4f34c81e4c3fc4f07aa30c8a4 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nst1783.tmp
| MD5 | afa107b38e75abb2f721ffadbeded8a4 |
| SHA1 | c98166db0695bf14f96f9273cf46fd3d7f8cee29 |
| SHA256 | 5224e5fc7adcfc9c80c6fda2f1b2bd180d7496cfd7a42d00747a7ec78a234fdd |
| SHA512 | 144c954ca856e496b9083778967707dd4d603b2234e20a400f9161511846563571064a8717e356a2e640163fca4f054a51cfe6aa970a8da47073548a3ddf4b5b |
C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
memory/2624-3095-0x00000000044A0000-0x00000000044B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\ExtractDLLEx.dll
| MD5 | ba4063f437abb349aa9120e9c320c467 |
| SHA1 | b045d785f6041e25d6be031ae2af4d4504e87b12 |
| SHA256 | 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5 |
| SHA512 | 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1836-3172-0x0000000003980000-0x0000000003989000-memory.dmp
C:\Users\Admin\AppData\Local\lateral1.bmp
| MD5 | 09fbaede48cfedb759e640bed10d5dbf |
| SHA1 | e1c0a5a77042595beae53955cad72143aac61045 |
| SHA256 | e9be711645adceef7a7f55ad9b573cf67910c885ebf63024928656823079512b |
| SHA512 | aeb67c0ccfea4b5c09dcbb398be9e863c3c35eb3f9cb8c8eb666e8d69fd00ac6195024e443333ce5645a04b00c38c17182533d9f8ba7312ff446f1be5cba0d28 |
C:\Users\Admin\AppData\Local\Temp\nso1095.tmp\NSISdl.dll
| MD5 | a5f8399a743ab7f9c88c645c35b1ebb5 |
| SHA1 | 168f3c158913b0367bf79fa413357fbe97018191 |
| SHA256 | dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9 |
| SHA512 | 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977 |
Analysis: behavioral3
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20241010-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsTlbr.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID\ = "esrv.funmoodsESrvc.1" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\ = "CDskBnd Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\ = "esrv" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ = "IxpEmphszr" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID\ = "funmoodsApp.appCore" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ = "IwebAtrbts" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\afltId = "orgnl" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\data | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID\ = "f" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\ = "escortIEPane Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\TypeLib\ = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer\ = "f" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\ = "esrv 1.0 Type Library" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer\ = "funmoods.dskBnd.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.165:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsy3515.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nsy3515.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsy3515.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
\Users\Admin\AppData\Local\Temp\nsy3515.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
\Users\Admin\AppData\Local\Temp\nsy3515.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
\Users\Admin\AppData\Local\Temp\nsy3515.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
memory/2740-79-0x0000000000460000-0x0000000000472000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsy3515.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
\Users\Admin\AppData\Local\Temp\nsy3515.tmp\ExtractDLLEx.dll
| MD5 | ba4063f437abb349aa9120e9c320c467 |
| SHA1 | b045d785f6041e25d6be031ae2af4d4504e87b12 |
| SHA256 | 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5 |
| SHA512 | 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a |
\Users\Admin\AppData\Local\Temp\nsy3515.tmp\chrmPref.dll
| MD5 | 57d63d48f0bb2fe9b3751342e1b0cc67 |
| SHA1 | 65afbce77b4990f7f5efb5251e90bd9cc744583c |
| SHA256 | 72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab |
| SHA512 | 5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8 |
\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
| MD5 | ce86ace6982b9f2d8836ff204c592dd2 |
| SHA1 | 60ed4aeb4cf23e043e19d3746a1bcd9afa58a3ac |
| SHA256 | 3d808021dfa4617de80d49c7aa6620868577cf573b7a88ed24b7de30a1d4736a |
| SHA512 | c95f53b180ef67fa74c892dcb3b878a6a722716708387b13153d6b660b3111fbfaf9aeb9381c444ebf28166a66923817d0ad57acf076e23650b1ca4496348caa |
\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
| MD5 | a6ea8baf987c05383013259a3a96b221 |
| SHA1 | dc1f3df6abd8b9fa1a3d364e9021cd5f62590f9f |
| SHA256 | d978712e92d634c150493e35f7dab39483559350914c1a302c0b2c0aaf1c47a3 |
| SHA512 | 0e6200677efff5a9e2babd8ebac1aba3c32a1f4de0251ba2036b6bd0996170777de40ba5df6e933e0b89fbdf8cc4709d09cd077016c83018d9e338a37b63b277 |
\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll
| MD5 | ac557d58c73411da1d2aa66109182dfa |
| SHA1 | d464184873099e2f3f1700bcb74284b8ca7959ed |
| SHA256 | 01f196deedc9c921e810e083f8f593695596718af1a216df25c4b9b8bfdb662e |
| SHA512 | ceeb8705cda49ef5b17d30cfb8264a57cbecd1fa799906246e2e2ac82575be28547b4bd96953518504067a7538affc570205ee22914945a3f41c0a729eda8617 |
\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
| MD5 | a39180ce5d32d60c104990288a91e3a7 |
| SHA1 | 4cd1d8a3ecb34997cae7d5d4a50555afeefccdb6 |
| SHA256 | d4d434cef3654987ba48f5ec24840457793eb13d7384051050feaba6138d47ef |
| SHA512 | e9bd06ff8d1da315b70351d84bdd176bfbf5dd336b58b4fcb10c0cefaa9e20f80cd8d39ca3101f886e4e7ad680b23de78b4a3aaa04e7d54ce87d8567d676cd55 |
\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll
| MD5 | e51b884e8074fa7cdbeaeee9aee10c18 |
| SHA1 | c12e825456ffc981d6dfc5d561b82c3ecf2ba251 |
| SHA256 | ed9d73bf47b8b00d5df2d39d35ef4b82a5c1adc6aa3b97e576b6735a510c50ba |
| SHA512 | 2657848d148adf943f9ff99b7853d0743b1d8210cb4dbdc7418c5edb5578f362f9a3e2ea628a345b470ad83587d65aaaa1d511e4267c3382e9a51f482092487e |
\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll
| MD5 | f95617b082693af8490edb28b771870e |
| SHA1 | e6e7ffa25aa1acfa07888fd388af8dfaf28da656 |
| SHA256 | 7352aaebffcaf4293bfcc66b4b3af0d9a20ea9cf5746e3fc6d548ed2d31a6b0f |
| SHA512 | 72bec0ad4efc4508b3720ed47e45da49b2c92d49878524dd1245d066788e4c508c96866b16ef8d984a8031fe8d5be6a4388acb46ed80c8b35e5a7b56f9a22508 |
\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll
| MD5 | 9001188b424b2c2fa40368ee2b1df506 |
| SHA1 | 6ac9d3d3e42acc49524bf9bf80ff3a473c90212b |
| SHA256 | 5809a200cc0524511e3769e2a8be748404eb75b317cec3fac3ebcc4bae850cea |
| SHA512 | 9d7b793a5fbec2311f7c2ab11b15fa641286d1bfd5d04df78ae535002ea693edbdaefa30fb0fd3b288ce0f8045d743fd1bd1eba8c5f8f5a6f53dfc51260e8906 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js
| MD5 | 7ada0e563adf850139e2d73523473380 |
| SHA1 | e6972aab8431239a2d9682f3ec8977cd8103a677 |
| SHA256 | 9f6267f08e2d26743c3b8563e287a1d56f0dc3f77dad187cd4ff0d99f6e6a083 |
| SHA512 | 775faedf92603f32d15a207038dc7af89fa011989d447e49a7590929c773a7fb298d3491664587473d37e6151ef5f0be15a6dacd4f0b8d5a5fda98c52cb0df1d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js
| MD5 | a4c2abfbea2a0df941fa23201ebdbdd6 |
| SHA1 | ecf8a30774a8195b4208bb22d9eab06c8d436b05 |
| SHA256 | 120bfbedad4e1d85d0d093b3b2bd5759e2e631b29aeb6acb654bb6628fcf7626 |
| SHA512 | 2023f3100c35a902f48b35dbaa8a31c3f725f013c818723d4b29e828babb8827df53afe0cf1dc9bbb705b544877ef424d87511978a8e37c7f979ea5d5c5c3dd1 |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe
| MD5 | 345e32c7a9584757123ea67bf2ff07c8 |
| SHA1 | 125d5c8e973c0628a85135e760243a26af1b503a |
| SHA256 | c27fd7cfd14f41f9abc8ca5a5a8f3174ca111a31e12a24434425c5dbc37d9e3d |
| SHA512 | 46b5ec65facbae54d9a7200ca809c6f449fad901e7571c2b43571ff8e13ecb5b14e081d877b073387199b11cf7865bed4cd396baaf33efd6e213815c196c0d36 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js
| MD5 | 30255cd17cb28ce1ab18d0f936e00848 |
| SHA1 | 68af5eccd3e369905f3a91a59b6b55825cc47575 |
| SHA256 | 56f883a9279a948056f2aa5e905681ff6009cde12afbd122bbffc936e87c4433 |
| SHA512 | 4ef93afab7c746355530b6f6e5bad1f0fa3518d5817f7376a1dc3d03ab77b8d8414484f914b7238e36a2350f51bd7df2e24bc47e920f71e19d1795c38d35d334 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nso3E52.tmp
| MD5 | 04ca2dd3138640490e6cc1ad85944ab6 |
| SHA1 | 0bc4d73490e3e6ace3897514d37049e8815f42e5 |
| SHA256 | 44da703460a0b76ee393452221fcecd388e460c958b18893299fcfaa7fd48e8b |
| SHA512 | 3e6ce79de90da7b6c661ddb9942b432e5d5edc2167cce5d178b73d9193b3f51744b3eee38b9752323631a8d8a41072c50f469c2324f7458bb36f0cd5bbd97040 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nst3E72.tmp
| MD5 | 3fdca31fdb5dea71ebeea098eaa899d7 |
| SHA1 | 28b39036e6d8ea1af44643e40cd7edeb8fad2264 |
| SHA256 | 8dd4b3295efada1de1eb4e4b71b0ecfedcd494d36c327f136782a1f1f5c1fc1f |
| SHA512 | 94a6cf89bffc00ad5fae674aa3c5b15aac1c257133ef406e3e710dd9bb981a0d139e03f655dc4b00eaf009e646aefc95f6ab3cdae19ba8fcd08b3781817c7a9f |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsj3E83.tmp
| MD5 | 8b2e3630af1e0a6facb2916b74f694d4 |
| SHA1 | 78ecee758e49f4152be6e0711bd7a83a6b1b0568 |
| SHA256 | 3a19bf09e1a6bfabe612d245d1ef01072f1befdf0f870aed7f6c9cafcb3ae93e |
| SHA512 | 53b031052676acc4c21fafc75f975e8a3328f979c4bc7b9f0090ca2b6e08689bed5a0204b4db382a3914bc12b1cc5ccca047d23d371ea898ab4b685e35d54ecc |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsj3F20.tmp
| MD5 | b19e5bf70d70fb4f34a158b44f36c583 |
| SHA1 | 55fb2af2bf4981a5de4c854070759c271872059f |
| SHA256 | 74d9301f2eb611e98c372c16db9533e42d2354c35001e66109b2a5b2ba23f25c |
| SHA512 | 11aaab1296a5222882de1f8acbeaaa86f5be3a438ae1eccc7cfe083846bf103404cb268d5bb73dc58f524453f015a76b5feb632a708b298110bd26cb51b9f023 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nst3F5F.tmp
| MD5 | 5fbb5afaefc7e409bbd162e8e19d4b6d |
| SHA1 | aff0d979f6257095b914dbf96a8718da808877f3 |
| SHA256 | f2527ad5bc31fa7f7727d8b7c23d130a5f4b217b3d4fe9d700aa89ca2bd439f8 |
| SHA512 | 54bad00997be3f3068a21f962876e636488bad2f7766cf8898ed54e9c86b1f9bb787dbd02d75a9192d2f5b24d8a8c822c5684ec1fb227fda7a2c325ef2356723 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsy3F7F.tmp
| MD5 | 4fc9d286e3fde00a7ebc6e1f15ff57fd |
| SHA1 | 8f9db532a3a52a7190e7984ba8d6cf79ab080fd2 |
| SHA256 | eab3ba297eda2a40c5887a16e91d9367089221cc662e25b9cf2c9887492e9586 |
| SHA512 | c91e24d04f5e7df8b0950246859a4c7be792c5e74a8164bc2f2fed096c1939b0f277c11f33d15d17b91e15f2ec711b7f7390ec1f4a211d11f729f4f726b2173f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js
| MD5 | 56e13ce1355c76ff2314a76d8bd35b2e |
| SHA1 | ce866817876b7be757d1ea7ae2b7c53ebfdfb1cb |
| SHA256 | dad72bfea56e9c79666ff5e00528e178c4341b003d8c353865c27c581e9a337c |
| SHA512 | f471e4598dfba8041f53b5ec4031cf5f0e3b2bac390c93aa540f0da037547b45786424cf45841d8b56bdce619bf7742bf716f59f81eb96b8ee618327dd57358c |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nst4185.tmp
| MD5 | 6135c76deb66535d5258b3f1f8137532 |
| SHA1 | 145b8cec41181d08a1d0b87468d9896fc82f63e1 |
| SHA256 | d044359ac175299d13b07bd11227a738947b9a19625ee6c6479512abe93ea517 |
| SHA512 | 6f6fd72a19e9c2c2d7997a8c671d62fc9c6ef12e6898707383c9187af74e3650b3da58e0b5b3e1cb3e965c4b5bb194d12badbb834c9f36a24823db0aa3468338 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js
| MD5 | ee414f9552ae0e9de9e333a8c56c5faf |
| SHA1 | 2f0daf73f9077c3af676ce24e169d9697130f378 |
| SHA256 | 0b3267ddaf175fb2023dfa9da3345a564b728ab218c5990928ce17778e7f526d |
| SHA512 | 149c8f2ad3558fc22fe1e6c276281232176560d1d2910915349bfb275c0326671764829397de6acc9664f0006e24a25b546493b3067be57ee53ceb584d65e956 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js
| MD5 | 75fc45f6f02db12f332caa49817db106 |
| SHA1 | ccdc593148c318fda4de37290096150a28dca63a |
| SHA256 | 005828cd1c5e71d4308f54390eb88e8205b1140e7ccff368ea0434fc8a9c0180 |
| SHA512 | 671ab7b5d20b7b4bf17a9aef22b99e578cdac86431f22fb04d960afeaecae0ba487bd0e2a8cd4170fff892962e6716f4e4068ff52763cbda477fd8f1c3eda86a |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nse421B.tmp
| MD5 | 3dc6fc0b4bc9519436fbd57784b9f6ae |
| SHA1 | eed787c05224b4afc25cf7442a368353172a4697 |
| SHA256 | 35d63a35bc7fba5039eb1d7495e4c2c16e413f4105efeff563cc2093b3d0da31 |
| SHA512 | 27659caaba74c5b4093e064b08b921f4df16e84b818a14dd9a290798f749bb85b25417fef7395cfdcdc851df82b3ca5ed2dc8337093d35d2f68fe4d9ad0bf99f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js
| MD5 | 609708741ccb7fe2b7ee032ed676d0cd |
| SHA1 | d09dbdaca730a4652aea37375b1db9257e9bc8b1 |
| SHA256 | 147b94de28e8bb82915ed7e80ec89a2828a188aac80997b21eb1c5fdb6bf7469 |
| SHA512 | aef7318a01ef89790f317fe47460ad79883c84e82354885aca05e37b3dcfdb18a09ba11ab4b8c2dce0a09e0c4e394362c2e108282885ca5225328855b8694240 |
memory/2740-1584-0x0000000002470000-0x0000000002482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsy3515.tmp\NSISdl.dll
| MD5 | a5f8399a743ab7f9c88c645c35b1ebb5 |
| SHA1 | 168f3c158913b0367bf79fa413357fbe97018191 |
| SHA256 | dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9 |
| SHA512 | 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977 |
Analysis: behavioral4
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
147s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\Programmable | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\ = "escrtSrvc Object" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\hrdId = "971d8dda0000000000007e3d785e6c2e" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsEng.dll\\2" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\Programmable | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID\ = "f" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ = "IEscortFctry" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\afltId = "orgnl" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\VersionIndependentProgID\ = "funmoods.dskBnd" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ = "escortIEPane Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsnTs = "1.5.11.116:42:49" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID\ = "funmoodsApp.appCore" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\TypeLib\ = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ = "IEvntCntr" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ = "escrtAx Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\ = "funmoodsCmn 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.165:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
| US | 8.8.8.8:53 | 165.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
memory/2000-84-0x0000000002420000-0x0000000002432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\ExtractDLLEx.dll
| MD5 | ba4063f437abb349aa9120e9c320c467 |
| SHA1 | b045d785f6041e25d6be031ae2af4d4504e87b12 |
| SHA256 | 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5 |
| SHA512 | 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a |
C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\chrmPref.dll
| MD5 | 57d63d48f0bb2fe9b3751342e1b0cc67 |
| SHA1 | 65afbce77b4990f7f5efb5251e90bd9cc744583c |
| SHA256 | 72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab |
| SHA512 | 5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
| MD5 | ce86ace6982b9f2d8836ff204c592dd2 |
| SHA1 | 60ed4aeb4cf23e043e19d3746a1bcd9afa58a3ac |
| SHA256 | 3d808021dfa4617de80d49c7aa6620868577cf573b7a88ed24b7de30a1d4736a |
| SHA512 | c95f53b180ef67fa74c892dcb3b878a6a722716708387b13153d6b660b3111fbfaf9aeb9381c444ebf28166a66923817d0ad57acf076e23650b1ca4496348caa |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
| MD5 | a6ea8baf987c05383013259a3a96b221 |
| SHA1 | dc1f3df6abd8b9fa1a3d364e9021cd5f62590f9f |
| SHA256 | d978712e92d634c150493e35f7dab39483559350914c1a302c0b2c0aaf1c47a3 |
| SHA512 | 0e6200677efff5a9e2babd8ebac1aba3c32a1f4de0251ba2036b6bd0996170777de40ba5df6e933e0b89fbdf8cc4709d09cd077016c83018d9e338a37b63b277 |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll
| MD5 | ac557d58c73411da1d2aa66109182dfa |
| SHA1 | d464184873099e2f3f1700bcb74284b8ca7959ed |
| SHA256 | 01f196deedc9c921e810e083f8f593695596718af1a216df25c4b9b8bfdb662e |
| SHA512 | ceeb8705cda49ef5b17d30cfb8264a57cbecd1fa799906246e2e2ac82575be28547b4bd96953518504067a7538affc570205ee22914945a3f41c0a729eda8617 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js
| MD5 | 50a190a643f231c8d6817b22cf411c2a |
| SHA1 | 0a4f5748c2b9ef29dfc1dddc3a307d5833125852 |
| SHA256 | 8e66f4f6b90976466e96f228edee8e019501777aad93431ae610335c645441b4 |
| SHA512 | b46847a99b2143ff7079331321de6013e89c3fdb76a071c6e47115670ad1f1448214c761fe16705614b68112c0360ac9451af5908bf70b922208c29c8e3eb9cd |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsxBFDB.tmp
| MD5 | 9b797f1bb4a24566963b77332796ebf7 |
| SHA1 | 4fe25da60d189457b7e8c6759af57e10674460e5 |
| SHA256 | 8a620c47db43eef8ebcb4616c6b058765306b47921f915016f425f9d8bcf9bb7 |
| SHA512 | 97a133915cd3a8639b35d48b0f193126496bb0a03f62d2985c4ad4c465d3c6bde5c4494d4f569f94aa90f2dcb3db82fe5eaec9540019446d6bda39213100d7d4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js
| MD5 | 24afdf39dffc976aef20905665d91b08 |
| SHA1 | 774d60192ce2ba59bd7d4ee9f14efe7af131b0b0 |
| SHA256 | 31de9666b1fb5736ca76e586b6ff467b328a303ea7fc7b394fecb1b24522e743 |
| SHA512 | 05af78fbd9f372f5ec4a94eccecfbbd170b14231397d3d5f6e096eb61785c0eef0fedb113b43257b4d444902a87e2a1d6296d4a04c57cc3833224f01891dfb6f |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnBFEC.tmp
| MD5 | d1a4af83f16f9306e527465025c70d40 |
| SHA1 | 8fe8f54b4628ab26d6f0cb1ebad6c4568aa92419 |
| SHA256 | 9c47d5c54f66e6276a25966f2b3ac647b389772a3b5214b3ccabc3a3c9af9232 |
| SHA512 | 4a47a2c1d2bc579c771200d8af5a5bcb76eb5f3b7b27172cf50c477ce15b04480c2766bf42d5cb7a8a27cfb1c4591c9e1c735922989ca34420c0fddbd5f80c19 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js
| MD5 | 109071e4292964007e4e8dcf3b918b1b |
| SHA1 | 67385d2e5dc8e2f640ed4f42c248ee4a23ff6da8 |
| SHA256 | 8c8aa83638a005bb116cb2e9cc8665b193d529fcae2340f3e0b961a94f77832c |
| SHA512 | e1f4a5c0fa21aa8e42f9e1ec0abdac20ce2898985945fd45ae75dcb753598807a9a19813f2a2915b606c8feeb1c3f15da3662948a1aad64440b9e8f37598390c |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll
| MD5 | f95617b082693af8490edb28b771870e |
| SHA1 | e6e7ffa25aa1acfa07888fd388af8dfaf28da656 |
| SHA256 | 7352aaebffcaf4293bfcc66b4b3af0d9a20ea9cf5746e3fc6d548ed2d31a6b0f |
| SHA512 | 72bec0ad4efc4508b3720ed47e45da49b2c92d49878524dd1245d066788e4c508c96866b16ef8d984a8031fe8d5be6a4388acb46ed80c8b35e5a7b56f9a22508 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js
| MD5 | f6bb4c41a5c723bdbfa7f2538547145d |
| SHA1 | 10a21cca7a8e1dadb7d592bb6487591640756dd9 |
| SHA256 | cda69d4d4ac25cc36df161ac6b6fadeffa388c1a0010fe505ab493c12f8b0766 |
| SHA512 | fcaea3fd47669e3bb55d6c6bcda9aef0bb0aa4b466aaa70981c3870d129c11aacae9f7d85943dbef6860d63a124cc680a62ab5a92c917d32c77b119f8a79b165 |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll
| MD5 | 9001188b424b2c2fa40368ee2b1df506 |
| SHA1 | 6ac9d3d3e42acc49524bf9bf80ff3a473c90212b |
| SHA256 | 5809a200cc0524511e3769e2a8be748404eb75b317cec3fac3ebcc4bae850cea |
| SHA512 | 9d7b793a5fbec2311f7c2ab11b15fa641286d1bfd5d04df78ae535002ea693edbdaefa30fb0fd3b288ce0f8045d743fd1bd1eba8c5f8f5a6f53dfc51260e8906 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC0EE.tmp
| MD5 | 7ff58acd61479e45ec30172e3dcc21bf |
| SHA1 | 3b0d8bcb16a15a3bbef91d814fa40a12d37046a5 |
| SHA256 | 663c46d33d12b521aa717c0e3520852eed199b697eda458ab65db971e2cf87ad |
| SHA512 | 38e32dd10448faf22ccd04e0502354acf7355bee96d7b60cf1323891cfdfbea035f1a8b93860fb8fd2a84d41278c97a978c96bac8dd2df5d5fa79e91e203b34a |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnC17D.tmp
| MD5 | b70a3ae702a94f63b4c8d2342ca94425 |
| SHA1 | a621b40b4f513834a6703c5fda8671c352d181c4 |
| SHA256 | fb8d54caf0b0e3e46756967a92f07f17489402614352df9812aac60026f22114 |
| SHA512 | e3a75fe6f133878ea1a6953e04ecbf0cb043e2d131979573f9c4e31b4cfad4af20656b20f9fde0d134f8608874551f95f84369f2ed370afa52d88466631d6b11 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnC17F.tmp
| MD5 | 8cc1d03d3559f97300866ea644872cb8 |
| SHA1 | 0acfad913038b4a9684911a42e58e45392e32fe7 |
| SHA256 | d9f52daad3006b1d0e31ebb44f5ff45392675e71e6f1c9085326254a3a3ad333 |
| SHA512 | e3ed34a9b28a05c6898aa8fb491e69001df73b0f477ace98168540369ba050793782a6ed426327b1793ed528db604ff7613e6d819dfd02b9a3fbe13adb62c1fb |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC190.tmp
| MD5 | b2872927dbd3897c21b032afa5729ffe |
| SHA1 | 1acdfb1cebf384d78f032d4267d72fbc82962ad6 |
| SHA256 | c9ea2c167f7329d0c547382ef97f13e4f87faa588bdd5521210ef458107134ce |
| SHA512 | 65ef9b2a76be968f55b4570e2e88d951d3f18c8dd20072b23bcf5b997b88538b25e541d4237e15f6c26bc6c6140136d97ec7e49a1e1c29529117d7abe6c4e7cb |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC191.tmp
| MD5 | 87d8fa84521ceaf4ad49873e852366d4 |
| SHA1 | ecde848d61884879442378764128fdd5f39f141d |
| SHA256 | 0aea2d4cf44486f26e571200a18f7a19e1992b0bbc04fbf069c3d8acefbba9a4 |
| SHA512 | fbfa689eded7bb328ee12ee5ed437d72c66ed154eb9cc8efa40bbc640682c872e0cf604824efab8695438fb1231727cc66a22525fb1ed704baea2ded3fc2a808 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\user.js
| MD5 | e2db0b9ed33fb3ffafa6d26a83d035f7 |
| SHA1 | 525d6979bde80c9863498bc03aecb353cc9d2a70 |
| SHA256 | ca92c777b1ead7d94f7f7bb72bc1609c1b2c3bf86a65aa7cc8f24ce946fb61de |
| SHA512 | a942dad45716d83d8cabe7c47da30ab9db4a0495f9e788d14fd656356bcfdad4798ae7866d46bd85ffc296fa998e4b2c0f225b7f0407ee25b99fd41ca3427b98 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\user.js
| MD5 | 7d3751e4f32177ee986ad47afa4977e5 |
| SHA1 | a71e9a06f35bfeddcd2c8dd01edc401e5500f515 |
| SHA256 | 9ddf9abc626345ab926a108bc939a4e37c1863301c6bbcfdf1dd2f9d0ac46286 |
| SHA512 | 6351e4b26f3b6e7d875f65f1be7254dd2f622089eb9a286bec484451cc6a1f3c37d639f406f359beeb6c5347e30a042b7d2bbf759c02fbef66b9c2a6f4fe9b6c |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC1E3.tmp
| MD5 | ea63c872919417f8cf9d00e35ea056e7 |
| SHA1 | 4fe71ac12b2da8c1cee141430b43e3ce910e3d22 |
| SHA256 | e24f41e607040f778414f706826471686def64aef6111efb83d947a58f689f30 |
| SHA512 | f5106337d4292b67a129350eadc9281416a708996202a37f2e036a10d0a7fec62b299d0f2993f2ebee5ea75259b8bcbac66c110b85fb8ee3cf133f5c9091f18d |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsiC203.tmp
| MD5 | 456688a268164631f9c4fe9b6a420f4e |
| SHA1 | 5f738ac84c6005b8d4f9f56c418d89560287d637 |
| SHA256 | 93abc7fb98ddbcaeefb064e357a81cbba71962d8688e35838e63c95a82201688 |
| SHA512 | 22123a06a87a35253fca58d608daa0b1b5a8c93e6f3f146a85e239db55652067134aaf6c32aa732c2a897b857bfac0591d92d0047598e1f190132efab37e8284 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\user.js
| MD5 | 6a9f18f328c7045a301cf9618c3210cf |
| SHA1 | 31a24acbfffdbfef12a8076ec10200c7686de2ee |
| SHA256 | f468ec7a07eacec92e6e55deb108cdbcfdbea04a89adebd9268f6ac2a7e6ce10 |
| SHA512 | 309ef953b3b61eb9cd11b6c1c9012717b8229fc0c6c813a791c86d679d56fa7700ccd3cbf2cb2d93c4a9f74477adbdb5dfb6a1bce332826b3dc3fe9532dd33b1 |
memory/2000-1600-0x0000000003A10000-0x0000000003A22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\NSISdl.dll
| MD5 | a5f8399a743ab7f9c88c645c35b1ebb5 |
| SHA1 | 168f3c158913b0367bf79fa413357fbe97018191 |
| SHA256 | dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9 |
| SHA512 | 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977 |
Analysis: behavioral10
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2152 wrote to memory of 4240 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2152 wrote to memory of 4240 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2152 wrote to memory of 4240 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4240 -ip 4240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 224
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240729-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20241010-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 228
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 224
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2864 wrote to memory of 3576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2864 wrote to memory of 3576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2864 wrote to memory of 3576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2760 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1608 -ip 1608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 224
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
144s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5096 wrote to memory of 544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5096 wrote to memory of 544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5096 wrote to memory of 544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
141s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsiB44D.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\nsiB44D.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsiB44D.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
C:\Users\Admin\AppData\Local\Temp\nsiB44D.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\nsoB50F.tmp
| MD5 | 2de28ef8b3d759f950370e8134cf2e7d |
| SHA1 | cf4eda85b5e6572111f22b9519eb3ad594692cde |
| SHA256 | a26b1f4385db29fba580e1940cae74adb6602b8cba9dda01effdd642b0653d4b |
| SHA512 | bafef113f3923564b01ad68dc4e8f2e6c7e3a66296597366df095f70f08f5ce52407af3e01675cc1683fcb515e7001051457aaeacc247ad311bee5856d9b895f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\user.js
| MD5 | 1339374958e20825f4fa16f8f331abb8 |
| SHA1 | e28472b0478e6c2ba3e72172b34f8981a3f87c33 |
| SHA256 | 918ebacfe518b4b270456a0f2f6d4e750d5f2aab1c67fa9ea5d90f1ef9923396 |
| SHA512 | 3d93daad8f8756886e54c0989cec55573f90a861eca8d89464e9efc86d1669189ac15f02f30c5fa54f097061704afb3dfd89a90017567f4675b883daa555d780 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\user.js
| MD5 | 74adfd017bca6c359bc4050838d36806 |
| SHA1 | 2f094be470a8fd5957a068c1babce8e52a7abcb8 |
| SHA256 | 80fe442b9ba6d7f130ef38b3db1383770f069f6e5af902b7c87e9aa611ff28fa |
| SHA512 | f8d09dccb26ec7538c287b4d50f9f55912c0d8e847b470a1ba42eab056abe120a87b06e9eb3f1dbbceed54e109bbf48024f14e6485a606a20f26652ef1ddd59f |
C:\Users\Admin\AppData\Local\Temp\nstB57F.tmp
| MD5 | 34b29f2d0a7c2e3768a01533cbae5c76 |
| SHA1 | 8a9cdb55e37f9cc808d61f762063ff334a339585 |
| SHA256 | 458b17e77d4f24873b79ce4628e746293957a8f84fdaaa07ea9059f5a174834b |
| SHA512 | 283fe691ffbeec4c1fe63cf2fbd4fcd656419164377e5e79b2928f9bdc3917ad8c556e453ba474a70204cbd84142e216c2fb547b145e5ae66c19a33117273428 |
C:\Users\Admin\AppData\Local\Temp\nsyB59F.tmp
| MD5 | a5038c4f872a3951ab4bb0b07b75d960 |
| SHA1 | 7f7fd2b186bb08d76af672ff310c39b7779e9230 |
| SHA256 | a7045fae6a1852677f1ccdb565dadab0b6247a05db376dd2e66689a6bc466a05 |
| SHA512 | d36802b7015cf489557fb9dd35d3d2d361c656d64fe89c805f5cb80cd8d03c947d50ead9822a6e1aa3e1809e59e420ca339c0e4f8b3eb53e21bdc71a3f822ddb |
C:\Users\Admin\AppData\Local\Temp\nstB5CF.tmp
| MD5 | 5412291475c07d2cac1775668394ec23 |
| SHA1 | 08eebedb08c0a80bc569bc888a1aae364778def0 |
| SHA256 | e81338668467d2b799a98e675dfc7f65bad0e39aa2b67f006c8d439037062020 |
| SHA512 | d71ec044adf742f737851fd879fe55c89e189772cc7e19d89d490133987a6fd41236662504f8c6340564d7cccf84feeaf40832e491128db19a7b751044ebf5a8 |
C:\Users\Admin\AppData\Local\Temp\nsjB5E0.tmp
| MD5 | 00cde1e35bb43209dbf11535b85befb3 |
| SHA1 | fc212ff04843e39251936687c983e3a0af071cc1 |
| SHA256 | 4010a5883766767cb6cda9f848b73b84be11d04ecedb56625197ea5b29946c2d |
| SHA512 | afc97d8633d0471af09ff08faf409f816486ce5a2c92fcb84028549bfa59c6a67f67ea0bad0768991adf71a039b91b2920c49e7c164be06c8c73a28facf3b8d6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\user.js
| MD5 | 03189589f99d48b8ac332d294c221733 |
| SHA1 | a89140e9dd25b45b350e9502159c3a494f8bb682 |
| SHA256 | 12592c432692824efa59b723287d9f84b7d04ad7b3a3ee1b75b49ad79f731295 |
| SHA512 | a529e3a4648cac36c5714ede8371ff5047f8bc86a94769415df079c3af19c9c5e7bf3b43e75165a3c605f4077704c41c5ebf61fab095af015cd00191f0304eec |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\user.js
| MD5 | 62b99b24c526eb931f669cfb4f154bdf |
| SHA1 | 63d795bb606c761365addd64caaf86228039f1ba |
| SHA256 | 96ac5c54efc35ba78eef700530edb37731f5e392eb7426eefd13e546ff139a6c |
| SHA512 | 207e4c503e1dc403136fca6630cf0c2ea7a898a75a8e6422ff6ae42c5e0f1bbeeaddbf93c52629c4bc378ab8e9ec3657e333d0c44cbf60dfb24e5d82ac9375a8 |
C:\Users\Admin\AppData\Local\Temp\nsoB6A3.tmp
| MD5 | 20b13e7769da09ba85544d16badb33c5 |
| SHA1 | 9b357c2d38819c7eb0d4c8ef4752e3d928fc3365 |
| SHA256 | 7f37a66031f82f15bb9a6a93837084f807226a4956afdd6d3904f295477bebc9 |
| SHA512 | 71c3059b748b627a1cdca6c787c4ad78a327ea04f16d2de36c445dfe958e9456539ced6b191de3fd7be8a7b0fd245462c08daadcd8abfd2da749460579cfcc75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\user.js
| MD5 | d5a18c9ce336b38715ec1701f2ced1aa |
| SHA1 | b8b9a6d039c74f0c4df25cb68de7529645705e8e |
| SHA256 | ecba2ffb3cd011090e044db47f6df2a075a6ec294cafc6fb4a2bccaecbd8abcc |
| SHA512 | 691e875ff157851b0f005ad8ab0547ed28d5e6a79bebce4f78b5e10a9f36b7a8e1813dd624542cc9bc5bdc05fc8cb43eed87c8e7c716538e2853c9471703e603 |
C:\Users\Admin\AppData\Local\Temp\nsoB6A4.tmp
| MD5 | 20d26fdcdff73e5cb3578f7f095f8ab1 |
| SHA1 | d847ecd56650d8e5f838c104e3ef9ea427cb8eb7 |
| SHA256 | fe1fe0598a990c4b7773995924d36ac5190e144c3e0b107698e52461472a5dda |
| SHA512 | e05e7590a4761ffbf3f2c23baabb2fc86a4f71af9138aa563044ffacd10e9acd1157783bebe85c15621544756af74aa4d08f740314a4b05d9be121705b36190b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\user.js
| MD5 | 6509e18ec8a949726ba51c78388e0949 |
| SHA1 | ad798a569543d5932f52dae621637f7c97990e46 |
| SHA256 | 2a11caf1795c15a83f640af3abe5de1eebee47442dfab949cc3750d91e6cfd61 |
| SHA512 | 4a7d20fa054b792a25e61ba03f8ec21af7308e4b9f98314cfb99fcce4a293c3b3ad6fa7eb6d40c587d1374b91170ab4347d9346055e85416b9380c8903d46e8a |
C:\Users\Admin\AppData\Local\Temp\nsuB718.tmp
| MD5 | fdd1845348e840238f31593a686c4bd8 |
| SHA1 | ad3ca8fd93eabae9baa026f4ec7a49d54093042a |
| SHA256 | 9acf25b45b0a49ac00f2d219acb8f90b1f4377ae14da664ce0d1804c8a287d25 |
| SHA512 | 149f4da55c56e5724a8dae58459ae890327fc802d9682573cd823082af9bc1a44e86608afacec6af471a4bd841157db7123da4e8f0702031bfdb537f5a052512 |
Analysis: behavioral5
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 224
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 216 wrote to memory of 664 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 216 wrote to memory of 664 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 216 wrote to memory of 664 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 664 -ip 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 224
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4456 wrote to memory of 2016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4456 wrote to memory of 2016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4456 wrote to memory of 2016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2016 -ip 2016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2432 wrote to memory of 4116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2432 wrote to memory of 4116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2432 wrote to memory of 4116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
138s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 912 wrote to memory of 3996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 912 wrote to memory of 3996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 912 wrote to memory of 3996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3996 -ip 3996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 224
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win7-20240729-en
Max time kernel
16s
Max time network
20s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 224
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2025-01-15 16:42
Reported
2025-01-15 16:45
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3132 wrote to memory of 4716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3132 wrote to memory of 4716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3132 wrote to memory of 4716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4716 -ip 4716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |