Analysis Overview
SHA256
270fb7c57f81aeac78e6728e7eb4a7f0fa5d9fec3d648f40d769df6178963871
Threat Level: Shows suspicious behavior
The file JaffaCakes118_5c2e217e59694b6e78542bec4c2599c3 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ACProtect 1.3x - 1.4x DLL software
Checks installed software on the system
Installs/modifies Browser Helper Object
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 16:27
Signatures
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unsigned PE
NSIS installer
Analysis: behavioral12
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3312 wrote to memory of 4612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3312 wrote to memory of 4612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3312 wrote to memory of 4612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 624
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
148s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2148 wrote to memory of 4848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2148 wrote to memory of 4848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2148 wrote to memory of 4848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4848 -ip 4848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 612
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:30
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1608 wrote to memory of 3720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1608 wrote to memory of 3720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1608 wrote to memory of 3720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3720 -ip 3720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 612
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 224
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:30
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1764 wrote to memory of 4996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1764 wrote to memory of 4996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1764 wrote to memory of 4996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 372 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 372 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 372 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 600
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240729-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 224
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 224
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 224
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3232 wrote to memory of 1664 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3232 wrote to memory of 1664 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3232 wrote to memory of 1664 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1664 -ip 1664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 624
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:30
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3592 wrote to memory of 1936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3592 wrote to memory of 1936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3592 wrote to memory of 1936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nso76B7.tmp\nsisos.dll
\Users\Admin\AppData\Local\Temp\nso76B7.tmp\mt.dll
\Users\Admin\AppData\Local\Temp\nso76B7.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nso76B7.tmp\Time.dll
C:\Users\Admin\AppData\Local\Temp\nsj7736.tmp
C:\Users\Admin\AppData\Local\Temp\nsy7746.tmp
C:\Users\Admin\AppData\Local\Temp\nsd7766.tmp
C:\Users\Admin\AppData\Local\Temp\nsy7797.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.Admin\user.js
C:\Users\Admin\AppData\Local\Temp\nsy788A.tmp
C:\Users\Admin\AppData\Local\Temp\nso789B.tmp
C:\Users\Admin\AppData\Local\Temp\nso789C.tmp
C:\Users\Admin\AppData\Local\Temp\nsd78AC.tmp
C:\Users\Admin\AppData\Local\Temp\nsd78AD.tmp
C:\Users\Admin\AppData\Local\Temp\nst78BE.tmp
C:\Users\Admin\AppData\Local\Temp\nsj78D0.tmp
C:\Users\Admin\AppData\Local\Temp\nsy78E0.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\user.js
Analysis: behavioral30
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:30
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
148s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1928 wrote to memory of 708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 708 -ip 708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 624
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4704 wrote to memory of 2248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4704 wrote to memory of 2248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4704 wrote to memory of 2248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2760 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2348 -ip 2348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2e217e59694b6e78542bec4c2599c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\SearchScopes\{D85A78F2-5206-4D09-949D-52DD10EDCFB9} | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D85A78F2-5206-4D09-949D-52DD10EDCFB9}\DisplayName = "Search" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://start.funmoods.com/?f=2&a=down" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D85A78F2-5206-4D09-949D-52DD10EDCFB9}\FaviconURL = "http://start.funmoods.com/favicon.ico" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D85A78F2-5206-4D09-949D-52DD10EDCFB9}\Codepage = "65001" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D85A78F2-5206-4D09-949D-52DD10EDCFB9}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/FNMD/FM/1.5.11.16/funmoods.xml" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D85A78F2-5206-4D09-949D-52DD10EDCFB9}\URL = "http://start.funmoods.com/results.php?f=4&a=down&q={searchTerms}" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutUrls | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://start.funmoods.com/?f=1&a=down" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsnTs = "1.5.11.1616:27:31" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ = "IEscortFctry" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CurVer\ = "esrv.funmoodsESrvc.1" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ = "IEvntCntr" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\aflt = "down" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\VersionIndependentProgID\ = "funmoods.dskBnd" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ = "IXmlCnfg" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ = "\"C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe\"" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\Programmable | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\ = "escorTlbr 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CurVer | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\ = "funmoodsCmn 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\ = "CDskBnd Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2e217e59694b6e78542bec4c2599c3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = [binary data omitted] | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2e217e59694b6e78542bec4c2599c3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2e217e59694b6e78542bec4c2599c3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2e217e59694b6e78542bec4c2599c3.exe"
C:\Users\Admin\AppData\Local\funmoods.exe
"C:\Users\Admin\AppData\Local\funmoods.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.uptodown.net | udp |
| US | 151.101.67.52:80 | img.uptodown.net | tcp |
| US | 151.101.67.52:443 | img.uptodown.net | tcp |
| US | 8.8.8.8:53 | crl.starfieldtech.com | udp |
| US | 192.124.249.31:80 | crl.starfieldtech.com | tcp |
| US | 8.8.8.8:53 | 52.67.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.uptodown.com | udp |
| US | 151.101.3.52:80 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 8.8.8.8:53 | ocsp.int-r1.certainly.com | udp |
| US | 151.101.67.3:80 | ocsp.int-r1.certainly.com | tcp |
| US | 8.8.8.8:53 | 52.3.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.67.101.151.in-addr.arpa | udp |
| US | 151.101.3.52:80 | www.uptodown.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 151.101.3.52:80 | www.uptodown.com | tcp |
| US | 151.101.3.52:443 | www.uptodown.com | tcp |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | start.funmoods.com | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.165:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
| US | 8.8.8.8:53 | 165.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nslAF8A.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
C:\Users\Admin\AppData\Local\Temp\nslAF8A.tmp\nsRandom.dll
| MD5 | ab467b8dfaa660a0f0e5b26e28af5735 |
| SHA1 | 596abd2c31eaff3479edf2069db1c155b59ce74d |
| SHA256 | db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73 |
| SHA512 | 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301 |
memory/4744-22-0x00000000031E0000-0x00000000031F2000-memory.dmp
memory/4744-19-0x00000000031E0000-0x00000000031F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nslAF8A.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nslAF8A.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
C:\Users\Admin\AppData\Local\Temp\nslAF8A.tmp\inetc.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
memory/4744-50-0x00000000031E0000-0x00000000031F2000-memory.dmp
memory/4744-51-0x00000000031E0000-0x00000000031F2000-memory.dmp
C:\Users\Admin\AppData\Local\funmoods.exe
| MD5 | badf0b8e9bc8d7352fb084951255ee4f |
| SHA1 | e584634b5565fd81d7258fca86c632c9d3e1cd14 |
Analysis: behavioral4
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
NSIS installer
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ = "IEscortFctry" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\Programmable | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CurVer\ = "funmoodsApp.appCore.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlDay = "20103" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer\ = "funmoods.dskBnd.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ = "\"C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe\"" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID\ = "funmoodsApp.appCore.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\dfltLng\dfltLng | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ = "escrtSrvc Object" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ = "IEvntCntr" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CLSID\ = "{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ProgID\ = "funmoods.dskBnd.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.165:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
| US | 8.8.8.8:53 | 165.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsj9D0C.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\nsj9D0C.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsj9D0C.tmp\nsisos.dll
C:\Users\Admin\AppData\Local\Temp\nsj9D0C.tmp\mt.dll
C:\Users\Admin\AppData\Local\Temp\nsj9D0C.tmp\Time.dll
C:\Users\Admin\AppData\Local\Temp\nsj9D0C.tmp\Processes.dll
memory/384-84-0x0000000002870000-0x0000000002882000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsj9D0C.tmp\InetLoad.dll
C:\Users\Admin\AppData\Local\Temp\nsj9D0C.tmp\ExtractDLLEx.dll
C:\Users\Admin\AppData\Local\Temp\nsj9D0C.tmp\chrmPref.dll
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ckv2sw8.Admin\user.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\user.js
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsaA164.tmp
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll
memory/384-1600-0x0000000003A10000-0x0000000003A22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsj9D0C.tmp\NSISdl.dll
Analysis: behavioral7
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20241010-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2736 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 5068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5008 wrote to memory of 5068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5008 wrote to memory of 5068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4080 wrote to memory of 4736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4080 wrote to memory of 4736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4080 wrote to memory of 4736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 224
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2e217e59694b6e78542bec4c2599c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{247FE9B4-EBA5-4182-B0BA-E211BB8021F4} | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{247FE9B4-EBA5-4182-B0BA-E211BB8021F4}\DisplayName = "Search" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001419e52522d28f4ca507a196fd5dc5af00000000020000000000106600000001000020000000827451279495f0754f438d718d30ed69f56b007eefaa58ac3fdc76e0ca4d231a000000000e8000000002000020000000578416fb84a1a6794b2b8f2285c3c1016249d8df9ad001ce1aaf017bc02e571410000000edc7f571577f4d29fedab046f864d10e4000000093aa6fc404d961a14a798b7e197f56a2d231bbca8c13df412ce9033b8550cdc8067d2b588860410b934eabad585133eebeb2c4581585d88ba8317bb0c13a6644 | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{247FE9B4-EBA5-4182-B0BA-E211BB8021F4}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/FNMD/FM/1.5.11.16/funmoods.xml" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{247FE9B4-EBA5-4182-B0BA-E211BB8021F4}" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutUrls | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{247FE9B4-EBA5-4182-B0BA-E211BB8021F4}\FaviconURL = "http://start.funmoods.com/favicon.ico" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 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 | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://start.funmoods.com/?f=2&a=down" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{247FE9B4-EBA5-4182-B0BA-E211BB8021F4}\URL = "http://start.funmoods.com/results.php?f=4&a=down&q={searchTerms}" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{247FE9B4-EBA5-4182-B0BA-E211BB8021F4}\Codepage = "65001" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://start.funmoods.com/?f=1&a=down" | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CurVer\ = "esrv.funmoodsESrvc.1" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ = "escort" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ = "IRegmapDisp" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\Programmable | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsApp.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID\ = "esrv.funmoodsESrvc.1" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID\ = "funmoodsApp.appCore.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlDay = "20103" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsEng.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ = "IEscortFctry" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\Programmable | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2e217e59694b6e78542bec4c2599c3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2e217e59694b6e78542bec4c2599c3.exe"
C:\Users\Admin\AppData\Local\funmoods.exe
"C:\Users\Admin\AppData\Local\funmoods.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe /S /aflt=down /mhp /mds /mnt /stagedXpi
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | img.uptodown.net | udp |
| US | 151.101.67.52:80 | img.uptodown.net | tcp |
| US | 151.101.67.52:443 | img.uptodown.net | tcp |
| US | 151.101.67.52:443 | img.uptodown.net | tcp |
| US | 151.101.67.52:443 | img.uptodown.net | tcp |
| US | 151.101.67.52:443 | img.uptodown.net | tcp |
| US | 8.8.8.8:53 | www.uptodown.com | udp |
| US | 151.101.67.52:80 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:80 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | start.funmoods.com | udp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:80 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 151.101.67.52:443 | www.uptodown.com | tcp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.165:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nso4E31.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
\Users\Admin\AppData\Local\Temp\nso4E31.tmp\nsRandom.dll
| MD5 | ab467b8dfaa660a0f0e5b26e28af5735 |
| SHA1 | 596abd2c31eaff3479edf2069db1c155b59ce74d |
| SHA256 | db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73 |
| SHA512 | 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301 |
memory/1120-17-0x00000000004D0000-0x00000000004E2000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso4E31.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nso4E31.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
\Users\Admin\AppData\Local\Temp\nso4E31.tmp\inetc.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
memory/1120-40-0x00000000004D0000-0x00000000004E2000-memory.dmp
\Users\Admin\AppData\Local\funmoods.exe
| MD5 | badf0b8e9bc8d7352fb084951255ee4f |
| SHA1 | e584634b5565fd81d7258fca86c632c9d3e1cd14 |
| SHA256 | 73db5f6b89963d6692e3c43c8f3e5265ec4512ce87fe652e9ec3a4a0bb036db8 |
| SHA512 | 3b704e3b0d440f1e580cc277c3c68223139f35156b00250ebf9a231f03d5f74bd19bbf948061e7b8be13b9c08aca9f30a0929cfce5a9d5cc3558cd187a05d53e |
\Users\Admin\AppData\Local\Temp\nso9AAB.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nso9AAB.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
\Users\Admin\AppData\Local\Temp\nso9AAB.tmp\mt.dll
| MD5 | aac69f856c4540edd4ef7ce6c8571639 |
| SHA1 | 2860f55ea9774d631219e66604051e90a43258b7 |
| SHA256 | 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd |
| SHA512 | ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd |
C:\Users\Admin\AppData\Local\nsy9AEB.tmp
| MD5 | dc4472d890f2558448c3a40b29e41a18 |
| SHA1 | cc04f66a5c5432ad4c435157ee443a231a54a03e |
| SHA256 | a691590b58f8b2db5beb7d7cc7dd869ac82098c52935583cc5f3ed23703e1b9b |
| SHA512 | 071fe13601c188cbda40b9db3ec4f96e80fc60a12d9fa1b43a45f39fa423e35fa04f6dc063a6cab5c4adb48808ab5686010ebe3b030ec9c7e555133e314ba85c |
\Users\Admin\AppData\Local\Temp\nso9AAB.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\nsj9B2C.tmp
| MD5 | aa4d624ec6ddb4db8f587700e83fcde7 |
| SHA1 | 8ac1c3397c90be253a718dc8af9e84ee63ea4185 |
| SHA256 | 7f7fe8a15e9d52cc9bb617544ad0ed458afbd7adaaf99bb06d18b9b8da3637c8 |
| SHA512 | 0c206d53a114228c675b4d328c1bd4b297b6224e113c076353d4698bd963898f58fa4a75281db04ebdeb6051a9aed95f01ba7f3f164d2d24dfc397437106b210 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\prefs.js
| MD5 | aae76d3e5eb116e868aba251f975beaa |
| SHA1 | a9486f01786171d97a7196e3e1153d5acbf8a357 |
| SHA256 | ab43d2d5af74bd3cdd4e01d93ff5fe5ae7915324ba92ffd32cc9beda14f5dc04 |
| SHA512 | a1675c6ce3ef9b86090032f687e522208916950fab80de885a8a6aea5213baa64a46c8f9945fd84ad5dae80d079ae2768feb66cafca1076dd36c182436a11c1e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js
| MD5 | 3b6f21258d6297631937ee72f3579931 |
| SHA1 | d561d77614df30f2a509df4779e35ad221ea77ea |
| SHA256 | 8fdf47f138cc0756299465efb316120580558adafce7867fc2d090cc2487c9c0 |
| SHA512 | 64b7b8793efcd26aab9f15097d57e3b89423538fefedbd501a036ac527a7eb964b344679fe4cc0e96dfcada53a5994248716615a42e20d00357a2132626c9eb6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js
| MD5 | 35bd49cc80393a45ddd5dfb69e92e936 |
| SHA1 | 8a235a288238d1ad253a2afed7ad8be6edd7b09f |
| SHA256 | 0689f3e70406af7fd14e5f3f25954fae558e4ed6eca8294e3ebc7a28305728ba |
| SHA512 | 8d755ff2bdd9116763a6afb465e583a43076d3d767a39f6ec46b2b3f20563d79f41a5409867ae6e21b1b0aa529806487aba21975344bd474a08341ccc0295e7d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js
| MD5 | 21e2ca66b86e5bf3a6032fdbc45e90b5 |
| SHA1 | ea70be42630e89f7a650abb4e71852efa9893c9b |
| SHA256 | 704628eb647ff0f3e61d951bd0cb3f97f7e58a8284c4e50c71f4369aa111873a |
| SHA512 | 3757f022724b7ba2efb3c0f5da649bfa8e609752266fde6b2999de31fc01390eae20e6a65d8cbcffaf338936de5dd018b76953679e763448078e27b208b9fd65 |
C:\Users\Admin\AppData\Local\nsd9BB0.tmp
| MD5 | a6586122c0662f36a4f26b6c3959811c |
| SHA1 | 929259027561933065e6267fe948b33bd549d2a8 |
| SHA256 | 2bce865f219fe68157cf29b115642d1c68a0cf062c14e3853321e4d7b4fc4edb |
| SHA512 | 622683523e7049eef983dfd0fa177882b1a1fe153aac634308b2ebee5b6b1d7bca93ce67327d77d9e2df13010ef7d2785cee5752dc7847435f71ba1c8d156bcf |
C:\Users\Admin\AppData\Local\nsj9BD2.tmp
| MD5 | 17400eab9fefbdf3d0db07c0481264f8 |
| SHA1 | 69532881a4f1c579a5b9e64fb42eb346040fee68 |
| SHA256 | 867cbc29a03389aad11777998f13f3ee1d456ea558f4c3ddacd75e1fee103e3a |
| SHA512 | 99a49d06dcdbd11dc40fc72f5ff993582e5ead719006d1f2fb4796e5ac67268688a7618ad65bb36ebf44406bcc5c398f119b43f91d6ba26927948489a51d4df4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js
| MD5 | b804e77d692f76f6b411f020cc930dc0 |
| SHA1 | 019911c69ba034cf0be5f9ef70d9d748df9eb98c |
| SHA256 | d469d6f59a86889c7d5d0282279b19109b8f5d7ba1e8552d355805417a8c2c46 |
| SHA512 | 47978f97fe69ef35b7ffa7649f3289ebc8fb5c3a12a201d763a4607b9f63ff39d2e66be629b82f8af0521bd1930d604a981dad63d976a21d69f2be2219da7c75 |
memory/1424-1343-0x0000000000480000-0x0000000000492000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso9AAB.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
C:\Users\Admin\AppData\Local\Temp\nso9AAB.tmp\chrmPref.dll
| MD5 | 6845d147b88de1f005d9c6ebb6596574 |
| SHA1 | 64523302e2b1e2ee7a31580d2acac852db3c7e45 |
| SHA256 | c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e |
| SHA512 | cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nstA307.tmp
| MD5 | c64de45f256fcc317cd19cd6f2b1cdf7 |
| SHA1 | e590a613b90e053a0c2e26ee72770f286ee30042 |
| SHA256 | e1c20dfc4607a1b26c945b56174ee603b3942fe7284e02520280d6f0ddec8e44 |
| SHA512 | 9945ffd80c2e607b9b1b90a5c9e8ca08150269c34b980e0e580a984c9046bf0a39f0ad5a33e6d6d475b962fed4c407ae9d9e7fdf510ec72d6f5aac608177c4bb |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyA327.tmp
| MD5 | fa69ac8a1bc396380081cd30ec3c8296 |
| SHA1 | 06c552d73b422fa885ea763a4f655bb62beb0f81 |
| SHA256 | 45debc9b3d91428501a225cabbca0dc6bc6be639b4d219ff963fa0a00a297201 |
| SHA512 | acff231427d1111c378db7b2413cf52312e6d9afda83231b6f0cc73a0fa73d6a72230b119bf75cf5b779e8dcaebb182b33c86d5838b9d25cd9c51fec71689681 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsdA348.tmp
| MD5 | d85936104045fd104f9c94e9108c5949 |
| SHA1 | d16844b0f90f46b301f80dde2703702692707fb1 |
| SHA256 | e4829e921406b3240285cbd1c5f2c145755286c63f0ab670d1d06b20c910d1c1 |
| SHA512 | f58daaab386068888bd7f0b2e01f486a3e1eb58d31d8033266397948335fe6835516430541bfae3c0802b0654e6b55fd231062865eae6540ab9a84e5624bd1b5 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyA328.tmp
| MD5 | 2f04f6c3970812e9e1e74b89b8fc3dbb |
| SHA1 | aacb933226012cca4e691bfd7fb79bb2fe7aa339 |
| SHA256 | 4bdcc9f09a8846aad3fc575fc7ef1289da78cef882f88c9a510afb0197447ebc |
| SHA512 | 3ec6965ee5f8e84dd3b68d2d1338183d1e6f1fb03d97378d3696001518c97bcd88c6b8fc335d5571ead6961d6bc4bd587059f5ff08c49313ae260a753f5c9f91 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js
| MD5 | be80cff71e9bbb43618169520f43989e |
| SHA1 | bd827ff0c34cd04b98aa4f8ca9a68e956d28a325 |
| SHA256 | f4e5a3ab449aee2245caf6240aac46ca52b5fea71dd3ab18cfc081bed92c9524 |
| SHA512 | e2724da4a298986084848e087320d45a26c68cbeb01949c183258be26dd921c7434ad45ccb62c92c3468b8ce8c075bfc4ec184d65739330766937d5b4d7133eb |
C:\Users\Admin\AppData\Local\Temp\nso9AAB.tmp\IEFunctions.dll
| MD5 | 5a3a8d916dd0071f16d217bbcfe7d047 |
| SHA1 | c2265fa5cec491706d0921e4274c674b693f326f |
| SHA256 | 465e81022be2df0433a6e02d427a79dc733031abc89d99746b73576a976857e3 |
| SHA512 | 8908ee2e329171d2ee430aacf7f86be565472cdb9b338786188ab37d6e6a714e5bc98552a39737ff8a5f314730c9f351aa0f1fa8207eff32289d7bccb3e05a08 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\funmoods.xml
| MD5 | 4572bfac1a74abe2d4d716871b2c9cad |
| SHA1 | daa25567a196e9e7b10b2bf33ba35299f2c16f84 |
| SHA256 | 8f2ac3e5f4345b19010d7dc0a7ed835727f5e7780f4c00517aadb18724dcaf29 |
| SHA512 | 285f22cea572aab5b37acb00e1e77db684e57c40361bf7eb05dc27c0ac42587b1dd9666cfaa9547862db43d5284c0e9087dd2c45247635fa22a51a6431267d15 |
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe
| MD5 | 673e6109fbc2405238429562ae058f37 |
| SHA1 | 293a96724fc0e772706f108895db321b58051524 |
| SHA256 | 4dae85611b9fd18f44c36f330762ca7dae3842604999d6a5edd3d416b4ab0841 |
| SHA512 | 0d1db02c84d2a7502af966886889a63467fdc310c25076cd1629064f9dc5bda63248ea2cb34757f9e93e341cd89833979c8bdfffab2d09c722c3a20cd244f4c0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js
| MD5 | 45941d163863240af964deae85f736af |
| SHA1 | 51f4ad653d24abfd07dcdde454eab4d19956f040 |
| SHA256 | 527d71436f2d59b345776104339914b7ecb6998bc62e5dfed4c8e556146777fd |
| SHA512 | 22db644ed59c4a4f52cf0373a30fc971c9f675c794a27002f576f82737e58bed19122412243e44f2350f3c83d1ad279fea9c6c3df809fb4758cf7f52dbb7d252 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nstA3AC.tmp
| MD5 | d2f7f28eeff5216417f78083fa94e2c5 |
| SHA1 | 2778ec700f962e8f16067e8764f38085a36cda8a |
| SHA256 | 346e289326b32e0b675e3de194a1811f425e0b1c38b8109968d305d427dde653 |
| SHA512 | d7b73c47cb21d6e05a5829f4f679efd8e786a3a19aeb6473bdfcb0449836f9d9a7873f1718c4b781bfaca9dd98c740ecae9a41857ac86f2f02f3a890d98bf307 |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nstA3FB.tmp
| MD5 | 94c2014450a8dcaa57dcc24377051365 |
| SHA1 | ca44bcd469e7bf8870df151d9c48cb828786727f |
| SHA256 | 169ffe5437d806d9bcb5e5536efa0ca1fc785ade5ae8bdcc5c9d113445ba07ff |
| SHA512 | 74b800d84146544ecb1ec2fb94a9dc362089d5ec64ad1c1cad167e7d2406fb7a6a10a6dabdac925ef0adab448cb9446dd976b8d1ab7ffc24038de7c4ae1ab8e8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js
| MD5 | 69cc30e3545fcb0ee29205339f1a5073 |
| SHA1 | 448e417ac6411d336afe6e1d078ca19b2ff50144 |
| SHA256 | 8ed47ecd52ef56c07ca77b0b8798dc93baaa9baa80377562c373e1dbd20a51f3 |
| SHA512 | 2315090d115d711be21fc9c43a5feb3ee38935c0784c461de1afd3f1395164015f56528fbaabe1fbefef755c0fc85be43a6af4a61d4566dd1b85edef2f1e5fc2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js
| MD5 | 270e55b8a678d262fdd7947c71ead02b |
| SHA1 | 7eaffefaa329d9583fc5402ccdb84f0a4eb2dd3d |
| SHA256 | bcfb1170d5ee05cecb2088cca2bd317c6e71430c73dcfbd562165053c507dc93 |
| SHA512 | 0f9565d7cefb6f074ec98c2852151872b5e900fd330b214300d241817d5dc3fb49a765fe79adfe250c16360258975da97cf49c96f40474620b0e639f97ebff7f |
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyA472.tmp
| MD5 | 0873bea6fef1cced976855b805b9d3a1 |
| SHA1 | f61912c723bcd4573dcdc2470a240999a351b724 |
| SHA256 | 6916735bb1c50a51c1b3e5ae18148bfc8360fe6c8eae1f5426ae4aecf980af4e |
| SHA512 | 6197af6f1db5081c7a49b3af9cf35d19275d5175fafa60a6c2018b16c55c9fd145c4b5088dba1de6f481a350afcb7a6600ff6f496fb3f3d25f61cffc9ae4776b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js
| MD5 | 7818d65a77753845cacbd63709ce9d31 |
| SHA1 | 437c6563843c8ab14c60d9c2266746c0b3d56cb5 |
| SHA256 | 07da0249c4cc0621a12340766938ff273262891f99acfec9ee1289610466c567 |
| SHA512 | dcdd97fbc0e8a48752476536325dce3abc7f648ae87a9be2e142c5cf71f385d90ba5646220e4036b1757780ea004722a3dade8ab7bc95255a4c1b997ecafdca3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js
| MD5 | 03352a0334d0c92cd597d5416dd68302 |
| SHA1 | 6b14925b94edbab344fb4b5ceac08269e11ccfde |
| SHA256 | 7d1038b18b2997d8e59552afaa66df543e87599d035f3ed938a807baf7bd8230 |
| SHA512 | 03fe46b9feaefbc6c3c7eaa5c9aa97b5ec0550eb5a5c0c79f0cfaf801225ee9adb08d0360baaad8b37e7c83037b4cb0c9dfb7dd574426527edb3edcad737deb9 |
memory/1120-3351-0x0000000002660000-0x0000000002669000-memory.dmp
C:\Users\Admin\AppData\Local\lateral1.bmp
| MD5 | 09fbaede48cfedb759e640bed10d5dbf |
| SHA1 | e1c0a5a77042595beae53955cad72143aac61045 |
| SHA256 | e9be711645adceef7a7f55ad9b573cf67910c885ebf63024928656823079512b |
| SHA512 | aeb67c0ccfea4b5c09dcbb398be9e863c3c35eb3f9cb8c8eb666e8d69fd00ac6195024e443333ce5645a04b00c38c17182533d9f8ba7312ff446f1be5cba0d28 |
C:\Users\Admin\AppData\Local\Temp\nso4E31.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
C:\Users\Admin\AppData\Local\Temp\nso9AAB.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
memory/1424-3390-0x0000000004410000-0x0000000004422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso9AAB.tmp\ExtractDLLEx.dll
| MD5 | ba4063f437abb349aa9120e9c320c467 |
| SHA1 | b045d785f6041e25d6be031ae2af4d4504e87b12 |
| SHA256 | 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5 |
| SHA512 | 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b4344ad1f175612a3ff23a7906c16795 |
| SHA1 | 298bb0b1717ea3654febcdb20846998e55f18328 |
| SHA256 | c232fdbba0446bc6e0f9931adc8555164dfc03e55ceb0adc0323ad6d7e84e15f |
| SHA512 | 7d8ef9bfa01cfbd59cae6318d37880335bc0055756f8a50945d07affc30d5a36336c0dde89921118a020ba779a4f865cd44d7eaddafb522420b0c52b73018f7d |
C:\Users\Admin\AppData\Local\Temp\nso9AAB.tmp\NSISdl.dll
| MD5 | a5f8399a743ab7f9c88c645c35b1ebb5 |
| SHA1 | 168f3c158913b0367bf79fa413357fbe97018191 |
| SHA256 | dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9 |
| SHA512 | 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977 |
Analysis: behavioral5
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20241023-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 224
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 224
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
146s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4792 wrote to memory of 748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4792 wrote to memory of 748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4792 wrote to memory of 748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 748 -ip 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 620
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:30
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsv6DDE.tmp\nsisos.dll
C:\Users\Admin\AppData\Local\Temp\nsv6DDE.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsv6DDE.tmp\mt.dll
C:\Users\Admin\AppData\Local\Temp\nsv6DDE.tmp\Time.dll
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nw71jawh.Admin\user.js
C:\Users\Admin\AppData\Local\Temp\nsl6EDF.tmp
C:\Users\Admin\AppData\Local\Temp\nsl6E8E.tmp
C:\Users\Admin\AppData\Local\Temp\nsa6EEF.tmp
C:\Users\Admin\AppData\Local\Temp\nsv6E7D.tmp
C:\Users\Admin\AppData\Local\Temp\nsv6F1F.tmp
C:\Users\Admin\AppData\Local\Temp\nsq6F4F.tmp
C:\Users\Admin\AppData\Local\Temp\nsv6F6F.tmp
C:\Users\Admin\AppData\Local\Temp\nsb6F90.tmp
C:\Users\Admin\AppData\Local\Temp\nsw6FC0.tmp
C:\Users\Admin\AppData\Local\Temp\nsb6FE0.tmp
C:\Users\Admin\AppData\Local\Temp\nsr7041.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\user.js
C:\Users\Admin\AppData\Local\Temp\nsg7053.tmp
C:\Users\Admin\AppData\Local\Temp\nsr7040.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\user.js
C:\Users\Admin\AppData\Local\Temp\nsm70C7.tmp
C:\Users\Admin\AppData\Local\Temp\nsm70C8.tmp
Analysis: behavioral19
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 224
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20241010-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 224
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| File created | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
NSIS installer
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsApp.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\dfltLng\dfltLng | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsEng.dll\\2" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID\ = "funmoodsApp.appCore" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32 | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ProgID\ = "funmoods.funmoodsHlpr.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ThreadingModel = "apartment" | C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ = "IEvntCntr" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ = "IIEWndFct" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ = "escrtAx Object" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "Funmoods Toolbar" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CurVer\ = "funmoodsApp.appCore.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsEng.dll" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsnTs = "1.5.11.1616:27:14" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer\ = "funmoods.funmoodsHlpr.1" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" | C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fmcdn1.funmoods.com | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.165:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | r.funmoods.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsjE976.tmp\UserInfo.dll
\Users\Admin\AppData\Local\Temp\nsjE976.tmp\nsisos.dll
\Users\Admin\AppData\Local\Temp\nsjE976.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nsjE976.tmp\mt.dll
\Users\Admin\AppData\Local\Temp\nsjE976.tmp\Time.dll
\Users\Admin\AppData\Local\Temp\nsjE976.tmp\Processes.dll
memory/2804-79-0x0000000000550000-0x0000000000562000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsjE976.tmp\InetLoad.dll
\Users\Admin\AppData\Local\Temp\nsjE976.tmp\ExtractDLLEx.dll
C:\Users\Admin\AppData\Local\Temp\nsjE976.tmp\chrmPref.dll
\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.Admin\user.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nseEBCD.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.Admin\user.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\user.js
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsjED39.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\user.js
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe
memory/2804-1584-0x0000000003530000-0x0000000003542000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsjE976.tmp\NSISdl.dll
Analysis: behavioral9
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240903-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 236
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2025-01-15 16:27
Reported
2025-01-15 16:29
Platform
win7-20240729-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2112 wrote to memory of 1412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1