Malware Analysis Report

2025-08-05 23:32

Sample ID 250119-xc88qa1mfr
Target JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b
SHA256 117579afcfe94e144396b9f62b4e7abb3b9120ee4380cd1a1d065a30aba7f44e
Tags
discovery adware spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK
  Enterprise Matrix V15

Analysis: static1
  Detonation Overview
  Signatures

Analysis: behavioral11, behavioral14, behavioral19, behavioral22, behavioral30, behavioral3, behavioral32, behavioral23, behavioral25, behavioral10, behavioral26, behavioral28, behavioral7, behavioral8, behavioral9, behavioral16, behavioral6, behavioral17, behavioral20, behavioral29, behavioral1, behavioral4, behavioral12, behavioral21, behavioral24, behavioral27, behavioral2, behavioral5, behavioral13, behavioral15, behavioral18, behavioral31
  (each behavioral analysis has the subsections Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

117579afcfe94e144396b9f62b4e7abb3b9120ee4380cd1a1d065a30aba7f44e

Threat Level: Shows suspicious behavior

The file JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b was found to show suspicious behavior.

Malicious Activity Summary

discovery adware spyware stealer upx

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Installs/modifies Browser Helper Object

Checks installed software on the system

UPX packed file

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 18:43

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 1328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1748 wrote to memory of 1328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1748 wrote to memory of 1328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1328 -ip 1328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 162.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 224

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 1388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2624 wrote to memory of 1388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2624 wrote to memory of 1388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1388 -ip 1388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 29.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 245.131.30.184.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 160.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4208 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4208 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4208 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5052 -ip 5052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 245.131.30.184.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID\ = "esrv.funmoodsESrvc.1" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ = "IXmlCnfg" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ = "escrtAx Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ProgID\ = "funmoods.dskBnd.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ = "appCore Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS\ = "0" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsni = "1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\Programmable C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ = "IxpEmphszr" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ThreadingModel = "apartment" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 1804 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2036 wrote to memory of 2056 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 1804 wrote to memory of 3012 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.165:80 reports.montiera.com tcp
US 8.8.8.8:53 r.funmoods.com udp

Files

\Users\Admin\AppData\Local\Temp\nsj649E.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nsj649E.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsj649E.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

\Users\Admin\AppData\Local\Temp\nsj649E.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

\Users\Admin\AppData\Local\Temp\nsj649E.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

\Users\Admin\AppData\Local\Temp\nsj649E.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/2036-79-0x00000000003E0000-0x00000000003F2000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj649E.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

\Users\Admin\AppData\Local\Temp\nsj649E.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

\Users\Admin\AppData\Local\Temp\nsj649E.tmp\chrmPref.dll

MD5 6845d147b88de1f005d9c6ebb6596574
SHA1 64523302e2b1e2ee7a31580d2acac852db3c7e45
SHA256 c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e
SHA512 cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606

\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

MD5 ddcada8c66d56df6e4ef2bbedf2bb865
SHA1 059a7f8bb8ed2e99d5153d26ecf986e91c24df19
SHA256 abcde03656f4c6f51d4d4c788ece555581b8c7b52bfe1c18ef70678cb3a2e872
SHA512 63a3ca5d733cef71cc4ff61d6b5b3dd74613d57bac2b5d41efffbbf64ab6031bde66c0cd7058bf50c047e64e4ee0ef87dff3c7864a18c118521f5711ab69cc91

\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

MD5 fe768a6b82ed2a59c58254eae67b8cf9
SHA1 3dad9bf5011fb73b9be2fe6c601bb6281a3ceaf6
SHA256 3ac3c700060a0487060724f3fd22faf70d5f633e69401641964d7ba4d6e6e570
SHA512 3d8caadc61ea127bd0e3d01f35274a2ebfa34a0ac12b0932988300d011347f74a09c2bf3c85e58bfbe5200288c6e6f100b4f08916d23e56d7b52a70130aad14b

\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll

MD5 7f8be790b6614f46adeafd59761abbeb
SHA1 a1be7d513d40b1a0af1aa1fd73c2c2b6173ac700
SHA256 b1fa4dacf9656e31588eebeca1f831c72a33d9affca07ede0d5f5d113ec14aaf
SHA512 4d17c74368543092a8e7604208689bc6a5fc5bcc46c60cfb9255622d031a4265adaa13d7c0b5f410ababed802f29cb89c2dd7d7b1adc1af33fbb5f55e4a8a5ca

\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

MD5 ffba0384096f7a6c2189009b3c54c8db
SHA1 e1e883b9345bd74b0c7e158751c60b0ee2139677
SHA256 93587b81f4e717b25a6e5fd2fb7158d7fb825f79af1c02ed0a61d5de15b6327b
SHA512 7ea59cd57a0b6ecb1258af1d271dcb68236d0b95fca0d5905d177dd8df980771b0a182a459a6a6f01cb4789433d193306324fa178b88b6ec3677aa5c589571dc

\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll

MD5 d5a9ec59fbf50e576b1d3b60ccfb7117
SHA1 cc22b0aa6f4b5367865b75f3c0afa788c7f97d8e
SHA256 ba6870cd06e5700f918c30ee92391d8a77c99b3fda06372c42b35983ee88253c
SHA512 60b4965d7f4ff6df4aedda7ec87a074e1d2c13860a3dea325eb551191e643ea9cbed4efe13c3ea2358a3b896c010b773c1c76ac52be81c0a171796fe988be086

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

MD5 0bca66f2603c680153724cdd0dc6a258
SHA1 ca29fe07ef83a0bc02a02d5837c5518e161b4f3d
SHA256 fd64a0a2b9cd05cbae9df7742027664f94707f9257952b3b912d3c36b8c290aa
SHA512 3499f94bb0628cda3288f6ec83f246814c41a8f50ef67a6fa35fe794eddf13ddfa93fb00358df0ee6ead0d1cbd4b6ad5e00c380ef818160dd01dfbb6bb186de0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

MD5 877eff4bab965c393f68e4de0573c20f
SHA1 9d5e1ffae96b999fd528a12e92ec8f71950636c2
SHA256 9e8c1b914d96c2acc41844ff944bb86790e176f3f9124d07c4ddfdb71ecc2630
SHA512 9487774e0921c87cdc4470a5c6fd0e9c672d6ebad248224db300851873c46eab48a46ed26e7cd125032754aea786f91e569f4c7ac4c927d55d098d1aae9d6061

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

MD5 1dfac73b8db244e3d1bca1905b075ddb
SHA1 18b3ae1d33827909e75d78bf774b9863e9dc3bf9
SHA256 85dc5cdca06c1ca8fc9731b431d0b9c92f39d7e8b9b2916f9defc6889148c078
SHA512 f0cb9a6a7a246387928c773296a0632c142c27536b9e39e9d77418c24d65dc6a84d67e98a4a6a70388fbe13bb348d9355b8805ccc3d9e908217ced09d46db5ab

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe

MD5 673e6109fbc2405238429562ae058f37
SHA1 293a96724fc0e772706f108895db321b58051524
SHA256 4dae85611b9fd18f44c36f330762ca7dae3842604999d6a5edd3d416b4ab0841
SHA512 0d1db02c84d2a7502af966886889a63467fdc310c25076cd1629064f9dc5bda63248ea2cb34757f9e93e341cd89833979c8bdfffab2d09c722c3a20cd244f4c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

MD5 9f1f140967562984c8218b56733e6826
SHA1 55c298138889dece1d5231d61438aafab17c5752
SHA256 bd637c2cbb6fb5221a446cee65053a9723dd2e3481c8c2af3119be14f3dca5ed
SHA512 3861e7621a5f301d6fa8cd3238af937282d1d6d763be5d469727812a68c57f39cc22b4c28f2482347db2140e3873bff20fe000e8ddcff604fbdea2f77871083e

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd6748.tmp

MD5 3e185672f6b9553f32628f2edc60a416
SHA1 268bfaaaa64df5a4991d424aad24a18e69a15bf0
SHA256 ff121deda875a14d5aa4d64ae5a94ba8b5b1d6ee3e4535c2dfd7d86fb0db9e98
SHA512 48507679cd0c9bd47ac48573ec683e4e648bc32d685ae0dbeb51e4ba53ead5d2d9ba53711cbf4d1b1aeae647335bd0c9d0ff01e0155cc6be8295618a588e565d

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst6759.tmp

MD5 fc694f25081998be0c61dbd0a006760e
SHA1 37438c13fc6977785d478729dc854ab5941dccc0
SHA256 a8eb2397e4cff7497bc4b530a56ae6738edd4964ae4267c48bd1c74850bd1ce3
SHA512 c988560e19f617d1d56017f161a0969ce85b6e33f9fe57f2c8d9645b5ec9c49492b60fa0479b0e5382dc3db07ef86ca7be12f76f885455768df4e34eb6b6ad25

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsj676A.tmp

MD5 ddea18dcee5916785f819539a0450bf2
SHA1 f047fd1692d084348d8a464e15e28c08bc434d60
SHA256 7cc722b22d7b562b4b589bac3c7edb2a77f5a9d144e128cc7d52ddc2a732e082
SHA512 737919a160f752335f297263487903421c39cd635fe31de67a335e192e930d838483841cfadc600ad9d454b709a97985a9624f846263abaf15f4740f25e015ed

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst67AA.tmp

MD5 c357f207642f912eb2137382f6a5c4d9
SHA1 d9e690088578041107d1c945639d1d907085c1f6
SHA256 70a1f136522b2aa72ba60732e51c4211a5eacc626e0d8bfe4052559d4e79431c
SHA512 9720b28f09fef6b0b4c3d9061889c3c1721bd51d3216c3ae05198ee69b8e40a67205474532fa53af457e4da75dc45d7089b3ff5f1ffc99fa13affb9cc24dc81c

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst67AB.tmp

MD5 056233599aff6b62930f4a8ef642ed4c
SHA1 e0ba83036f599b989043324a669b17bf67500488
SHA256 d991cfa854723a3d35554624df103fd690ab345973a927519ef8b2619654a246
SHA512 a5a2ac2bf5982a22f75c6b3399cce6535bf77439eb4b467de166c96ecdd1654c366e90b69294e7113d19cdf9c35d64c653528ba0f1270502172d908a97e3d09d

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsj67BD.tmp

MD5 9e38ebc47fc7a6fc538f320cc86db677
SHA1 6f987af3fcf33993cfb78ff69a274f4dd8b6777e
SHA256 519befa8e828ded7828c125fcc87b0b2043bce12ba8c9fc53524c453c672b6de
SHA512 abc7a759434f9f5ad7d2d3e5d2a917cd55c84532a3d31d0c0089584bf7f30eade27f5becb977cb5b0725028a40313722dec660e7529ca5551cbefc7f67fcb1c3

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst67AC.tmp

MD5 97b6abf77d2f1ecb81d8a76db8e6fa9d
SHA1 ea800669d2b65dc79cecc45cc033a8416d4afa4b
SHA256 187b4bfbbff4e2e6c074549679426fc498ae733905ace0c4ae94fc51eeed25b8
SHA512 80882a08d41bb7a0143f494bb9e562f47935744ef2637577240e2e57fdd2ac9d82aa1dcd24306b2a43ffa2c76d461e6c1a6d01a70a9574207ee83f6977d1a14b

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsj67BE.tmp

MD5 7a27f62f6bbacf599738f532ba00edbc
SHA1 a2c64964fdc0c36586f9f30bd0eb443e7d9d13fa
SHA256 c357c19e9bfcc893cedccc212e3ee57a6208142eb32c24e228bab2b1e6a92645
SHA512 64e1f99234537aa4c89617adc41365c840154232ca52dc789657bd79f60a0c0bc28679b2c92fca537690bbd564aa189ee4e6d19dbf5b1429dc3f5e64bc80d6bb

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsj67BF.tmp

MD5 f6f3b314a81fe9ccc8d5a79f717b420b
SHA1 f49b986a521febe430cb451c8e0c828f15c13c9d
SHA256 5b75ea01b411651a11b39272cbad7f727f7a842313357b7a98937ab5b9d0ce91
SHA512 eba533ca4685733bdaa74a22614444a683f2e9658aed7428758de8512610dd95bf2a9e63b3b7f349b070c5ec9c306cc025881085da38b8b882494809ffe29be8

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsy67CF.tmp

MD5 ce20d062b1e0e25730bc2edd421fcb6b
SHA1 8cf0ecff7857297ed5546cefdd1215a83dee7b52
SHA256 7a5598d1a8a7bfe47225cfb4f89190f8763cdd6d8fd8b0ec39ea05fcee9d2334
SHA512 e0c0481e63e1fee938ef6b66b08ade51befdd46b17d2a4f41101c0833c7d177af77af474c2929810c8af49d56db2c12990e81c3e7d571a0b551c91fd054df1af

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsy67D0.tmp

MD5 4f0075bf40dd1d6fcb9d22634b7f6ac1
SHA1 ddf7389365de108e55f3a711e123d218cfb60ec9
SHA256 832dba55d5b5afa934b677a8b998c2e385267253d5cec643487986866567f370
SHA512 7a46a9763ba4c2df4716418a59a67defcc052be3f7007407e671b75048425cb41166517edc7098dc2741144708135c9cff8b57b8c07fb140f01f01fc91ea8668

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nso67E1.tmp

MD5 a4355b5c95ad83beb493c39a2a10db76
SHA1 e3b2e6ba59a0be7eea516fb81fe136e2179e4224
SHA256 76eda8cd6387a9be0933002736368ed0af0e1cb9a8410314121e69f39003f596
SHA512 142f973ab35789a954976c025c5807cd0ee3e346bf7aab1ed5e85fb9f5f9496e4e6cd175a484a1f10a56f1b263068659bb7c44d551fc6c70463335ae89fad6b0

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nso67E2.tmp

MD5 02ef1d6825d5cf1c657b2983f375d36f
SHA1 53969cb23e950d1dbaec5d82145a4b3ce5988c46
SHA256 d1c8ec183baffd8dc80e0f1392698bdd91e6bb079be48fa2ca7ece90e0290626
SHA512 fd8361b46876200ef0fbcb306b0001a606cfd1c454809c8c8d380773aad071fb1b6ded78e14de5ef61ea4c35b06d20e0de77dadc07ad7b3a22795b3d29b9d54c

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd67F2.tmp

MD5 b2ef823200e219430f675f8111d60e33
SHA1 a18fc58e0c79bafcb73d82dee9f68700f6d286c4
SHA256 3e18a760339181ba0a4d3fd964f1accf4425b1fef0cbe2eda599e93ae43754d2
SHA512 e29b7a8e3d20328925761fab00609e06eb97d8d33564f3d5ec3d69a4100581369083c80f07da481082ebe40000ce50921c521f9e5b4f7e660b5d5ef5693e2a44

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd67F3.tmp

MD5 5234123026f317b431f0dfca9730fa87
SHA1 3b18a2cd5dc32e373d6e4671afa6257e403463e8
SHA256 b8c6700324a62dcd3a102762c859b2f33234d93462ad947bf107f4e99976bc46
SHA512 32541dedd4eb1ea4d841fe86fddb5c3dfd62f17cd44e926ba026f93f441303a085fe06fd08277773965cba44ae9dbe84aa6ab22e820b89f5c394336e82a3c65c

memory/2036-1584-0x0000000002CF0000-0x0000000002D02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsj649E.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
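The Files list above is flat: a path, then up to four hash lines, with memory dumps listed as bare paths and the Firefox user.js path appearing four times with four different hashes because the installer rewrote it. What follows is an added example (editor's code, not part of the report or of any sandbox tooling) that parses that layout, checks each digest has the right length for its algorithm (a cheap guard against copy errors before hashes go into a blocklist), and separates the entries a responder cares about: files written outside the installer's temp directory (Program Files, the Firefox profile), paths written more than once, and the standard NSIS plugin DLLs the installer unpacks into its ns*.tmp directory. The set of plugin names is the editor's assumption; the embedded sample is an excerpt of this run's Files section with the SHA1 and SHA512 lines left out.

```python
import re
from collections import Counter

# Excerpt of the behavioral11 "Files" section, copied from the report with the
# SHA1 and SHA512 lines left out for brevity (the parser accepts them too).
FILES_TEXT = r"""
\Users\Admin\AppData\Local\Temp\nsj649E.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

\Users\Admin\AppData\Local\Temp\nsj649E.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

memory/2036-79-0x00000000003E0000-0x00000000003F2000-memory.dmp

\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

MD5 ffba0384096f7a6c2189009b3c54c8db
SHA256 93587b81f4e717b25a6e5fd2fb7158d7fb825f79af1c02ed0a61d5de15b6327b

\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll

MD5 d5a9ec59fbf50e576b1d3b60ccfb7117
SHA256 ba6870cd06e5700f918c30ee92391d8a77c99b3fda06372c42b35983ee88253c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

MD5 0bca66f2603c680153724cdd0dc6a258
SHA256 fd64a0a2b9cd05cbae9df7742027664f94707f9257952b3b912d3c36b8c290aa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

MD5 877eff4bab965c393f68e4de0573c20f
SHA256 9e8c1b914d96c2acc41844ff944bb86790e176f3f9124d07c4ddfdb71ecc2630
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")

# Assumption (editor's list): plugin DLLs shipped with NSIS or its common plugin
# packs. Seeing them in an ns*.tmp directory is installer scaffolding, not payload.
NSIS_PLUGINS = frozenset({"system.dll", "nsisos.dll", "nsisdl.dll", "inetload.dll",
                          "userinfo.dll", "time.dll", "processes.dll", "extractdllex.dll"})


def parse_files(text):
    """Turn the flat path/hash layout into [{"path": ..., "hashes": {...}}]."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if cur is None:
                raise ValueError(f"hash line before any path: {line}")
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {cur['path']}: {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            cur["hashes"][algo] = digest.lower()
        else:
            cur = {"path": line, "hashes": {}}   # memory dumps stay hash-less
            entries.append(cur)
    return entries


def is_persistent(path):
    """Written somewhere that outlives the installer: Program Files or a roaming profile."""
    p = path.lower()
    return "\\program files" in p or "\\appdata\\roaming\\" in p


def triage(entries):
    hashed = [e for e in entries if e["hashes"]]
    by_path = Counter(e["path"] for e in hashed)
    return {
        "memory_dumps": [e["path"] for e in entries if e["path"].startswith("memory/")],
        "persistent": sorted({e["path"] for e in hashed if is_persistent(e["path"])}),
        "rewritten": {p: n for p, n in by_path.items() if n > 1},
        "nsis_plugins": sorted({e["path"] for e in hashed
                                if e["path"].rsplit("\\", 1)[-1].lower() in NSIS_PLUGINS}),
        "sha256_set": sorted({e["hashes"]["SHA256"] for e in hashed if "SHA256" in e["hashes"]}),
    }


def hashset_csv(entries):
    """One 'sha256,path' line per distinct digest, for a blocklist or a hunt query."""
    seen, lines = set(), []
    for e in entries:
        d = e["hashes"].get("SHA256")
        if d and d not in seen:
            seen.add(d)
            lines.append(f"{d},{e['path']}")
    return lines


if __name__ == "__main__":
    ents = parse_files(FILES_TEXT)
    for k, v in triage(ents).items():
        print(k, v)
    print("\n".join(hashset_csv(ents)))
```

Running it on the excerpt reports one memory dump, three persistent paths (the two Program Files binaries and user.js), user.js as rewritten twice, two NSIS plugin DLLs, and six distinct SHA256 values; the plugin DLLs are worth keeping out of the blocklist because the same digests appear in every NSIS installer that bundles them.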

Analysis: behavioral32

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:48

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 2696 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2696 -ip 2696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 612
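The four Processes entries above, together with the WriteProcessMemory rows, describe one chain: the 64-bit C:\Windows\system32\rundll32.exe (pid 3172) launches the 32-bit SysWOW64 copy (pid 2696) to host a 32-bit DLL, that process crashes, and WerFault reports it. The command line points into $PLUGINSDIR, the directory an NSIS installer unpacks its plugin DLLs into, so this run (like behavioral23, behavioral25, behavioral10 and behavioral26) is the sandbox launching one dropped NSIS plugin DLL on its own through rundll32 ordinal #1, outside the installer that normally calls it. A crash under those conditions is unsurprising and says nothing about the sample's intended behaviour. The script below is an added example (editor's code, not part of the report or of any sandbox tooling) that rebuilds the process tree from WriteProcessMemory rows, classifies each command line, and marks which pid WerFault reported. The sample rows are copied from this run's tables; the classification labels are the editor's own vocabulary, and the same functions apply unchanged to the behavioral11 tree (funmoods.exe spawning FM4ie.exe and FM4ffx.exe, then funmoodssrv.exe /RegServer).

```python
import re
from collections import Counter, defaultdict

# Rows copied from the report (behavioral32): WriteProcessMemory table and
# the Processes command lines, one per line, in the order they appear.
WPM_ROWS = r"""
PID 3172 wrote to memory of 2696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3172 wrote to memory of 2696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3172 wrote to memory of 2696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
"""
CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2696 -ip 2696",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 612",
]

# "PID <parent> wrote to memory of <child> <indicator> <parent image> <child image>";
# both images start with a drive letter, which is what separates them.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) ([A-Za-z]:\\.+?) ([A-Za-z]:\\.+)$")
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p (\d+)", re.IGNORECASE)
RUNDLL_RE = re.compile(r"^rundll32\.exe (.+\\([^\\]+\.dll)),#(\d+)$", re.IGNORECASE)


def parse_wpm(text):
    """Return (edge counts {(parent, child): n}, {pid: image path})."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, _indicator, pimg, cimg = m.groups()
        edges[(int(ppid), int(cpid))] += 1
        names[int(ppid)] = pimg
        names[int(cpid)] = cimg
    return edges, names


def classify_cmdline(cmd):
    """Label a command line; the labels are this example's own vocabulary."""
    cmd = cmd.strip()
    m = WERFAULT_RE.search(cmd)
    if m:
        return {"kind": "werfault", "crashed_pid": int(m.group(1))}
    m = RUNDLL_RE.match(cmd)
    if m:
        path, dll, ordinal = m.groups()
        # $PLUGINSDIR is where an NSIS installer unpacks its plugin DLLs; the
        # sandbox re-running one through an ordinal is a low-signal detonation.
        kind = "nsis-plugin-rerun" if "$PLUGINSDIR" in path.upper() else "rundll32-ordinal"
        return {"kind": kind, "dll": dll, "ordinal": int(ordinal)}
    if re.search(r"/RegServer\b", cmd, re.IGNORECASE):
        return {"kind": "com-regserver"}   # COM server self-registration
    return {"kind": "exe"}


def crashed_pids(cmdlines):
    return {c["crashed_pid"] for c in map(classify_cmdline, cmdlines) if c["kind"] == "werfault"}


def render_tree(edges, names, crashed=frozenset()):
    """Indent children under parents, annotating write counts and crashes."""
    children = defaultdict(list)
    for (p, c), n in edges.items():
        children[p].append((c, n))
    is_child = {c for _, c in edges}
    roots = sorted({p for p, _ in edges} - is_child)
    out = []

    def walk(pid, depth, writes):
        line = "  " * depth + f"{names[pid]} (pid {pid})"
        if writes:
            line += f" [{writes} WriteProcessMemory events from parent]"
        if pid in crashed:
            line += " [crashed: WerFault -p %d]" % pid
        out.append(line)
        for child, n in sorted(children.get(pid, [])):
            walk(child, depth + 1, n)

    for r in roots:
        walk(r, 0, 0)
    return out


if __name__ == "__main__":
    e, n = parse_wpm(WPM_ROWS)
    for c in CMDLINES:
        print(classify_cmdline(c), "<-", c)
    print("\n".join(render_tree(e, n, crashed_pids(CMDLINES))))
```

The tree for this run is two lines: the system32 rundll32 as root and the SysWOW64 child marked with three write events and the WerFault crash; a run whose tree shows the sample's own dropped executables and a /RegServer self-registration, as behavioral11 does, is the one worth reading closely.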

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 160.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
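Two kinds of rows are mixed in Network tables like the one above. Rows whose name ends in in-addr.arpa are reverse (PTR) lookups, with the address octets written back to front; in the editor's reading these come from the Windows image in the sandbox rather than from the rundll32 run, whereas behavioral11's rows (fmcdn1.funmoods.com, reports.montiera.com, r.funmoods.com, and the TCP connection to 69.16.230.165:80) are the ones attributable to the sample. The 8.8.8.8:53 destination on DNS rows is the sandbox resolver, not an indicator. The script below is an added example (editor's code, not part of the report or of any sandbox tooling) that parses such rows, turns PTR names back into the address that was looked up, and keeps only the indicators worth exporting; the sample rows are copied from behavioral11 and from this run.

```python
import re

# Rows copied from the report's Network tables: behavioral11 (the installer
# run) followed by three rows from behavioral32 (a rundll32 plugin re-run).
NET_ROWS = """\
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.165:80 reports.montiera.com tcp
US 8.8.8.8:53 r.funmoods.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")
SANDBOX_RESOLVER = "8.8.8.8"   # the DNS server the sandbox image is configured with


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(rows):
    """Split rows into reverse lookups, forward DNS queries and real connections."""
    out = {"ptr_lookups": [], "dns_queries": [], "connections": []}
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip is not None:
            out["ptr_lookups"].append(ip)
        elif r["port"] == 53 and r["proto"] == "udp":
            out["dns_queries"].append(r["domain"])  # r["ip"] is only the resolver here
        else:
            out["connections"].append((r["ip"], r["port"], r["domain"], r["proto"]))
    return out


def indicators(rows):
    """Domains the sample asked for and endpoints it actually connected to."""
    c = classify(rows)
    domains = set(c["dns_queries"]) | {d for _, _, d, _ in c["connections"]}
    endpoints = {f"{ip}:{port}" for ip, port, _, _ in c["connections"] if ip != SANDBOX_RESOLVER}
    return {"domains": sorted(domains), "endpoints": sorted(endpoints),
            "ptr_targets": sorted(set(c["ptr_lookups"]))}


if __name__ == "__main__":
    for k, v in indicators(parse_rows(NET_ROWS)).items():
        print(k, v)
```

The ptr_targets list is kept separately so the addresses behind the reverse lookups can be checked against known sandbox or OS telemetry ranges before anyone treats them as infrastructure of the sample.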

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 2080 (7 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5040 wrote to memory of 484 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 484 -ip 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 3736 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 81.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 245.131.30.184.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 160.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A (64 identical rows; the sandbox did not record which module was loaded)

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 162.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsfBA48.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nsfBA48.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsfBA48.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

C:\Users\Admin\AppData\Local\Temp\nsfBA48.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nsgBAEA.tmp

MD5 11ac5af2392becff7b55231636738d41
SHA1 feea079ef606ca88246294ce90131ca33261f7aa
SHA256 af7c8be029e207c465b60d1e36fd5ea02cdd6b02d4dc7007ce0362613f956fb4
SHA512 f07af33d0f202d155079c59789559f379aa1af90dcec4dd8a2d14b84a5ecf9acd620ac4983560f32dba63114b5588508697297b54a0759783ea06f945a14ce0e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 ec12441ba0aacf41fade18b2db8d104a
SHA1 f3fae88fbf731f7512b2002bb93e7a522e087932
SHA256 f8602642b5b66b24a76c9dc44142b844c0b6b0ded13532a951fe47e4755b0ee6
SHA512 28737503c7dd598e5b362029a54add41c66cd1c64b05f3a896709e2b5703c2d496e965f8ade9d4fbacf258e0eb0f34f610d9271d2c8654394871d56681993591

C:\Users\Admin\AppData\Local\Temp\nsvBAFA.tmp

MD5 29666a5784635e45f867cd7893744dc9
SHA1 e077f2794f5014af3f583627ae6af012372e0954
SHA256 f55abead3966c8be72cf080c99b789cc1f0e3dc6e3cb90bde66862b0798de7f4
SHA512 5d47f70867179cccec9386262dfac245fe3dbc2f15efd6b1dff5b9732127118b0d5d3f8da928128398f192acaea7902820fbfa282dfda2db7795d9539d2298dc

C:\Users\Admin\AppData\Local\Temp\nsqBAD9.tmp

MD5 babdc2d45dfbfaf95a4dca12c4eeb499
SHA1 147ca5e52818166dff58213bb1e006be117a022e
SHA256 dffd0d7dab70b41f4cd839dd4fd426672378f234abf1c7663d6316df7daf749e
SHA512 95d742b6ff658244a5a09ae9c11712e254f9664557ff8b5653cd1db88ccd8e34c21d2243846a6533fa58002e45dbc9f755e222bcdb71b3ab147abce3c58061a3

C:\Users\Admin\AppData\Local\Temp\nsaBAC8.tmp

MD5 2aafcc9f2af5e093e8e63b61ab72b2a8
SHA1 feea750dd09498c95b5b73ac15d599a0bdea5c6c
SHA256 21e219ddee3b9fc7a32fb441d41edce22a5dcd67832865c087228265e93962c5
SHA512 8a2493572a3d3b651f943efe0b51bc0bdfcc163ae52d3cb9ba7e8729bf34574c306a0a1ac559f7496ffe83cc46f0fca29360c94ebb2a76f67c08f562863c2ed6

C:\Users\Admin\AppData\Local\Temp\nsvBB4B.tmp

MD5 8abfd3ecbfe388766cfa9a05f59ddf16
SHA1 33e9e7ae8c0530a4c33fbb1395124e038360d2ef
SHA256 240803f9148a8a7106379ae0106465e1436da315e8cbbb3b680ca6cca0f7e69a
SHA512 bab9f5f3f366d42c89581e989d4d366e739c3d18035248ef5139a6d3a7e41b4fefbae3f4068f121894460777745cf700d810c83c557d8845648da432d4486b0c

C:\Users\Admin\AppData\Local\Temp\nslBB5C.tmp

MD5 35a712d9c54071b726f175a2fd3e59b6
SHA1 b64f78ea35a7112669d282681240aa90dc8ee4da
SHA256 abb1152d119daca6d9d36170d30a16d8b7d68bb2c1753d088cc0ed0414c7bd53
SHA512 ccc834c3f96c389e2ff8e14c29d898134c2a738bb9c8f289de64c2652da6fe527e884d8be2c0cf30570c8725c584e855a0e81044c564bb479961121639c62076

C:\Users\Admin\AppData\Local\Temp\nsgBB8C.tmp

MD5 438093665db213dcee85e208cc3d38ce
SHA1 24ebd4827c268632582bd631aa9547b57bf8cef3
SHA256 eb087d71423ae58226529655d58bd8d15d8bff3ae2861d718183cd6882bf6bf9
SHA512 424eceef8edd7e580c3a7424ebd2bb5b377fcc3a556e99b67af500839674f4c5807421c3431046d1dd71089d8f09ba6377de315bb9f1754b63e05d5c06d22b1b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 138470fcada0e4e43d603c39355df265
SHA1 27dca800817a097cfec45a3587a1c072c5ce8676
SHA256 72d00357e5ad20b68d3063c52f6fe0b1320f2ca2e6bc95b0fb04791887ea9302
SHA512 c519837b41237dcbb846a0c4e6aec1ac5464c831f03d70840fc6643fa6fc13f96b60b6c00f07a4447675b5b8b81f323dcbc71a3eeb71f4cd44ede9a030622fa6

C:\Users\Admin\AppData\Local\Temp\nsqBBCC.tmp

MD5 967a92d9baacda49b77703f4cf7d66e7
SHA1 cb7fea99189cc2397b3b324a71cd15cf061cb0cd
SHA256 2fec90c910bc196f02d0f2e86b7432d07a80a4b70d88c655bf0624648b788ada
SHA512 c746bce5669cf182354d00618a122f07970ef4d2059019dc47a2769c6fbbf8483608b0c0e5dcbbb814cf9d6f8936e735b6fc3a177c6d4d75ac3011e4c18964e2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js

MD5 ce0220ef06d5a62881bf4fef8bb3df4b
SHA1 0352ccfdcbae80a245f0432c5301bd8961033fab
SHA256 5794978bf16b8a46d15cbbd5f9162004372a33d8294a34fa1c8d97d01ef24a88
SHA512 ed991799030d385ad2a41faf123842ea7fee9d5a4e7f56a1848af2da1ee49192d97e5782c362619ac8bd63d57e462c543bde7f8ed4c7b07bbdfd302fbfbd7b5b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js

MD5 ae05d7cb42ea43c24c4e2a24be013c63
SHA1 3b85d6687be240a15b782089d8f700f7a292f84c
SHA256 d72ab773c5d548009d7772c4fcae0ea55eacddd855d53388a3e8c139573ee31d
SHA512 590f46525196c15538a779a75ad8c3a87a8588f708c35d28fcd6062a473f7a1ecdc5e13ad15cf3f31c5d66e1cfb62103f09ac78532e5b6e9c9b0bc16684e2f33

C:\Users\Admin\AppData\Local\Temp\nswBC8E.tmp

MD5 358ff4facaa2866ffcb21618d05119aa
SHA1 907ba690cd5af3dec5cd15b09b19e250988710d9
SHA256 bbd19ef17161f858923693577894c243dd5e0cd665cdc4cb7bc3976d9760bd6f
SHA512 b2003a0b3210814514d1cc8fd06b718088189d22f8fda998d512b19a4c0888f065f1498d12dadb328828644e8736d0c5db925f3a9dacc62c97bf2d90ca3e32d3

C:\Users\Admin\AppData\Local\Temp\nsbBCB1.tmp

MD5 bd06869820a524f379e6d9855f794dae
SHA1 6d6e40a2ac9a22a45b8fbebae5f39071f150de38
SHA256 4669b7e9892078534e01779de41c18b56ca1f18b5dbf106680a0316c8b192701
SHA512 632a62b82d45515827a101b997fe95d55d40e3a291b5c6b667a5d2618aaff7efe4cf536cb8f4bb626fc2d9bde7c35005369df5ac6f49e4cd722f0a9181b81da2

C:\Users\Admin\AppData\Local\Temp\nsrBCC2.tmp

MD5 a96c61425d7d5fbd82caedfc27250c29
SHA1 d34bf018cc12641db81acec106a0c4ca6f332312
SHA256 e0f834c6ed550dbc84785b4b25f7c679b69ba9b9342572c08e466c343e770986
SHA512 3dd63f9ee678b783cb04d00423ca89b73fca1c28ea00e2b804b400b910519c2ddb203aa187ab58802e2f44ffbf3497a2fff3b783526a46941aba18e8f284f3ce

C:\Users\Admin\AppData\Local\Temp\nsgBCD2.tmp

MD5 3d407f3b68e8e1074b76651f9a78e2b1
SHA1 3c33761c34abfc73d7ac6c8c68b8b8680f5d84b7
SHA256 3ec1b1413d1290f4c6dff27065c7a74c87c124baafb5428e481c89a62db17c70
SHA512 fb53b9352a7f2da8124d349d6b0cdea2cd64667da67d3d8369e17a82ad91e5ee568c5606830dbcbe525957e9771a7a7d0066c92553481a9e4ee2f7cccca982eb

C:\Users\Admin\AppData\Local\Temp\nswBCE3.tmp

MD5 8d00db69a56bb6d389774748af519b1d
SHA1 6ae3ceadbbed69e3ef7ad0621c96e567dcbc06fc
SHA256 69ac561de54685b04135c6ed620a6cf5ff7995f366b0f87b4715b072108362cf
SHA512 0bdeff65e2c1d74af957d995066669837d73e67a69b6e8dd3bdc35461b7afc42a527e36c8742e4e58c3e760b45a42709a575d3d4b3c575a0c8c320435f7740b1

C:\Users\Admin\AppData\Local\Temp\nswBCE4.tmp

MD5 2ccc411bb7945b349f1c6a05c4f2859b
SHA1 ccac166c52df09359c3b63771c14f3b364eff7b1
SHA256 fd05925766783119cee0d0809ab5bf0192b92efe6f1c7ce2ea4dd7ebdaca23db
SHA512 f710a19603aab63f8d66516ca3ec9be4b16a2054ea6d1f9a9231b456640c0a2fd552281283635c084e2818b0d77d425008d4192c2f6732c6a941e892e14e29d5

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20241023-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4100 wrote to memory of 2480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 29.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 162.50.123.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20241010-en

Max time kernel

13s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 240

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 3372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3372 -ip 3372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 29.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
GB 104.78.173.167:80 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 760 -ip 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 224

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 2804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2804 -ip 2804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 245.131.30.184.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 224

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{645EE289-D33B-4707-8417-3A26E52B2D50} C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 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 C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b698fd6e3d866c47a5468190a8fdb68500000000020000000000106600000001000020000000b940d0c9631fa68aa23900ff1579d18c557d4695ac29fb77913cd47d184f0de3000000000e800000000200002000000061be25b65e5b622d50ecbe498a96c90689a0ac54a69d0cba1bdd8c5b3bba91a9100000009cd048845eb3cbb36d3df6e1b77c765540000000f21895e6071d74c3bb5f80176dd3699f7762d90532c4cdef3a28d95d36139fcc2e4e7ed9b03ea5253e001dd3d82b6490452b8ca1b0358d071a82782dccacb950 C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutUrls C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{645EE289-D33B-4707-8417-3A26E52B2D50}\DisplayName = "Search" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{645EE289-D33B-4707-8417-3A26E52B2D50}\FaviconURL = "http://start.funmoods.com/favicon.ico" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{645EE289-D33B-4707-8417-3A26E52B2D50}" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{645EE289-D33B-4707-8417-3A26E52B2D50}\URL = "http://start.funmoods.com/results.php?f=4&a=down&q={searchTerms}" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{645EE289-D33B-4707-8417-3A26E52B2D50}\Codepage = "65001" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{645EE289-D33B-4707-8417-3A26E52B2D50}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/FNMD/FM/1.5.11.16/funmoods.xml" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://start.funmoods.com/?f=2&a=down" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://start.funmoods.com/?f=1&a=down" C:\Users\Admin\AppData\Local\funmoods.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrId = "base" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\VersionIndependentProgID\ = "funmoods.dskBnd" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CurVer\ = "esrv.funmoodsESrvc.1" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f\ = "escrtAx Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ = "escorTlbr" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsnTs = "1.5.11.1618:44:07" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ = "IRegmapDisp" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlDay = "20107" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\Programmable C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CurVer C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID\ = "esrv.funmoodsESrvc" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\CLSID\ = "{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CLSID\ = "{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer\ = "funmoods.dskBnd.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\Programmable C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 1668 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 1668 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 1668 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 2056 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2056 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2056 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2056 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2056 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2056 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2056 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2056 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2396 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 2396 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 2396 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 2396 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe"

C:\Users\Admin\AppData\Local\funmoods.exe

"C:\Users\Admin\AppData\Local\funmoods.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.uptodown.net udp
US 151.101.195.52:80 gstatic.uptodown.net tcp
US 151.101.195.52:443 gstatic.uptodown.net tcp
US 151.101.195.52:443 gstatic.uptodown.net tcp
US 151.101.195.52:443 gstatic.uptodown.net tcp
US 151.101.195.52:443 gstatic.uptodown.net tcp
US 8.8.8.8:53 www.uptodown.com udp
US 151.101.67.52:80 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 151.101.195.52:443 www.uptodown.com tcp
US 151.101.195.52:443 www.uptodown.com tcp
US 151.101.195.52:443 www.uptodown.com tcp
US 151.101.195.52:443 www.uptodown.com tcp
US 151.101.67.52:80 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 151.101.67.52:80 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 151.101.67.52:443 www.uptodown.com tcp
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 151.101.67.52:443 www.uptodown.com tcp
US 8.8.8.8:53 start.funmoods.com udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.165:80 reports.montiera.com tcp
US 8.8.8.8:53 r.funmoods.com udp

Files

\Users\Admin\AppData\Local\Temp\nsoE32F.tmp\LangDLL.dll

\Users\Admin\AppData\Local\Temp\nsoE32F.tmp\nsRandom.dll

memory/1668-17-0x0000000000880000-0x0000000000892000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsoE32F.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsoE32F.tmp\nsDialogs.dll

\Users\Admin\AppData\Local\Temp\nsoE32F.tmp\inetc.dll

memory/1668-40-0x0000000000880000-0x0000000000892000-memory.dmp

\Users\Admin\AppData\Local\funmoods.exe

\Users\Admin\AppData\Local\Temp\nst3016.tmp\UserInfo.dll

\Users\Admin\AppData\Local\Temp\nst3016.tmp\nsisos.dll

\Users\Admin\AppData\Local\Temp\nst3016.tmp\mt.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\prefs.js

C:\Users\Admin\AppData\Local\nst306B.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

C:\Users\Admin\AppData\Local\nso3048.tmp

C:\Users\Admin\AppData\Local\nsj30CE.tmp

C:\Users\Admin\AppData\Local\nsj30CF.tmp

C:\Users\Admin\AppData\Local\nsy3037.tmp

\Users\Admin\AppData\Local\Temp\nst3016.tmp\Time.dll

C:\Users\Admin\AppData\Local\Temp\nst3016.tmp\Processes.dll

memory/2056-1343-0x0000000000540000-0x0000000000552000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js

C:\Users\Admin\AppData\Local\nsj30D0.tmp

memory/1668-1358-0x00000000038C0000-0x00000000038C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst3016.tmp\chrmPref.dll

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

C:\Users\Admin\AppData\Local\Temp\nst3016.tmp\IEFunctions.dll

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\funmoods.xml

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsj341F.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nst3555.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js

C:\Users\Admin\AppData\Local\Temp\nst3016.tmp\InetLoad.dll

memory/2056-3364-0x0000000004610000-0x0000000004622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst3016.tmp\ExtractDLLEx.dll

C:\Users\Admin\AppData\Local\lateral1.bmp

C:\Users\Admin\AppData\Local\Temp\nsoE32F.tmp\md5dll.dll

C:\Users\Admin\AppData\Local\Temp\nst3016.tmp\NSISdl.dll

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CurVer C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ = "\"C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe\"" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ = "IEscortFctry" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\dfltLng\dfltLng C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsni = "1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS\ = "0" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\ = "esrv" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\Programmable C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\ = "escrtSrvc Object" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32 C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer\ = "funmoods.funmoodsHlpr.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrSrchUrl = "http://start.funmoods.com/results.php?f=3&a=orgnl&q=" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ = "IRegmapDisp" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 972 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 972 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 972 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 972 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 972 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 4252 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 4252 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 4252 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe

"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 245.131.30.184.in-addr.arpa udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.165:80 reports.montiera.com tcp
US 8.8.8.8:53 r.funmoods.com udp
US 8.8.8.8:53 165.230.16.69.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 162.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsu7909.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsu7909.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsu7909.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nsu7909.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

C:\Users\Admin\AppData\Local\Temp\nsu7909.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nsu7909.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/972-84-0x0000000002420000-0x0000000002432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsu7909.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

C:\Users\Admin\AppData\Local\Temp\nsu7909.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

C:\Users\Admin\AppData\Local\Temp\nsu7909.tmp\chrmPref.dll

MD5 6845d147b88de1f005d9c6ebb6596574
SHA1 64523302e2b1e2ee7a31580d2acac852db3c7e45
SHA256 c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e
SHA512 cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

MD5 ddcada8c66d56df6e4ef2bbedf2bb865
SHA1 059a7f8bb8ed2e99d5153d26ecf986e91c24df19
SHA256 abcde03656f4c6f51d4d4c788ece555581b8c7b52bfe1c18ef70678cb3a2e872
SHA512 63a3ca5d733cef71cc4ff61d6b5b3dd74613d57bac2b5d41efffbbf64ab6031bde66c0cd7058bf50c047e64e4ee0ef87dff3c7864a18c118521f5711ab69cc91

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

MD5 fe768a6b82ed2a59c58254eae67b8cf9
SHA1 3dad9bf5011fb73b9be2fe6c601bb6281a3ceaf6
SHA256 3ac3c700060a0487060724f3fd22faf70d5f633e69401641964d7ba4d6e6e570
SHA512 3d8caadc61ea127bd0e3d01f35274a2ebfa34a0ac12b0932988300d011347f74a09c2bf3c85e58bfbe5200288c6e6f100b4f08916d23e56d7b52a70130aad14b

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll

MD5 7f8be790b6614f46adeafd59761abbeb
SHA1 a1be7d513d40b1a0af1aa1fd73c2c2b6173ac700
SHA256 b1fa4dacf9656e31588eebeca1f831c72a33d9affca07ede0d5f5d113ec14aaf
SHA512 4d17c74368543092a8e7604208689bc6a5fc5bcc46c60cfb9255622d031a4265adaa13d7c0b5f410ababed802f29cb89c2dd7d7b1adc1af33fbb5f55e4a8a5ca

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

MD5 ffba0384096f7a6c2189009b3c54c8db
SHA1 e1e883b9345bd74b0c7e158751c60b0ee2139677
SHA256 93587b81f4e717b25a6e5fd2fb7158d7fb825f79af1c02ed0a61d5de15b6327b
SHA512 7ea59cd57a0b6ecb1258af1d271dcb68236d0b95fca0d5905d177dd8df980771b0a182a459a6a6f01cb4789433d193306324fa178b88b6ec3677aa5c589571dc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 a5e9c0e59f9584883003aa8796ef6cb9
SHA1 3736cb548e0f1f41d59d4e4c8a5089c06e959e85
SHA256 4a8afb3075001d33167af700871cf39da0524eb949c4f0cd7cbd89eb2f37aca8
SHA512 8fbebe8af55054036b12cd7482ae272c7b907bb09a7e633a9d85d9eea886426fefc04b39490121820479f824f115d13e48663e141242924149fa91557d1ccd23

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsl7D15.tmp

MD5 2b239e1133d24caa8364187633e0036d
SHA1 c3aae97cc6b3ad5fe6637b84cc7181621a4ce827
SHA256 6df0fe62a1eca1afbf05019507819bb32b06a1bcafcf81e4a549192a25ae5581
SHA512 0c98f7ed869a6264780432a0d9013ba5444f22b6604bc604f46f879cbd43eaab59f6aeda2c1b20a6b8def0c24be21137383a869e2c04684acf9be720f8af5f88

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 0d7889a328bf4c6b506dd87507ae693e
SHA1 21928a20080bb3bdef6457f0ffa1def8f35a14a0
SHA256 1164c9ded36dbae9752329f8833729cb6b9ee0177abb8d00d1efeede0baf8ff4
SHA512 2342d33faee44e84698e543d85798cd724123d7291e46d7df5f2bbf497353b2d8b7f8dabab515602177d4ff7892c19f1ebae099698e1dd046bb1da90b8b60dce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 b85b693a5e78f4b279bc80e903393e2a
SHA1 56286899250a98578fe2b426a1bff870bbebda67
SHA256 504bc239b887b668d71dec22d14385476eee6743855556c920de527ad2f1b064
SHA512 593eb1046e07433678ca32abf50bc3ac0d1b5ff429e33fad1ecc18a238067da30d2e86516cef1e3929573639b86836f1f9ab2c8fb0778c2039e6ab59ab1171f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 de2485f6f166437a07d987a1a7008e4a
SHA1 c010f464137fe782c1becc21f4f12c9b330334f4
SHA256 be4b4e834b09002edac1264998bcc934702c96e67f3dd77424b1e495702b70a6
SHA512 be345bfd5da1ebff7b4e4f62cc2b17beeba8a1da14c91e031359d8e5635d1f10303b34f4cfc92c3a7ea652587d4c130aedfedad61d793e55f0291d7d47f09fec

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll

MD5 12be59f427297e54fef41f9bb32d4233
SHA1 0088967a4ed52f491976136c95d43e0e1b06cc31
SHA256 e4b3df5ead761fe83da367d5e2ae1d416d0f89a572480deecc20c4b4295f17eb
SHA512 0f8f3826e8a9205771863c042a8386315784927e260ca8617c44f83b5f3f3a501500d6d39ae732da11c0621dbd6c8c6d75ac7af660a46bb70acac9c12991d2db

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 459e4f62b20b0801fdaf3d145efc5377
SHA1 bb9c516821f2c857a14dc1de08b33bec44eab0cc
SHA256 0b19cc82d6d04c7c88b87ffb6217fd2f8310e4afa726f1b890996c12ee6c416c
SHA512 9926f00ec281698d3ebc95abca7bc6fb19e697d2844bc46b55030bc11576b7db6b5fb4be84d76d312286c001b48ddc4389b5eead865748bebc04bc4c2ad0479e

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll

MD5 d5e0f923b3ee640efd6a58ec0c70cbdc
SHA1 74f62a9acdb9f9dd0580d69450c062ba8870deea
SHA256 3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281
SHA512 471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsr7DD6.tmp

MD5 1ff5a9673c9cc4a3e699c0116aed138e
SHA1 f161d2ebf0b5c211010f27186b6ed515feafd9aa
SHA256 1b9df38bc05786c5c3d1f68963cdf7092abb13b3634c5fcf7c496bfdcac736b9
SHA512 a7c38d81d8afc3c80cd6841d034d2f4cf3399e858294018e2747900fc6c4a68dc3ac589b8f152682f8e2794bc60ba43dd14d460a4c1d0813bd927b306cb42426

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsm7E57.tmp

MD5 d677e2a1be6ce9cb99688123c1a9de04
SHA1 c0f3b4c210bffdc3dcde8c6e73a1d7d29a8b8c11
SHA256 435dcc1ed05e9d6e550162418ce697ce713fae1888d2948e19eab200a71856b2
SHA512 d0374772673a0df9b0cb4936ef8451552d0af8f84637865b957f8ce52549e95d079a78418219eb66e088ff914d3dd2a5a71cc54b89b2c1e45c919f77ade208ec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js

MD5 c260aca72260a641394478da8e0a35d3
SHA1 7bc552fb94ca228d168ded76aa1d05eaa68618b0
SHA256 2c49541dd2dd845d3f711fba1a5c9894639e09e11408de796318764d56c4e662
SHA512 45349ce96c5e236b3fd4834ea7184ef1095f899703f3093bfa7666c594699b49c92ad994729d74819313ee07ef140669c7736335a0759cbb3a5f848a581e3f76

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsw7E98.tmp

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsh7EDD.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsc7F0E.tmp

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsx7F3F.tmp

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsc7F5F.tmp

memory/972-1600-0x0000000003B50000-0x0000000003B62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsu7909.tmp\NSISdl.dll

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 1728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1728 -ip 1728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 624

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 224

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 3144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20241023-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\FM4ffx.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsoC331.tmp\nsisos.dll

\Users\Admin\AppData\Local\Temp\nsoC331.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsoC331.tmp\mt.dll

\Users\Admin\AppData\Local\Temp\nsoC331.tmp\Time.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.Admin\user.js

C:\Users\Admin\AppData\Local\Temp\nstC48D.tmp

C:\Users\Admin\AppData\Local\Temp\nsyC4AD.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.Admin\user.js

C:\Users\Admin\AppData\Local\Temp\nsyC4FD.tmp

C:\Users\Admin\AppData\Local\Temp\nsoC50E.tmp

C:\Users\Admin\AppData\Local\Temp\nstC52E.tmp

C:\Users\Admin\AppData\Local\Temp\nsoC55E.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.Admin\user.js

C:\Users\Admin\AppData\Local\Temp\nstC5CE.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\user.js

C:\Users\Admin\AppData\Local\Temp\nsyC63E.tmp

C:\Users\Admin\AppData\Local\Temp\nsoC650.tmp

C:\Users\Admin\AppData\Local\Temp\nsdC660.tmp

C:\Users\Admin\AppData\Local\Temp\nsdC661.tmp

C:\Users\Admin\AppData\Local\Temp\nstC672.tmp

C:\Users\Admin\AppData\Local\Temp\nsyC692.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\user.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\user.js

C:\Users\Admin\AppData\Local\Temp\nsdC703.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\funmoods.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\funmoods.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutUrls C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5F9DDC2A-399D-40AE-A321-C02A8668CD10}\URL = "http://start.funmoods.com/results.php?f=4&a=down&q={searchTerms}" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://start.funmoods.com/?f=2&a=down" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5F9DDC2A-399D-40AE-A321-C02A8668CD10}\FaviconURL = "http://start.funmoods.com/favicon.ico" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5F9DDC2A-399D-40AE-A321-C02A8668CD10} C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5F9DDC2A-399D-40AE-A321-C02A8668CD10}\Codepage = "65001" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5F9DDC2A-399D-40AE-A321-C02A8668CD10}\DisplayName = "Search" C:\Users\Admin\AppData\Local\funmoods.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5F9DDC2A-399D-40AE-A321-C02A8668CD10}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/FNMD/FM/1.5.11.16/funmoods.xml" C:\Users\Admin\AppData\Local\funmoods.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://start.funmoods.com/?f=1&a=down" C:\Users\Admin\AppData\Local\funmoods.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\Programmable C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f\CLSID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ = "IIEWndFct" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ProgID\ = "funmoods.dskBnd.1" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\TypeLib\ = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\ = "appCore Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsApp.dll" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\ = "CDskBnd Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\CLSID C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlRef C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f\CLSID\ = "{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "CDskBnd Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\ = "appCore Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\dfltLng\dfltLng C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ = "escrtSrvc Object" C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\VersionIndependentProgID\ = "funmoods.funmoodsHlpr" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID\ = "f" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\data C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\dfltLng C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ = "IRegmapDisp" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\TypeLib C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\funmoods.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4876 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 4876 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 4876 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe C:\Users\Admin\AppData\Local\funmoods.exe
PID 2216 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2216 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2216 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
PID 2216 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2216 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 2216 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\funmoods.exe C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
PID 5084 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 5084 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
PID 5084 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe4e2914eeb43cf09a993c82311273b.exe"

C:\Users\Admin\AppData\Local\funmoods.exe

"C:\Users\Admin\AppData\Local\funmoods.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe /S /aflt=down /mhp /mds /mnt /stagedXpi

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 gstatic.uptodown.net udp
US 151.101.195.52:80 gstatic.uptodown.net tcp
US 151.101.195.52:443 gstatic.uptodown.net tcp
US 8.8.8.8:53 crl.starfieldtech.com udp
US 192.124.249.31:80 crl.starfieldtech.com tcp
US 8.8.8.8:53 52.195.101.151.in-addr.arpa udp
US 8.8.8.8:53 31.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.uptodown.com udp
US 151.101.131.52:80 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 8.8.8.8:53 ocsp.int-r1.certainly.com udp
US 151.101.195.3:80 ocsp.int-r1.certainly.com tcp
US 8.8.8.8:53 3.195.101.151.in-addr.arpa udp
US 8.8.8.8:53 52.131.101.151.in-addr.arpa udp
US 151.101.131.52:80 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 151.101.131.52:80 www.uptodown.com tcp
US 151.101.131.52:443 www.uptodown.com tcp
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 start.funmoods.com udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.165:80 reports.montiera.com tcp
US 8.8.8.8:53 fmcdn1.funmoods.com udp
US 8.8.8.8:53 r.funmoods.com udp
US 8.8.8.8:53 165.230.16.69.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 160.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 155.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsg88B9.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

C:\Users\Admin\AppData\Local\Temp\nsg88B9.tmp\nsRandom.dll

MD5 ab467b8dfaa660a0f0e5b26e28af5735
SHA1 596abd2c31eaff3479edf2069db1c155b59ce74d
SHA256 db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73
SHA512 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

memory/4876-22-0x00000000031D0000-0x00000000031E2000-memory.dmp

memory/4876-21-0x00000000031D0000-0x00000000031E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsg88B9.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsg88B9.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\nsg88B9.tmp\inetc.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

memory/4876-56-0x00000000031D0000-0x00000000031E2000-memory.dmp

memory/4876-55-0x00000000031D0000-0x00000000031E2000-memory.dmp

C:\Users\Admin\AppData\Local\funmoods.exe

MD5 badf0b8e9bc8d7352fb084951255ee4f
SHA1 e584634b5565fd81d7258fca86c632c9d3e1cd14
SHA256 73db5f6b89963d6692e3c43c8f3e5265ec4512ce87fe652e9ec3a4a0bb036db8
SHA512 3b704e3b0d440f1e580cc277c3c68223139f35156b00250ebf9a231f03d5f74bd19bbf948061e7b8be13b9c08aca9f30a0929cfce5a9d5cc3558cd187a05d53e

memory/4876-81-0x0000000004F30000-0x0000000004F39000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsvD458.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsg88B9.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

C:\Users\Admin\AppData\Local\Temp\nsvD458.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nsvD458.tmp\mt.dll

MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

C:\Users\Admin\AppData\Local\Temp\nsvD458.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\nsqD527.tmp

MD5 aa4d624ec6ddb4db8f587700e83fcde7
SHA1 8ac1c3397c90be253a718dc8af9e84ee63ea4185
SHA256 7f7fe8a15e9d52cc9bb617544ad0ed458afbd7adaaf99bb06d18b9b8da3637c8
SHA512 0c206d53a114228c675b4d328c1bd4b297b6224e113c076353d4698bd963898f58fa4a75281db04ebdeb6051a9aed95f01ba7f3f164d2d24dfc397437106b210

C:\Users\Admin\AppData\Local\nsgD538.tmp

MD5 3062047a2880b6809f9f5e203a624692
SHA1 6ae308f3d7b8c4d30f85a8e6288f88f1500f0d4a
SHA256 eb8861bc4c152c0c8fe13e9ee53b4fcb84733ac5539d0e86c98e2ec3015d6184
SHA512 066e4a0cb8c06ae1c96d7d0d9b39a5abac8e5fad258ec8c8841bcf81293fc9a727f275813836a0e41c1b34bd67f0f33532a701bbc888aa3f1edcede970cc64d3

C:\Users\Admin\AppData\Local\nsvD4F7.tmp

MD5 06c42349f82ace83f953695a7036967e
SHA1 3488e08a3fb81316456f6449bdeb9254c3b4f5f8
SHA256 afa2580870da87ca052d778bb13ea37bea1cf83aae932dcc575d700e1c9e831b
SHA512 272c97324cd7922a9fb6514f3b082655a09d37e70381f520c012ad285fe8f55d88c8c79dbd5b80cf6009e4934c2255c98f99c6ee97639c481330c8c9f509061e

C:\Users\Admin\AppData\Local\nsgD53A.tmp

MD5 3b6f21258d6297631937ee72f3579931
SHA1 d561d77614df30f2a509df4779e35ad221ea77ea
SHA256 8fdf47f138cc0756299465efb316120580558adafce7867fc2d090cc2487c9c0
SHA512 64b7b8793efcd26aab9f15097d57e3b89423538fefedbd501a036ac527a7eb964b344679fe4cc0e96dfcada53a5994248716615a42e20d00357a2132626c9eb6

C:\Users\Admin\AppData\Local\nslD55A.tmp

MD5 263956e932a663281f70126c8ab7b72b
SHA1 ce03abd9aff66d4492d2df98943df051f081b2d7
SHA256 1f136822737da4313b695d47e5ef874af58defed029239bc91720b1cc12623ff
SHA512 bc36de595c2c2caa4fb210ec15c6e46d0f1f2271cc065d54b47891eea9bbfa14f2c9aa551312379d4f06a73d7d916313290a0dd25fd11dd7741af75fef7d1f52

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vazdz5r6.Admin\user.js

MD5 35bd49cc80393a45ddd5dfb69e92e936
SHA1 8a235a288238d1ad253a2afed7ad8be6edd7b09f
SHA256 0689f3e70406af7fd14e5f3f25954fae558e4ed6eca8294e3ebc7a28305728ba
SHA512 8d755ff2bdd9116763a6afb465e583a43076d3d767a39f6ec46b2b3f20563d79f41a5409867ae6e21b1b0aa529806487aba21975344bd474a08341ccc0295e7d

C:\Users\Admin\AppData\Local\nswD63A.tmp

MD5 44727454e1ae2dc317ab2f512ae78f2c
SHA1 5eac4d8734f84b07a0643459ab6da4dcd5c47640
SHA256 d749dcbc8d4850dc2cb0eca6148f142f8efdf6621e96cb28c8b0f177553c6d82
SHA512 8af904081dba3126ae653dd2e3f2d290c89792dcbc778191c11df238fd36c8b6273b088c0bed5a6612ef30d9121699227e2664b3f7acf1a1890e7abc05861eab

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\user.js

MD5 a6586122c0662f36a4f26b6c3959811c
SHA1 929259027561933065e6267fe948b33bd549d2a8
SHA256 2bce865f219fe68157cf29b115642d1c68a0cf062c14e3853321e4d7b4fc4edb
SHA512 622683523e7049eef983dfd0fa177882b1a1fe153aac634308b2ebee5b6b1d7bca93ce67327d77d9e2df13010ef7d2785cee5752dc7847435f71ba1c8d156bcf

C:\Users\Admin\AppData\Local\nsmD64B.tmp

MD5 52dd49dd0d40376cffb6a3e45e6db6b8
SHA1 cac8a58369f8a5c4636447688601ee9e6654a8b0
SHA256 397ffb0e3566d50f831a1083f60ee1ada5cea780f767b37720c1475d05ddb585
SHA512 eb5e50aa536fe32b17dd2682a011be25eeda8d5a4739e77438f5ecba422ce1b1a80d0c19d77e1b8f37892410d61c75bfc4d2a9084a7a02b38c4af177dfa8754a

C:\Users\Admin\AppData\Local\nscD747.tmp

MD5 21e2ca66b86e5bf3a6032fdbc45e90b5
SHA1 ea70be42630e89f7a650abb4e71852efa9893c9b
SHA256 704628eb647ff0f3e61d951bd0cb3f97f7e58a8284c4e50c71f4369aa111873a
SHA512 3757f022724b7ba2efb3c0f5da649bfa8e609752266fde6b2999de31fc01390eae20e6a65d8cbcffaf338936de5dd018b76953679e763448078e27b208b9fd65

C:\Users\Admin\AppData\Local\nsrD757.tmp

MD5 7278e2536cdb7b7b289d1608b8bb731f
SHA1 ae9ae0d8c25ca64553b56eb8fb4ed5edc5c8833c
SHA256 145136f0c0ed3502e8721cf84cb1c6f686216e1027d232202a2811141914fdcb
SHA512 b4650b56ce6f7457a1783f20bce99106fbeb46d5a6b7740e165d5c9273c6337c93f1145afb00f64fcff141d082a1153a70da257d6d00562fe9479f4d8e2f45ab

C:\Users\Admin\AppData\Local\nshD768.tmp

MD5 b804e77d692f76f6b411f020cc930dc0
SHA1 019911c69ba034cf0be5f9ef70d9d748df9eb98c
SHA256 d469d6f59a86889c7d5d0282279b19109b8f5d7ba1e8552d355805417a8c2c46
SHA512 47978f97fe69ef35b7ffa7649f3289ebc8fb5c3a12a201d763a4607b9f63ff39d2e66be629b82f8af0521bd1930d604a981dad63d976a21d69f2be2219da7c75

memory/2216-1420-0x00000000023D0000-0x00000000023E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsvD458.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

C:\Users\Admin\AppData\Local\Temp\nsvD458.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

C:\Users\Admin\AppData\Local\Temp\nsvD458.tmp\ExtractDLLEx.dll

MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

C:\Users\Admin\AppData\Local\Temp\nsvD458.tmp\chrmPref.dll

MD5 6845d147b88de1f005d9c6ebb6596574
SHA1 64523302e2b1e2ee7a31580d2acac852db3c7e45
SHA256 c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e
SHA512 cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

MD5 ddcada8c66d56df6e4ef2bbedf2bb865
SHA1 059a7f8bb8ed2e99d5153d26ecf986e91c24df19
SHA256 abcde03656f4c6f51d4d4c788ece555581b8c7b52bfe1c18ef70678cb3a2e872
SHA512 63a3ca5d733cef71cc4ff61d6b5b3dd74613d57bac2b5d41efffbbf64ab6031bde66c0cd7058bf50c047e64e4ee0ef87dff3c7864a18c118521f5711ab69cc91

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll

MD5 7f8be790b6614f46adeafd59761abbeb
SHA1 a1be7d513d40b1a0af1aa1fd73c2c2b6173ac700
SHA256 b1fa4dacf9656e31588eebeca1f831c72a33d9affca07ede0d5f5d113ec14aaf
SHA512 4d17c74368543092a8e7604208689bc6a5fc5bcc46c60cfb9255622d031a4265adaa13d7c0b5f410ababed802f29cb89c2dd7d7b1adc1af33fbb5f55e4a8a5ca

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsiDB50.tmp

MD5 34468a11b08fb29d962ef721ca37d789
SHA1 0d40b4cc3969a0117c7cb9b91f3cac6aa05242dd
SHA256 5f9c3874066e13521659da18bdf2445372b2aaa818ec99274ef4c849fd44ae78
SHA512 06711b0d49ce80dabe428d6cb22b2c88776043cbae91561ff3309fdb3ad080fd0645836ac18eabc1cf6786e07be3ae2e3cf7a4e04ae0c1c53492a37ad96d9d60

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsiDB51.tmp

MD5 a38d4554fdd8f88484212930e0ed5a62
SHA1 03df6df152a9a5cff8a97aa8739c230791d279c9
SHA256 1d1fa5f877db99afa6cc41b72148dadda4b427ccf25c0621f70f79070bef45e0
SHA512 f8aedbf689e2f19f20ddeab1bd97f122e108498d970be1e550f6f5f0125649f7fbdcfa3e746eb1d0d14dd268e340f8f4d1219a7eed65f1a8699d7205e4fd22bf

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsoDB72.tmp

MD5 861370adf832abf87394b5f5c81123f7
SHA1 57a6c84e328d6e568b63db9ae7c4961fe2cad700
SHA256 2a7f71f716eae8a053b6316827191b1b9234bf389ce57e5788d237a3419bac2b
SHA512 d298cd8eaa1cab66fb7bb9d0e890a2af0446bec37a7f8aad0e501adb1a76215fec0d7328dba6edcd6ef8e47a41a645caafff085de26406ef46aefa115fc7c051

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll

MD5 12be59f427297e54fef41f9bb32d4233
SHA1 0088967a4ed52f491976136c95d43e0e1b06cc31
SHA256 e4b3df5ead761fe83da367d5e2ae1d416d0f89a572480deecc20c4b4295f17eb
SHA512 0f8f3826e8a9205771863c042a8386315784927e260ca8617c44f83b5f3f3a501500d6d39ae732da11c0621dbd6c8c6d75ac7af660a46bb70acac9c12991d2db

C:\Users\Admin\AppData\Local\Temp\nsvD458.tmp\IEFunctions.dll

MD5 5a3a8d916dd0071f16d217bbcfe7d047
SHA1 c2265fa5cec491706d0921e4274c674b693f326f
SHA256 465e81022be2df0433a6e02d427a79dc733031abc89d99746b73576a976857e3
SHA512 8908ee2e329171d2ee430aacf7f86be565472cdb9b338786188ab37d6e6a714e5bc98552a39737ff8a5f314730c9f351aa0f1fa8207eff32289d7bccb3e05a08

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\funmoods.xml

MD5 4572bfac1a74abe2d4d716871b2c9cad
SHA1 daa25567a196e9e7b10b2bf33ba35299f2c16f84
SHA256 8f2ac3e5f4345b19010d7dc0a7ed835727f5e7780f4c00517aadb18724dcaf29
SHA512 285f22cea572aab5b37acb00e1e77db684e57c40361bf7eb05dc27c0ac42587b1dd9666cfaa9547862db43d5284c0e9087dd2c45247635fa22a51a6431267d15

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsdDBD2.tmp

MD5 3a1e96e6a80ba3f80124ba5532955106
SHA1 44c451c0f19ddbea7231352018b23894cb30090a
SHA256 7a0dce3f34ccac3385fe89fd62429fc0a3675019459471810f48666540bcd588
SHA512 d549a94da63960719f8c399ec5b2fd6c32b3575a0171dd91d41ace80f2f23f894ed3402ce7015372b6495d18feb9a78051009f79b4098bfea0279938896e4ec1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vazdz5r6.Admin\user.js

MD5 e3830b89b4b0fb4a38ff58c9361e5a31
SHA1 1fd33bd0ec523523d4bfe124fc42e667e1030c77
SHA256 44d63faff376ca76608fee233032208698e380510abb4e222bf8af71f8739b37
SHA512 0d646265c52de02cf0897cb55e4a0446987a905fb198bd28900a0b51dfd23939029d13fc184b9f7ceddfd9bd2a607a5a934acbe2149888003d19a24c13fa5e6b

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyDC03.tmp

MD5 2fd04e6da41a1b3052b788dca20791d8
SHA1 f9e664d75ade913e024eb3480d6866fd19588ff8
SHA256 363c95c8b648e3bfe68fcaae645c4a90e59785a2b46fa3bdde0028b165a271c1
SHA512 ba5a514297890111a448e5559ac71e723d681a6feb5cf89210308322d065e878c3562dd2123015cc0fa024198d3d2dff13baf2e6a6809cd875fbca2060b424f2

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll

MD5 d5e0f923b3ee640efd6a58ec0c70cbdc
SHA1 74f62a9acdb9f9dd0580d69450c062ba8870deea
SHA256 3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281
SHA512 471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nstDB92.tmp

MD5 25ce57875327d41d22521079c7be9fe9
SHA1 66444ecef44ad9a2563f9b3e65efd66fc62433d1
SHA256 bd9ecc570e3161e1f3839f30f5d348d5df0f2944f76be9e9704440bb7bbaf502
SHA512 f069d3c35a0dc62ddf3e815694930b86b4ff02913016e70f07433ae974dec076eaf3139116e7abf05e61291f7ce108201634367f7da5ca3d3d3f1a34a4fc6bf7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vazdz5r6.Admin\user.js

MD5 72ada004ce2589b5c7d1bb71ce1d0204
SHA1 fbf8126dff789d73aeb9d82824b892017be67c57
SHA256 fefee789cd8ae595d5e07ca7cf0a46bd280101853d644efa0f465f1b3e5d90d8
SHA512 ffa6681dbd0bcd79a7c41922d528518f55120718094ec4ae43afff16963f6eb253c7bd48d39024c2dbb6670a4ce316033117885faf3ae748dc47a9cab124c74e

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsjDC44.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\user.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\user.js

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nseDDB3.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\user.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\user.js

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsuDEB2.tmp

C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsaDF22.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\user.js

memory/2216-3445-0x0000000004170000-0x0000000004182000-memory.dmp

C:\Users\Admin\AppData\Local\lateral1.bmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\nsvD458.tmp\NSISdl.dll

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExtractDLLEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20241023-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 224

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 4428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 4428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 4428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4428 -ip 4428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 245.131.30.184.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 162.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2025-01-19 18:43

Reported

2025-01-19 18:46

Platform

win7-20241010-en

Max time kernel

13s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 228

Network

N/A

Files

N/A