Malware Analysis Report

2025-08-05 16:42

Sample ID 240204-wcv6esfed9
Target 8fc562f8ef3b09ecd7bc9e710e809564
SHA256 4b75e62a4209caf08492f07cba4e96e35d8b15866614559f50285332bdf2b7ba
Tags adware discovery evasion spyware stealer trojan upx
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral27, behavioral1, behavioral5, behavioral6, behavioral8, behavioral9, behavioral29, behavioral7, behavioral13, behavioral16, behavioral26, behavioral3, behavioral17, behavioral18, behavioral21, behavioral28, behavioral30, behavioral31, behavioral23, behavioral10, behavioral14, behavioral24, behavioral25, behavioral15, behavioral20, behavioral22, behavioral2, behavioral4, behavioral11, behavioral12, behavioral32, behavioral19 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 7/10

SHA256 4b75e62a4209caf08492f07cba4e96e35d8b15866614559f50285332bdf2b7ba

Threat level: shows suspicious behavior. The file 8fc562f8ef3b09ecd7bc9e710e809564 was classified as showing suspicious behavior.

Malicious Activity Summary

Tags adware discovery evasion spyware stealer trojan upx

Signatures triggered across the static and behavioral analyses below:

UPX packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Checks installed software on the system

Installs/modifies Browser Helper Object

Checks whether UAC is enabled

Drops file in Program Files directory

Program crash (WerFault.exe launched against rundll32.exe after it loaded a dropped $PLUGINSDIR plugin DLL on its own, see behavioral6 and behavioral8; NSIS plugin exports expect the installer's own argument list, which rundll32 does not supply, so these crashes are most plausibly an artifact of detonating each plugin in isolation rather than behaviour of the installer)

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 17:47

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
2 rows, all fields N/A

UPX packed file

upx
Description Indicator Process Target
2 rows, all fields N/A

Unsigned PE

Description Indicator Process Target
28 rows, all fields N/A

NSIS installer

installer
Description Indicator Process Target
14 rows, all fields N/A
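The three static verdicts above are recoverable from the file itself. The following Python is an added example, not code from the report or the sandbox, that approximates them with hand-parsed PE headers: UPX is inferred from the default UPX0/UPX1 section names (a heuristic, since a repacked file can rename its sections), the NSIS verdict from the installer's first-header magic (0xDEADBEEF followed by NullsoftInst), and Unsigned PE from an empty Authenticode security directory. build_pe constructs a minimal PE32 image carrying only the headers these checks read; it is constructed test scaffolding, not a real sample, and in practice the bytes of a file such as the submitted 8fc562f8ef3b09ecd7bc9e710e809564.exe would be passed instead.

```python
import struct

# NSIS "first header" magic: FH_SIG (0xDEADBEEF, little-endian) followed by "Null" "soft" "Inst".
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def _pe_offset(data):
    """Offset of the PE signature, validating the DOS header first."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def pe_sections(data):
    """Section names from the section table (8-byte, NUL-padded entries)."""
    pe = _pe_offset(data)
    num_sections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + opt_size  # section table follows the optional header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(num_sections)]


def security_directory(data):
    """(offset, size) of the Authenticode certificate table; (0, 0) means no signature."""
    pe = _pe_offset(data)
    magic, = struct.unpack_from("<H", data, pe + 24)
    dirs = pe + 24 + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directories
    return struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def static_signatures(data):
    """Approximate the report's static verdicts: UPX packed, NSIS installer, unsigned."""
    found = []
    # UPX names its sections UPX0/UPX1 by default; a repacked file may rename them.
    if any(name.startswith("UPX") for name in pe_sections(data)):
        found.append("UPX packed file")
    if NSIS_MAGIC in data:
        found.append("NSIS installer")
    if security_directory(data) == (0, 0):
        found.append("Unsigned PE")
    return found


def build_pe(section_names, signed=False, nsis=False):
    """Constructed minimal PE32 image (headers only) for exercising the checks above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    opt = bytearray(224)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    if signed:
        # fake certificate table entry; a real file would point at a WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + (NSIS_MAGIC if nsis else b"")


if __name__ == "__main__":
    sample = build_pe(["UPX0", "UPX1", ".rsrc"], nsis=True)
    print(static_signatures(sample))
```

The checks read only what the headers declare, so a file whose section table or security directory has been tampered with will mislead them; treat them as triage hints, which is also how the report's own static signatures should be read.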

Analysis: behavioral27

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 228

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fc562f8ef3b09ecd7bc9e710e809564.exe"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\8fc562f8ef3b09ecd7bc9e710e809564.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8fc562f8ef3b09ecd7bc9e710e809564.exe

"C:\Users\Admin\AppData\Local\Temp\8fc562f8ef3b09ecd7bc9e710e809564.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst3FB1.tmp\tools.dll

MD5 e12f05661436f2974cf91b5fc76fb5f4
SHA1 5e0b7887950204713bef3da0018911279f2540ec
SHA256 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc
SHA512 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d

memory/2096-19-0x0000000001F30000-0x0000000001F70000-memory.dmp

memory/2096-23-0x0000000074930000-0x0000000074EDB000-memory.dmp

memory/2096-24-0x0000000074930000-0x0000000074EDB000-memory.dmp

memory/2096-25-0x0000000001F30000-0x0000000001F70000-memory.dmp

memory/2096-26-0x0000000001F30000-0x0000000001F70000-memory.dmp

memory/2096-29-0x0000000005F80000-0x0000000006080000-memory.dmp

memory/2096-30-0x0000000005F80000-0x0000000006080000-memory.dmp

memory/2096-39-0x0000000074930000-0x0000000074EDB000-memory.dmp

memory/2096-40-0x0000000001F30000-0x0000000001F70000-memory.dmp

memory/2096-41-0x0000000074930000-0x0000000074EDB000-memory.dmp

memory/2096-42-0x0000000005F80000-0x0000000006080000-memory.dmp

memory/2096-43-0x0000000005F80000-0x0000000006080000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:50

Platform

win7-20231215-en

Max time kernel

122s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 228

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4536 wrote to memory of 3908 (3 identical rows) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3908 -ip 3908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 624

Network

All rows in this run are in-addr.arpa reverse lookups sent to the resolver; no connection of the sample's own is recorded.

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:50

Platform

win10v2004-20231215-en

Max time kernel

137s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 3924 (3 identical rows) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3924 -ip 3924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 612

Network

All rows in this run are in-addr.arpa reverse lookups sent to the resolver; no connection of the sample's own is recorded.

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:50

Platform

win7-20231215-en

Max time kernel

120s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 228

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:50

Platform

win7-20231215-en

Max time kernel

118s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 228

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\yourface.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\2YourFace.crx C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\install.rdf C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\uninst.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\bho.dll C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\FF8Installer.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
12 rows, all fields N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = (binary value omitted) C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}" C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=4a04029300000000000042df7b237cb2" C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=4a04029300000000000042df7b237cb2" C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a73230343175373035d37474b475d134723435d4b5303375d430b43531717571373730bb35a06010181a3b95631001b190b75 C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (binary value omitted; 3 identical rows) C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A

AuthRoot is the store that Windows' automatic root-certificate update populates on demand, and this run also contacts ocsp.thawte.com and crl.thawte.com. The thumbprint corresponds to the thawte Primary Root CA, so the write is consistent with Windows caching a root while validating a code signature rather than with the sample installing a root of its own; check the thumbprint against a current trusted-root list before treating it as a rogue root.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege (2 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 2124 (7 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2124 wrote to memory of 2764 (7 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe
PID 2188 wrote to memory of 2580 (4 identical rows) N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 2896 wrote to memory of 1972 (7 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 1972 wrote to memory of 1724 (7 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1972 wrote to memory of 3048 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2896 wrote to memory of 1620 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
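The WriteProcessMemory rows above list parent and child by PID only and the sandbox emits one row per write call, so the installer's process tree is easier to read once the rows are collapsed. The following Python is an added example, not code from the report or the sandbox, that groups the rows into parent-to-child edges with a write count and prints the tree. It accepts rows in the one-per-write layout or rows annotated with "(N identical rows)"; the embedded input is a constructed subset of the rows of this run, so the counts it prints are the subset's, not the full run's.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample: a subset of the "Suspicious use of WriteProcessMemory" rows from the
# behavioral13 run, in the layout the sandbox prints them. The sandbox emits one row per
# WriteProcessMemory call, so repeated rows are expected; a row may also carry an
# "(N identical rows)" annotation standing in for N copies.
SAMPLE_ROWS = r"""
PID 2896 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2896 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2896 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2124 wrote to memory of 2764 (7 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe
PID 2188 wrote to memory of 2580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 2188 wrote to memory of 2580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 2896 wrote to memory of 1972 (7 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 1972 wrote to memory of 1724 (7 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1972 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2896 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) identical rows?\))? (.*)$")
# Split the remainder before each drive-letter path so paths containing spaces
# ("Program Files (x86)") stay whole.
PATH_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z]:\\)")


def parse_rows(text):
    """Return (src_pid, dst_pid, src_path, dst_path, count) for every row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        fields = PATH_SPLIT_RE.split(m.group(4))  # ["N/A", src_path, dst_path]
        if len(fields) != 3:
            raise ValueError("unexpected row layout: " + line)
        count = int(m.group(3)) if m.group(3) else 1
        events.append((int(m.group(1)), int(m.group(2)), fields[1], fields[2], count))
    return events


def build_tree(events):
    """Collapse rows into parent->child edges, counting writes per edge."""
    names = {}                 # pid -> image basename
    children = OrderedDict()   # parent pid -> [child pid, ...] in first-seen order
    writes = Counter()         # (parent, child) -> number of WriteProcessMemory rows
    for src_pid, dst_pid, src_path, dst_path, count in events:
        names[src_pid] = src_path.rsplit("\\", 1)[-1]
        names[dst_pid] = dst_path.rsplit("\\", 1)[-1]
        kids = children.setdefault(src_pid, [])
        if dst_pid not in kids:
            kids.append(dst_pid)
        writes[(src_pid, dst_pid)] += count
    targets = {dst for (_, dst) in writes}
    roots = [pid for pid in children if pid not in targets]  # never written to: tree tops
    return names, children, writes, roots


def render_tree(text):
    """Indented process tree, one line per process, with the write count on each edge."""
    names, children, writes, roots = build_tree(parse_rows(text))
    lines = []

    def walk(pid, depth, count):
        tag = "" if count is None else " [%d write%s]" % (count, "" if count == 1 else "s")
        lines.append("  " * depth + "%s (%d)%s" % (names[pid], pid, tag))
        for kid in children.get(pid, []):
            walk(kid, depth + 1, writes[(pid, kid)])

    for root in roots:
        walk(root, 0, None)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(SAMPLE_ROWS))
```

In this run every edge runs from a process into one it appears to have just started (yourface.exe into MyBabylonTB.exe and MainInstaller.exe, those into Setup.exe and PingMe.exe, rundll32.exe into IELowutil.exe), which is the pattern ordinary process creation produces; the tree makes that visible before the signature name is read as injection into an unrelated process.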

Processes

C:\Users\Admin\AppData\Local\Temp\yourface.exe

"C:\Users\Admin\AppData\Local\Temp\yourface.exe"

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\17CAEF~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\17CAEF~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1

Network

Country Destination Domain Proto
US 8.8.8.8:53 info.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 dl.babylon.com udp
US 198.143.128.244:80 dl.babylon.com tcp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 www.outbrowse.com udp
US 8.8.8.8:53 www.outbrowse.com udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:443 www.outbrowse.com tcp
US 13.248.169.48:443 www.outbrowse.com tcp
US 13.248.169.48:443 www.outbrowse.com tcp
US 13.248.169.48:443 www.outbrowse.com tcp

Files

\Users\Admin\AppData\Local\Temp\nso149B.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

MD5 3d91ecdbb3404485702fb92b26b17d90
SHA1 5dfc514a7a1e037683fed57029f49fa6c6f04dbf
SHA256 588b7896a3712043efd9789e8bd2de35d2bcc082344f2d2cb7a90cfadc66b6d9
SHA512 1cc40cfa7328eb251f9cc5bc4c5ba695e213c8efda94e8ef23cfc7786a561c8298c05b39fbbbcfccc90eaf3a18090f1d6fd4ecc405795565fdb8790c9b2093d3

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

MD5 def5da19a727e52b56d117b1d679d21a
SHA1 16767972bfe64f81c10dee1117b9b978b550f4c4
SHA256 e7e855b78b7fd01c8d1802367e079948e47bfae457fc103172b0d88d3aec914f
SHA512 9a0643b429433707ef2a39342d71cd7852f5ac18e39ade1197b78f036b1a472181fe9f821ec806d84b395b078ce39acdc3d9572c506463d54fb5422ed4a1345d

\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe

MD5 47028736ce2500e448eae7f671c415ef
SHA1 6a1b029c508d2798ee7439bf2fadd9916eeae29d
SHA256 0c3c9cfcbf170139453067f9063baa57669c47a047202d62d4a0032aa31afe18
SHA512 b71a77b19d83546b97eb8d04bbb6ce129464312e6661b0b4e816f3e730e44737834a9a6eeadff230c436e4c265f3cf120f283dce8bdc54b4e6d1c4cdb4e819b4

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe

MD5 843ac8adbeed76e13201d94148930a8b
SHA1 47231e1a61907f61e8af3b93ebe52e998691a2be
SHA256 a90afdf7bba69bd85cc2fc00448eb7c108e7a9780ec2b6ff4c23fbc75d2b5fba
SHA512 0a53829c559e9042bef97336dd7385b424b61ea7096469783cbfead055736aa8aed80a9a4e285142556fbbb8a92b4797a314dfe5f779cc81ef02a7feafb15fcc

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Setup.exe

MD5 1feeac6160ec19b8428882772f44849c
SHA1 f1a7d9db1b71bf723ce76f60b32b66e7bb81dab9
SHA256 ac5107c5c8f89121947fd5a2f17a172e44b4026fec035252a64753868eb4b070
SHA512 5eb7a6223838a54c67ad26e4e3aff5475fb5b1fd6bc00717bb3924dc6b2b36d598397883ace80b53d4293bd88708e6c59ef81a7b53bebb86b5856cf7516c0a39

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\bab033.tbinst.dat

MD5 1ee8c638e49ee7137607722768afc5a2
SHA1 8719d7a498a49b042cd6fc411cac6c44f3c0f43a
SHA256 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e
SHA512 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\SetupStrings.dat

MD5 07bb1523dc51ec1fd5913b0a70ab98ee
SHA1 216f853cb251f32f5c91345404efd48f041ad5bd
SHA256 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2
SHA512 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\bab091.norecovericon.dat

MD5 4f6e1fdbef102cdbd379fdac550b9f48
SHA1 5da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256 e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA512 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Babylon.dat

MD5 adbb6a655ae518830ba1afefdb84668f
SHA1 a1be53d99a67fff011ea035c310588e635c718e1
SHA256 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c
SHA512 b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228

\Users\Admin\AppData\Local\Temp\17CAEF~1\IECOOK~1.DLL

MD5 5a27c8702510d0b6c698163053fde6d1
SHA1 69fdc602a51e52c603f23a80e9b087c262dce940
SHA256 ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437
SHA512 ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51

memory/2188-51-0x00000000006F0000-0x00000000006F2000-memory.dmp

\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

memory/2580-50-0x00000000029F0000-0x00000000029F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\sign

MD5 73dbc500e121b83ec57bb2563203259a
SHA1 658adac13fc362f5292cbbda19ade1d228ff7901
SHA256 9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878
SHA512 c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe

MD5 ef85bc362438b26d332d86b76d524856
SHA1 aea7187b72d4f14f3e104726024526841d72ca0e
SHA256 3a25476e90601ce0d3b446fc53a3ee5882cff2f562a4fcf7b94c1fe15c282eab
SHA512 9e0da800dc655ff444c53d9af0441e75e7edaa3db671bc74f0ab2cd3e1ff9709a78f801de3e7b9ae9f544289e73568d248db50236633e8a53b88f3217f2970a1

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\setup.js

MD5 a95607ce49fa0af8ed7a3f5667c3eb31
SHA1 5e4b5a30e56c42329afdf216625bf35be69a82aa
SHA256 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c
SHA512 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\progress.png

MD5 dee08d8cbcdeb8013adf28ecf150aaf3
SHA1 c61cd9b1bd0127244b9d311f493fc514aa5c08d6
SHA256 eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5
SHA512 c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\page3Lrg.css

MD5 b3520c555c46a7020d8f27bfe81df0ca
SHA1 59398086abe3987c2a91edacb74eca94bbd63d7d
SHA256 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6
SHA512 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\page3.html

MD5 b23c25988099403433efb7fb64715676
SHA1 e833527e1c021b311286e6e2d1c2f0530be0a565
SHA256 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c
SHA512 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\page3.css

MD5 07784ad77f30fa018949e412b2257aab
SHA1 8595c222a3741bfa83c5a4d982c845c8038062a6
SHA256 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf
SHA512 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\page2Lrg.css

MD5 db15b568f9d195635b3fcab87ef6293f
SHA1 6ae0f374531cb3013857880e8469a103492b8393
SHA256 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d
SHA512 a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\page2.html

MD5 12152ded3604e8baaf82c078f8034d60
SHA1 0867dec241a257e3e9ad9e8d20b9e06e3bce7184
SHA256 abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485
SHA512 a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\page2.css

MD5 085cf46c4d1c8dea9edd79ee37d6d5bd
SHA1 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45
SHA256 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d
SHA512 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\page0.html

MD5 cf33120dd42cee842d96532843bb1961
SHA1 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf
SHA256 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f
SHA512 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\options.js

MD5 771f230f8bbc96a03b13976667918f1f
SHA1 0fba422c76b89cdb5d12e657064c49a9b1b7abae
SHA256 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252
SHA512 b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\globe.png

MD5 cc53fb9e9456eb79479151090cb16cbd
SHA1 e61004bf729757f3f225f77f0236b82518f68662
SHA256 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42
SHA512 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\eula.html

MD5 1b73a781f7f5b0d61624bd97050a2ed0
SHA1 01b848625761d5dede115e8599e4c72f126f8a3c
SHA256 f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5
SHA512 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\title.png

MD5 12ef76069cc40b8ad478d9091915ded6
SHA1 fabad560b6e6839f9e5ae1268695d11ca35f9d74
SHA256 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c
SHA512 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\blueStar.png

MD5 a7fcdf142648bac756fcfe06a31f42e4
SHA1 4df99b119c183c821ed1bf0f825536318c9c3353
SHA256 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22
SHA512 ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\BExternal.dll

MD5 743acbf54eb091066be6ab3cb12c5988
SHA1 43a205985790c47a7e611fa2d3cab9b4eb59121f
SHA256 fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0
SHA512 014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\HtmlScreens\toolBar.jpg

MD5 56dc3cb42b46309e642c15167003685d
SHA1 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d
SHA256 bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1
SHA512 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

C:\Users\Admin\AppData\Local\Temp\Tar19DC.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab19CA.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

MD5 5e6230b3b16798e23720958756ac6d9e
SHA1 c7bcb001c48a67d4c9d6e70e92473ebd85b30585
SHA256 d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2
SHA512 6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

memory/2544-197-0x0000000000180000-0x0000000000182000-memory.dmp

memory/2764-192-0x00000000039C0000-0x00000000039C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Latest\setup.exe

MD5 5790a04f78c61c3caea7ddd6f01829d2
SHA1 9d783d964338a5378280dd3c3b72519d11f73ffa
SHA256 726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606
SHA512 9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

MD5 fc9840fcaa2e5fff1ef9e6ae0a4d3e21
SHA1 f2a36b01e398f8f9b88cfc20af192ea261f3e13b
SHA256 1f45d393032b375fbc42b2620f2e3b74644454ce9929183dc44de4da7c21efe2
SHA512 38e4dc995a640492b3c150f43fd5af3607b771a4405d34ef117269caf2ca9d79ba6198eb85d7d8f08f5ba10ff5dad88993b80c7402fbd118dd9e021bd3634e13

\Users\Admin\AppData\Local\Temp\MainInstaller.exe

MD5 67f3af0f873bda19ae62300b5eee1d95
SHA1 9bdad86b7517c87757a159bdf36b7cead3410227
SHA256 44304e2706f1e7f3c6820182e81ab90aec8cf7d8546cc42a6313d8a004d33ba5
SHA512 de6450021a383de4850b86714d844e5d804fed9ace6478ee79929a57018dcbb4f67753d325d385b3b3077898f5e48043aefac7908ac61b8fc717d4ff70c8108d

\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 0d5d22387d4d22dabde00eb87ebdb792
SHA1 2de7fc3b849b17fe20d2fda0c9a168e29af7e951
SHA256 e7a1faed0775f8586644cf342f4863657aea2c3f39d669d11457beec6f937a0c
SHA512 57ac1377d9f2cebf393ae8e848b0a734c1ad1a301564e11f20a3d970be90982846576361b1d2be4234d2ce31b3fce674b59b4a6e7835ad10b3309bdca875143c

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 51aa79fb2ac192889e5a2825bc47bae3
SHA1 f15f934301c799ab36ab165fcd7214de8e746c81
SHA256 d244cf3c085edaeff07066f5c728b2398f5852417276f5db8a9d1cf26bbcff8d
SHA512 cd79c5bcefb3dc6d77aeda3c449567eeba54dd3955b5a3ce4d9f38ee24082077b597490492821f60f89fed7f124f51e55570665519a30bd9a1f499a8b24df583

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 dda73d73e8749954417b6a044da7220e
SHA1 c3e994474cef173dba2f374fa6a219bd3b3c77c2
SHA256 32de84128155461df018a1e2892f9f82fa78880376f67a51a488e3f2196d8639
SHA512 1e25e7cf4ec11d746f2b3f2d660611b600d6ba88c455fe9d25fc68e2cffdea2fad9f15747877e1179f2ee66d2e43a75b901ebcbb91711f5aaa22538e7b6ff13a

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

MD5 2ef66adf0887fb8211c35de947e5164b
SHA1 ca68972aeac125d1e6fc854250bb170432264233
SHA256 693991289d3624741a77a4606f941c04100b1376ee317b49c7cee5ea1cd92ab3
SHA512 5133417b034054a10cff98b7f029b2f6f2c9dc2887787705157ce408eab45d3f4024609e83a46488b67700629a3243790e7d5d0f56df982848e372336fbebd73

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

MD5 991cd458830ae2008be0c2d8e26c8bd0
SHA1 d519a7ffd8360a47450e60b7d665e666d9df89bc
SHA256 f2ecda9fb1b201d9a120c5906c6b0983205e4858ecea0065499841cf4047eb71
SHA512 e45ce313823e43726418378920c367a4957b2806ee8070d0f4acf63fd1fa893577fbe91fc859c81bd8d6984ca1c0fe9ef0b32200c79106a3f7dcff0b8efdb4aa

memory/3048-245-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

memory/3048-246-0x0000000002090000-0x0000000002110000-memory.dmp

memory/1620-248-0x0000000000B10000-0x0000000000B90000-memory.dmp

memory/3048-247-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

memory/1620-249-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\Latest\kstp.txt

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\17CAEF4D-BAB0-7891-B151-D2661E7D56D4\BabyTBConf.ini

MD5 4eca81aba515d5d3042ca0c4ac0e76f3
SHA1 9b0284290248ac9236c53cc81ac8853e65063df7
SHA256 101ae6aa1c69446975fae3f4e72562190223a5526efcaf3940dab873adf5bbc3
SHA512 1e27efde5257d911fad1e66860efab978e8e5c4080ee7bcdc85b6cd25a00ebcc92640802de201d90fc1369fbaedaf0ee19878a350fca9721af60222f731ab612

memory/2764-199-0x0000000060900000-0x0000000060970000-memory.dmp

memory/1620-250-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

memory/3048-251-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3640 wrote to memory of 372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3640 wrote to memory of 372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3640 wrote to memory of 372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 372 -ip 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3440 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3440 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3440 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp

Files

memory/3732-0-0x0000000000270000-0x0000000000284000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1108 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1108 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1108 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1108 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1108 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1108 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1108 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=1

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 5d8d0c08384ad73216d52a2eabc064f5
SHA1 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc
SHA256 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce
SHA512 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57

C:\Users\Admin\AppData\Local\Temp\nst3A82.tmp\ioSpecial.ini

MD5 0425c6de1e37002a274d15e6a43d37a6
SHA1 6f7bd3725d0e1cf4be43631c1cd39608842b4eac
SHA256 6ff53a647ee3e315d57b2a79f882f11e86379b979c37828d33d7125a87d24766
SHA512 9294e10ad735706cdbd5d10d68ac9108f8a393e1b71e376e9624e18e4370d8470e20e88e7c2dcbc5bbd1625997f41313944005e1790645fb82067d15ede95a7e

\Users\Admin\AppData\Local\Temp\nst3A82.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Analysis: behavioral18

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:50

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=1

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 5d8d0c08384ad73216d52a2eabc064f5
SHA1 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc
SHA256 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce
SHA512 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57

C:\Users\Admin\AppData\Local\Temp\nsnBF4A.tmp\ioSpecial.ini

MD5 4fa16a921ba6832a1445776615385066
SHA1 676bf65fd355e3e5ced8e7254db0a8de01be4d5e
SHA256 61bf7888565d2250b1d8488f442f91af997f060686a08ad942de46c16850bbbb
SHA512 2bfa2dbf0161338ecd61de19e1b077029dc97645086d651dda837c15c92a95852dd507a7fb872df6024fd83b6fdc9c24dbe8e76a0b729f27dd855b71b6ac7fb7

C:\Users\Admin\AppData\Local\Temp\nsnBF4A.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Analysis: behavioral21

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsy6681.tmp\ioSpecial.ini

MD5 60414c90f6b94b987a6ddcb737ebc37e
SHA1 2ed7147d4ae1ecc44d73b29408ceb2dbfe57bbd1
SHA256 097d1268d993d7a4309c84880e644ecd8d76abdbd0bb1c879161379af71e0236
SHA512 447ee8a00cb220d8fb98869d97ee2fe99e74910bd1d3e4707e1bfb9384ef470a90a6154c9552b9e59f6939ada916d414350e5faa0a6215e0973a60d536155966

\Users\Admin\AppData\Local\Temp\nsy6681.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Analysis: behavioral28

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231215-en

Max time kernel

132s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 2840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4492 wrote to memory of 2840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4492 wrote to memory of 2840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2840 -ip 2840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3344 wrote to memory of 3600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3344 wrote to memory of 3600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3344 wrote to memory of 3600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3600 -ip 3600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 224

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 244

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231222-en

Max time kernel

143s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\yourface.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yourface.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\2YourFace\bho.dll C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\install.rdf C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\FF8Installer.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\2YourFace.crx C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\uninst.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=4ef744130000000000006a4e6723ab77" C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=4ef744130000000000006a4e6723ab77" C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a235703030b5757735d432357535d134b37135d47174b575d53632317234b2727372353e35a06010101edc8afcf0120380c3e C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingMe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingMe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2064 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2064 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 1528 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe
PID 1528 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe
PID 1528 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe
PID 2064 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2064 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2064 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 4424 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4424 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4424 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4424 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 4424 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2064 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2064 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\yourface.exe

"C:\Users\Admin\AppData\Local\Temp\yourface.exe"

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CF60F4~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CF60F4~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 info.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 235.27.154.184.in-addr.arpa udp
US 8.8.8.8:53 232.27.154.184.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 www.outbrowse.com udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:443 www.outbrowse.com tcp
US 13.248.169.48:443 www.outbrowse.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsv494E.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

MD5 3d91ecdbb3404485702fb92b26b17d90
SHA1 5dfc514a7a1e037683fed57029f49fa6c6f04dbf
SHA256 588b7896a3712043efd9789e8bd2de35d2bcc082344f2d2cb7a90cfadc66b6d9
SHA512 1cc40cfa7328eb251f9cc5bc4c5ba695e213c8efda94e8ef23cfc7786a561c8298c05b39fbbbcfccc90eaf3a18090f1d6fd4ecc405795565fdb8790c9b2093d3

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe

MD5 0e56ecfd0d6d1d5ea164c844c1878c99
SHA1 6cfc72735f2bdce4d465cd0334d99ad804489762
SHA256 95f0f598952f9f68176a35597a5ee8a9011b9c69a5129d487389396d61439cb2
SHA512 2eaedd660f9291e2543e5a434b0703aa477e38812501a9359b3fbe67a4b24e07db576f02e393e3447e8b3ee2c5c89ff9cde94f2a14c7d704b850d1be4768b1b6

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Setup.exe

MD5 69ac77c9cd4b1874664b457220b2da23
SHA1 c906b4a6f539b70bd8579fad9d3ac4d841262f4d
SHA256 e71f502cb1eaaf13bcdf657683b5300a0c7f2aa0d738cb855a0a18282b283525
SHA512 ba3ff353edb0171e53274c39ea6b1925f3080a79d19b6a50579a7af04edb43fe1673fce054d5a4d4389968d68450bf908aaec503124cc412b7128d9b3e30c041

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\SetupStrings.dat

MD5 07bb1523dc51ec1fd5913b0a70ab98ee
SHA1 216f853cb251f32f5c91345404efd48f041ad5bd
SHA256 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2
SHA512 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\bab091.norecovericon.dat

MD5 4f6e1fdbef102cdbd379fdac550b9f48
SHA1 5da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256 e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA512 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\bab033.tbinst.dat

MD5 1ee8c638e49ee7137607722768afc5a2
SHA1 8719d7a498a49b042cd6fc411cac6c44f3c0f43a
SHA256 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e
SHA512 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\Babylon.dat

MD5 adbb6a655ae518830ba1afefdb84668f
SHA1 a1be53d99a67fff011ea035c310588e635c718e1
SHA256 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c
SHA512 b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\IECookieLow.dll

MD5 5a27c8702510d0b6c698163053fde6d1
SHA1 69fdc602a51e52c603f23a80e9b087c262dce940
SHA256 ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437
SHA512 ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\BExternal.dll

MD5 743acbf54eb091066be6ab3cb12c5988
SHA1 43a205985790c47a7e611fa2d3cab9b4eb59121f
SHA256 fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0
SHA512 014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\sign

MD5 73dbc500e121b83ec57bb2563203259a
SHA1 658adac13fc362f5292cbbda19ade1d228ff7901
SHA256 9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878
SHA512 c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\blueStar.png

MD5 a7fcdf142648bac756fcfe06a31f42e4
SHA1 4df99b119c183c821ed1bf0f825536318c9c3353
SHA256 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22
SHA512 ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\eula.html

MD5 1b73a781f7f5b0d61624bd97050a2ed0
SHA1 01b848625761d5dede115e8599e4c72f126f8a3c
SHA256 f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5
SHA512 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\globe.png

MD5 cc53fb9e9456eb79479151090cb16cbd
SHA1 e61004bf729757f3f225f77f0236b82518f68662
SHA256 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42
SHA512 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\page3.html

MD5 b23c25988099403433efb7fb64715676
SHA1 e833527e1c021b311286e6e2d1c2f0530be0a565
SHA256 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c
SHA512 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\page3.css

MD5 07784ad77f30fa018949e412b2257aab
SHA1 8595c222a3741bfa83c5a4d982c845c8038062a6
SHA256 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf
SHA512 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\page2Lrg.css

MD5 db15b568f9d195635b3fcab87ef6293f
SHA1 6ae0f374531cb3013857880e8469a103492b8393
SHA256 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d
SHA512 a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\page2.html

MD5 12152ded3604e8baaf82c078f8034d60
SHA1 0867dec241a257e3e9ad9e8d20b9e06e3bce7184
SHA256 abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485
SHA512 a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\page2.css

MD5 085cf46c4d1c8dea9edd79ee37d6d5bd
SHA1 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45
SHA256 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d
SHA512 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\page0.html

MD5 cf33120dd42cee842d96532843bb1961
SHA1 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf
SHA256 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f
SHA512 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\options.js

MD5 771f230f8bbc96a03b13976667918f1f
SHA1 0fba422c76b89cdb5d12e657064c49a9b1b7abae
SHA256 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252
SHA512 b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\toolBar.jpg

MD5 56dc3cb42b46309e642c15167003685d
SHA1 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d
SHA256 bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1
SHA512 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\title.png

MD5 12ef76069cc40b8ad478d9091915ded6
SHA1 fabad560b6e6839f9e5ae1268695d11ca35f9d74
SHA256 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c
SHA512 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\setup.js

MD5 a95607ce49fa0af8ed7a3f5667c3eb31
SHA1 5e4b5a30e56c42329afdf216625bf35be69a82aa
SHA256 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c
SHA512 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\progress.png

MD5 dee08d8cbcdeb8013adf28ecf150aaf3
SHA1 c61cd9b1bd0127244b9d311f493fc514aa5c08d6
SHA256 eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5
SHA512 c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\HtmlScreens\page3Lrg.css

MD5 b3520c555c46a7020d8f27bfe81df0ca
SHA1 59398086abe3987c2a91edacb74eca94bbd63d7d
SHA256 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6
SHA512 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5

memory/1936-118-0x0000000060900000-0x0000000060970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF60F4CC-BAB0-7891-9969-2CB1A94FB27E\BabyTBConf.ini

MD5 a3db9076b8d74a7a3649826acf72bbb5
SHA1 0dc16df6f90b4ba784c6ca76e08e3fddcb852177
SHA256 9f8aa6ffebd4186329850a9a7fbc8cfa3b0373457464a1c526386ffa90a8d007
SHA512 43c06357f99d7029486df0a9b1f49ea00a0532c0c2563ae2bac605ba038b15ce45a09c5ff62a4df2aab7c84bd6a38178bf23d0a4a0bee3479f1dc1d9436abd5e

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

MD5 9ce448dcd7cf13dd950725957361bdff
SHA1 5831ff31825ea82d90a2989e0fc0a33b859d5f97
SHA256 3dbc5aff076ef9c86a90ad30e963581f7cb22f8e212aa38db29d82cf45b73f80
SHA512 b4a175da3677cd3380cb3789f281f2afb10aa00dc9592217062d66eb9b5e73805886b692975d7244cdd439d8d5bcd0eb5810533284ba4b13ff02a20b792bf74f

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 5d8d0c08384ad73216d52a2eabc064f5
SHA1 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc
SHA256 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce
SHA512 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

MD5 991cd458830ae2008be0c2d8e26c8bd0
SHA1 d519a7ffd8360a47450e60b7d665e666d9df89bc
SHA256 f2ecda9fb1b201d9a120c5906c6b0983205e4858ecea0065499841cf4047eb71
SHA512 e45ce313823e43726418378920c367a4957b2806ee8070d0f4acf63fd1fa893577fbe91fc859c81bd8d6984ca1c0fe9ef0b32200c79106a3f7dcff0b8efdb4aa

memory/1308-165-0x00007FF86BE30000-0x00007FF86C7D1000-memory.dmp

memory/1308-166-0x000000001BBE0000-0x000000001C0AE000-memory.dmp

memory/1308-167-0x00007FF86BE30000-0x00007FF86C7D1000-memory.dmp

memory/2212-168-0x00007FF86BE30000-0x00007FF86C7D1000-memory.dmp

memory/2212-169-0x0000000001960000-0x0000000001970000-memory.dmp

memory/2212-170-0x00007FF86BE30000-0x00007FF86C7D1000-memory.dmp

memory/2212-172-0x00007FF86BE30000-0x00007FF86C7D1000-memory.dmp

memory/1308-173-0x00007FF86BE30000-0x00007FF86C7D1000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231222-en

Max time kernel

92s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1440 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1440 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1440 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 203.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Network

N/A

Files

memory/2656-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2656-1-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 228

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:50

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
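Every Network table in this report is dominated by reverse-DNS (in-addr.arpa) queries to 8.8.8.8:53, and this run is the only one that also shows a direct flow, PingMe.exe to 138.91.171.81:80 over tcp. The script below is an added example, written for this page and not part of the report or of the sandbox's own tooling. It parses the rows exactly as printed (Country, Destination, Domain, Proto, with Domain blank for the tcp row), turns each PTR name back into the IPv4 address it refers to, and separates lookups that name a peer the guest actually connected to from lookups with no matching flow. Whether the PTR-only addresses come from Windows background traffic or from the sample is not something the table alone can settle, so the script reports them rather than labelling them. The sample input is copied from the table above; all function names are the example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the Network table of behavioral20 as printed in this
# report (columns: Country Destination Domain Proto; Domain is blank for the
# direct TCP row).
NETWORK_TABLE = """
US 138.91.171.81:80 tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def parse_network_rows(text):
    """Parse the four printed columns; the Domain column may be absent."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                         "domain": m["domain"] or "", "proto": m["proto"]})
    return rows


def ptr_name_to_ip(name):
    """'81.171.91.138.in-addr.arpa' -> '138.91.171.81'; None if the name is not
    a valid IPv4 reverse name (octets appear least-significant first)."""
    n = name.lower().rstrip(".")
    suffix = ".in-addr.arpa"
    if not n.endswith(suffix):
        return None
    octets = n[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def split_traffic(rows):
    """Reverse lookups sent to the resolver go to one list; everything else
    (direct flows and any forward DNS queries) is kept as a flow."""
    direct, ptr_ips = [], []
    for r in rows:
        ip = ptr_name_to_ip(r["domain"]) if r["domain"] else None
        if ip is not None and r["port"] == 53:
            ptr_ips.append(ip)
        else:
            direct.append((r["ip"], r["port"], r["proto"]))
    return direct, ptr_ips


def correlate(rows):
    """Which reverse lookups name a peer the guest actually connected to."""
    direct, ptr_ips = split_traffic(rows)
    direct_peers = {ip for ip, _, _ in direct}
    looked_up = Counter(ptr_ips)
    return {
        "direct": direct,
        "ptr_lookups": sum(looked_up.values()),
        "ptr_for_direct_peers": sorted(direct_peers & set(looked_up)),
        "ptr_only": sorted(set(looked_up) - direct_peers),
    }


if __name__ == "__main__":
    result = correlate(parse_network_rows(NETWORK_TABLE))
    print("direct flows:", result["direct"])
    print("PTR lookups:", result["ptr_lookups"],
          "of which for direct peers:", result["ptr_for_direct_peers"])
    print("PTR-only addresses:", result["ptr_only"])
```

On this table the only flow is 138.91.171.81:80, and the first PTR row (81.171.91.138.in-addr.arpa) is the reverse lookup of that same peer; the remaining twelve lookups have no flow in the table to pair with.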

Files

memory/1224-0-0x00007FFC9F070000-0x00007FFC9FA11000-memory.dmp

memory/1224-2-0x00007FFC9F070000-0x00007FFC9FA11000-memory.dmp

memory/1224-1-0x000000001BEE0000-0x000000001C3AE000-memory.dmp

memory/1224-3-0x0000000001260000-0x0000000001270000-memory.dmp

memory/1224-5-0x00007FFC9F070000-0x00007FFC9FA11000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231222-en

Max time kernel

136s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsv47C8.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsv47C8.tmp\ioSpecial.ini

MD5 c530a93f428773e35a41c28456ff27a3
SHA1 b8a22d0c47ba4639d57c1bad03171d0475691fb2
SHA256 ab72923553a1d025069eaf0c94cba6d40f42cf1bba610ee49a858b9eab7410e4
SHA512 8b8869e3f8bfdff9ce359a399bd60ffc9755b036933ea847232f379da1818de036b5731a698ea6706c56ef3749e827f1b30de34b61816b2c82ab27bad4ddf7f1

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:50

Platform

win10v2004-20231215-en

Max time kernel

137s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fc562f8ef3b09ecd7bc9e710e809564.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\8fc562f8ef3b09ecd7bc9e710e809564.exe

"C:\Users\Admin\AppData\Local\Temp\8fc562f8ef3b09ecd7bc9e710e809564.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsdDA06.tmp\tools.dll

MD5 e12f05661436f2974cf91b5fc76fb5f4
SHA1 5e0b7887950204713bef3da0018911279f2540ec
SHA256 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc
SHA512 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d

memory/2784-19-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-20-0x0000000073E00000-0x00000000743B1000-memory.dmp

memory/2784-21-0x0000000073E00000-0x00000000743B1000-memory.dmp

memory/2784-25-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-27-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-29-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-30-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-31-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-32-0x0000000073E00000-0x00000000743B1000-memory.dmp

memory/2784-33-0x0000000073E00000-0x00000000743B1000-memory.dmp

memory/2784-34-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-35-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-36-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-37-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-38-0x0000000003320000-0x0000000003330000-memory.dmp

memory/2784-39-0x0000000003320000-0x0000000003330000-memory.dmp
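The memory dump names listed under Files encode the PID, a sequence number and the start and end address of the dumped region. The Python below is an added example (an editor's helper, not the sandbox's own tooling) that parses that naming scheme for the dumps of behavioral20 (PID 1224) and of this run (PID 2784), counts how often each region was dumped, computes region sizes, and notes when a region lies above 4 GiB, which only a 64-bit process can map; a region below 4 GiB on its own says nothing about bitness, so the script does not call such a process 32-bit. The name layout is inferred from the entries as printed above, the sample input is copied from those entries, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the memory dump names listed under Files for
# behavioral20 (PID 1224) and behavioral2 (PID 2784) in this report.
DUMP_NAMES = """
memory/1224-0-0x00007FFC9F070000-0x00007FFC9FA11000-memory.dmp
memory/1224-2-0x00007FFC9F070000-0x00007FFC9FA11000-memory.dmp
memory/1224-1-0x000000001BEE0000-0x000000001C3AE000-memory.dmp
memory/1224-3-0x0000000001260000-0x0000000001270000-memory.dmp
memory/1224-5-0x00007FFC9F070000-0x00007FFC9FA11000-memory.dmp
memory/2784-19-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-20-0x0000000073E00000-0x00000000743B1000-memory.dmp
memory/2784-21-0x0000000073E00000-0x00000000743B1000-memory.dmp
memory/2784-25-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-27-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-29-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-30-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-31-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-32-0x0000000073E00000-0x00000000743B1000-memory.dmp
memory/2784-33-0x0000000073E00000-0x00000000743B1000-memory.dmp
memory/2784-34-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-35-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-36-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-37-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-38-0x0000000003320000-0x0000000003330000-memory.dmp
memory/2784-39-0x0000000003320000-0x0000000003330000-memory.dmp
"""

# Layout inferred from the printed names: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Return pid, seq, start, end and size for one dump name, or None."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    pid, seq = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    if end <= start:
        return None
    return {"pid": pid, "seq": seq, "start": start, "end": end,
            "size": end - start}


def summarize(text):
    """Group dumps per PID: how often each region was dumped, the largest
    region, and whether any region starts above 4 GiB (64-bit only)."""
    per_pid = {}
    for line in text.splitlines():
        d = parse_dump_name(line)
        if d is None:
            continue
        p = per_pid.setdefault(d["pid"], {"dumps": 0,
                                          "regions": defaultdict(int),
                                          "confirmed_64bit": False,
                                          "largest": 0})
        p["dumps"] += 1
        p["regions"][(d["start"], d["end"])] += 1
        p["largest"] = max(p["largest"], d["size"])
        if d["start"] >= 1 << 32:
            p["confirmed_64bit"] = True
    return per_pid


def describe(per_pid):
    """Human-readable summary, one line per PID and one per region."""
    lines = []
    for pid, p in sorted(per_pid.items()):
        arch = "64-bit" if p["confirmed_64bit"] else "bitness not determinable"
        lines.append(f"PID {pid}: {p['dumps']} dumps, "
                     f"{len(p['regions'])} regions, {arch}")
        for (s, e), n in sorted(p["regions"].items()):
            lines.append(f"  0x{s:016X}-0x{e:016X}  {e - s:>10,} bytes  x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(summarize(DUMP_NAMES)))
```

For this run the sixteen entries collapse to two regions: a 64 KiB region at 0x3320000 dumped twelve times and a region of about 5.7 MiB at 0x73E00000 dumped four times; PID 1224 from behavioral20 is confirmed 64-bit by its 0x00007FFC9F070000 region.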

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3512 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3512 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 4216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4468 wrote to memory of 4216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4468 wrote to memory of 4216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3700 wrote to memory of 1252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3700 wrote to memory of 1252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3700 wrote to memory of 1252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1252 -ip 1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 612
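The "Suspicious use of WriteProcessMemory" rows in behavioral25, behavioral4, behavioral12 and this run all have the same shape: the native rundll32.exe in System32 writing into a rundll32.exe it started from SysWOW64, with both processes carrying the same command line, and in behavioral12 and here the SysWOW64 copy is the one WerFault.exe is later launched for. The Python below is an added example written for this page, not output of the sandbox and not a detection the report ships. It parses those signature rows together with the process command lines, collapses the repeated rows into one finding per writer/target pair, and records whether the written-to process is the one that crashed. It rests on an interpretation the report does not state: that the native rundll32 relaunches its 32-bit twin because the DLL it was given is 32-bit, and that the writes are the parent's own process-creation writes into that child rather than injection into a foreign process. The sample input is copied from this run; names such as `triage` and `Write` are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input, copied from the behavioral32 run in this report:
# the "Suspicious use of WriteProcessMemory" rows and the process command lines.
WPM_ROWS = r"""
PID 3700 wrote to memory of 1252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3700 wrote to memory of 1252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3700 wrote to memory of 1252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
"""

PROCESS_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1252 -ip 1252",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 612",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
# WerFault's "-p <pid>" names the crashed process; "-pss" must not match as "-p".
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)")


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    process: str
    target: str


def parse_wpm_rows(text):
    """Parse 'PID A wrote to memory of B <indicator> <process> <target>' rows."""
    writes = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            writes.append(Write(int(m[1]), int(m[2]), m[3], m[4]))
    return writes


def is_wow64_rundll32_handoff(w):
    """True when the 64-bit rundll32 (System32) is the writer and the 32-bit
    rundll32 (SysWOW64) is the target.  Interpretation, not a fact from the
    report: the native rundll32 relaunches its 32-bit twin to host a 32-bit
    DLL and writes into the child it just created."""
    return (w.process.lower().endswith(r"\system32\rundll32.exe")
            and w.target.lower().endswith(r"\syswow64\rundll32.exe"))


def crashed_pids(cmdlines):
    """PIDs that WerFault.exe was invoked for (its -p argument)."""
    pids = set()
    for c in cmdlines:
        m = WERFAULT_PID_RE.search(c)
        if m:
            pids.add(int(m[1]))
    return pids


def triage(wpm_text, cmdlines):
    """One finding per (writer, target) pair, with the repeated rows counted
    and a note on whether the written-to process later crashed."""
    crashed = crashed_pids(cmdlines)
    pairs = {}
    for w in parse_wpm_rows(wpm_text):
        e = pairs.setdefault((w.src_pid, w.dst_pid),
                             {"writes": 0, "handoff": False})
        e["writes"] += 1
        e["handoff"] = e["handoff"] or is_wow64_rundll32_handoff(w)
    findings = []
    for (src, dst), e in pairs.items():
        findings.append({
            "writer": src,
            "written": dst,
            "writes": e["writes"],
            "verdict": ("expected: native rundll32 handing a 32-bit DLL to "
                        "SysWOW64\\rundll32.exe" if e["handoff"]
                        else "review: cross-process write"),
            "written_process_crashed": dst in crashed,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(WPM_ROWS, PROCESS_CMDLINES):
        print(finding)
```

For this run the three rows reduce to a single finding: PID 3700 (System32 rundll32) wrote three times into PID 1252 (SysWOW64 rundll32), and 1252 is the PID both WerFault invocations name, so the crash happened in the 32-bit host that loaded 2YourFace_Util.dll, not in the parent.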

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-02-04 17:47

Reported

2024-02-04 17:49

Platform

win7-20231215-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Network

N/A

Files

memory/1060-0-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

memory/1060-1-0x0000000000BA0000-0x0000000000C20000-memory.dmp

memory/1060-2-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp