Malware Analysis Report

2025-01-18 21:28

Sample ID 240321-tw61xsfd63
Target dc14aa6eed5fa5bc83640fc9a9343ac3
SHA256 6e0f34bc46ee510f405902e7c098c1832f3503cfeae48b5133db2bfa2dfb55c6
Tags
upx adware discovery evasion spyware stealer trojan
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6e0f34bc46ee510f405902e7c098c1832f3503cfeae48b5133db2bfa2dfb55c6

Threat Level: Shows suspicious behavior

The file dc14aa6eed5fa5bc83640fc9a9343ac3 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx adware discovery evasion spyware stealer trojan

Reads user/profile data of web browsers

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Checks whether UAC is enabled

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer start page

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 16:25

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc14aa6eed5fa5bc83640fc9a9343ac3.exe"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dc14aa6eed5fa5bc83640fc9a9343ac3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc14aa6eed5fa5bc83640fc9a9343ac3.exe

"C:\Users\Admin\AppData\Local\Temp\dc14aa6eed5fa5bc83640fc9a9343ac3.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy1354.tmp\tools.dll

MD5 e12f05661436f2974cf91b5fc76fb5f4
SHA1 5e0b7887950204713bef3da0018911279f2540ec
SHA256 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc
SHA512 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d

memory/2364-19-0x00000000038C0000-0x0000000003900000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy1354.tmp\tools.dll

MD5 7b7c761c466b2d940ed2cf0253f4f6cb
SHA1 0d38ac030c2642ee31ed2fd1bc8ef4d6e0079de0
SHA256 cbbeeb4415178948f71dccd02072276366f6ab828f85f417c262002999185e8c
SHA512 f6481e7003b170694a3dc734f4f7c8d8fad87d03afeb014887172f2f327702eefb970f1fd420881f749763f9312853c0dbbe220b1a8dab5eec090c7883bb5d48

\Users\Admin\AppData\Local\Temp\nsy1354.tmp\tools.dll

MD5 dff9b875140e78ac2fb0eaee596b45de
SHA1 0239101321f2c5e341b9aa2141c251e38a9cdabd
SHA256 0d4e99704376a6f60e54dd1e217bf61defd4d227c8ec3ae7947582a89da5d164
SHA512 70bfca028361f52c39aa706302436f47ba83031ac1eca56245354c3f91b93d6af50afebe0346c284edffaf8392aef277da5bcadacb90c9730105270348b68fdf

memory/2364-23-0x0000000073FB0000-0x000000007455B000-memory.dmp

memory/2364-24-0x0000000073FB0000-0x000000007455B000-memory.dmp

memory/2364-25-0x00000000038C0000-0x0000000003900000-memory.dmp

memory/2364-29-0x00000000063D0000-0x00000000064D0000-memory.dmp

memory/2364-28-0x00000000063D0000-0x00000000064D0000-memory.dmp

memory/2364-30-0x00000000063D0000-0x00000000064D0000-memory.dmp

memory/2364-41-0x00000000038C0000-0x0000000003900000-memory.dmp

memory/2364-42-0x0000000073FB0000-0x000000007455B000-memory.dmp

memory/2364-43-0x00000000063D0000-0x00000000064D0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:29

Platform

win7-20240221-en

Max time kernel

120s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2472 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2472 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2472 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2472 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2472 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2472 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2472 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240319-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

"C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe"

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2132,i,4018525042804461719,1997165676266557055,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsrF0AA.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

MD5 ff0198fd1f59b71c1deec34b6b0b0c07
SHA1 cae622ad91a3bab0996589e3bf905c9d4eeb6059
SHA256 f552d818f17841efb7f06803ecd2479fe5c9b2a0d3c4dad2c9d90b42e2e9d7d5
SHA512 96795276eefcde81b0ad4ac85f4aaec368cb93bd9e9912c343316912f1502f3a22d845af3ba75ea5aa92b1936028558d48c11a77d331d49bd77f58b886868ccc

C:\Users\Admin\AppData\Local\Temp\nscF1D3.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nscF1D3.tmp\ioSpecial.ini

MD5 f1352feaf0f4e62ee471768f662d90c1
SHA1 e244e0b705524ace3ede07f7866d0b88dee1e1e9
SHA256 bd5dcf82d608d12e4ef14ffbfbe86c275dddcd292e256617d5ff4d9d2e772a6e
SHA512 5f1893745fa04c158d3f0d693b4ebcbab6b9e5b3169c4e7186888ea8c99494b88e01b3e46e1b3731da5dd7cc034f27e412543d3dce1b8750d892adbd6ad1cfb1

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5108 wrote to memory of 5004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5108 wrote to memory of 5004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5108 wrote to memory of 5004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5004 -ip 5004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 184.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 128.227.79.178.in-addr.arpa udp
US 8.8.8.8:53 64.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3108 wrote to memory of 1416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3108 wrote to memory of 1416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3108 wrote to memory of 1416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:29

Platform

win7-20240221-en

Max time kernel

121s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 228

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 1832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 1832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 1832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 228

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc14aa6eed5fa5bc83640fc9a9343ac3.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\dc14aa6eed5fa5bc83640fc9a9343ac3.exe

"C:\Users\Admin\AppData\Local\Temp\dc14aa6eed5fa5bc83640fc9a9343ac3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 191.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.227.79.178.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 195.98.74.40.in-addr.arpa udp
GB 96.17.178.187:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nse3848.tmp\tools.dll

MD5 e12f05661436f2974cf91b5fc76fb5f4
SHA1 5e0b7887950204713bef3da0018911279f2540ec
SHA256 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc
SHA512 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d

memory/3740-19-0x0000000003190000-0x00000000031A0000-memory.dmp

memory/3740-23-0x0000000074B50000-0x0000000075101000-memory.dmp

memory/3740-24-0x0000000003190000-0x00000000031A0000-memory.dmp

memory/3740-26-0x0000000074B50000-0x0000000075101000-memory.dmp

memory/3740-27-0x0000000003190000-0x00000000031A0000-memory.dmp

memory/3740-29-0x0000000003190000-0x00000000031A0000-memory.dmp

memory/3740-30-0x0000000003190000-0x00000000031A0000-memory.dmp

memory/3740-31-0x0000000003190000-0x00000000031A0000-memory.dmp

memory/3740-32-0x0000000074B50000-0x0000000075101000-memory.dmp

memory/3740-33-0x0000000003190000-0x00000000031A0000-memory.dmp

memory/3740-34-0x0000000003190000-0x00000000031A0000-memory.dmp

memory/3740-35-0x0000000003190000-0x00000000031A0000-memory.dmp

memory/3740-36-0x0000000003190000-0x00000000031A0000-memory.dmp

memory/3740-37-0x0000000003190000-0x00000000031A0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240221-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 228

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 492 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 492 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 492 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 492 -ip 492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 216.58.201.106:443 tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3736 wrote to memory of 836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3736 wrote to memory of 836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3736 wrote to memory of 836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 836 -ip 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 64.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
GB 88.221.134.64:80 tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 1552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4844 wrote to memory of 1552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4844 wrote to memory of 1552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1552 -ip 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 188.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 184.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

"C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nst376C.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nst376C.tmp\ioSpecial.ini

MD5 f2c2ea1519e8417888354705b84332e1
SHA1 98e1146b1d90deb833d0c6d91aa8d8e2d029d6b2
SHA256 306af93c173dab1e01879427fa345133a23b0dc08c81c4ca5adff139bc87bd52
SHA512 222e79f9ef8e7ac6a31f3eae51bfa262c0bb13fa7e7d1677b7e9a2be308daeaf16ad84c8c5f1198453575b3bb0dd4af1add972e6696fd0eabaf181c9a3bbe73e

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240220-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 220

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20231129-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240319-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4440 wrote to memory of 712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4440 wrote to memory of 712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 712 -ip 712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2276,i,5672504106535478802,17394903851940863593,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2YourFace_Updater.lnk C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D} C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=112042&babsrc=SP_ss&mntrId=280e06380000000000004a65e849a069" C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\AppName = "Updater.exe" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=112042&babsrc=HP_ss&mntrId=280e06380000000000004a65e849a069" C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433e39789c636262604903622146b36a035327434b7313275d2313570b5d134303735d4b205fd7c9d2d5d9dcc9d9c9d4d5d4a996414040c04762d909001ae00ba8 C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3536 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 3536 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 3536 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 4984 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe
PID 4984 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe
PID 4984 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe
PID 3536 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 3536 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 3536 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 1700 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 1700 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 1700 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 1700 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe
PID 1700 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe
PID 1700 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=112042" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe" /aflt=babsst /babTrack="affID=112042" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A0A74B~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A0A74B~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 info.babylon.com udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 232.27.154.184.in-addr.arpa udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 235.27.154.184.in-addr.arpa udp
US 8.8.8.8:53 www.outbrowse.com udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 11.134.221.88.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 197.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nss3549.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

MD5 3d91ecdbb3404485702fb92b26b17d90
SHA1 5dfc514a7a1e037683fed57029f49fa6c6f04dbf
SHA256 588b7896a3712043efd9789e8bd2de35d2bcc082344f2d2cb7a90cfadc66b6d9
SHA512 1cc40cfa7328eb251f9cc5bc4c5ba695e213c8efda94e8ef23cfc7786a561c8298c05b39fbbbcfccc90eaf3a18090f1d6fd4ecc405795565fdb8790c9b2093d3

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Setup.exe

MD5 14c2d4576d528ed76fada4f4fa1a5952
SHA1 3a9d7d4639b5eb8bec42df972c44493690eaadfc
SHA256 6e7425ace83127aa18a94927144f3d97870f7395606285606635c3ae591f1b52
SHA512 15c32a49946429e15ff8a8e4293d2ccccd160c43c24d3b6f9ccb0373f3dfb666e3c04c062feecc5dd6415f44c7230a09f0cc423aed601a121c2afec28d772558

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\Babylon.dat

MD5 adbb6a655ae518830ba1afefdb84668f
SHA1 a1be53d99a67fff011ea035c310588e635c718e1
SHA256 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c
SHA512 b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\SetupStrings.dat

MD5 07bb1523dc51ec1fd5913b0a70ab98ee
SHA1 216f853cb251f32f5c91345404efd48f041ad5bd
SHA256 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2
SHA512 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\bab091.norecovericon.dat

MD5 4f6e1fdbef102cdbd379fdac550b9f48
SHA1 5da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256 e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA512 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\bab033.tbinst.dat

MD5 1ee8c638e49ee7137607722768afc5a2
SHA1 8719d7a498a49b042cd6fc411cac6c44f3c0f43a
SHA256 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e
SHA512 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\IECookieLow.dll

MD5 5a27c8702510d0b6c698163053fde6d1
SHA1 69fdc602a51e52c603f23a80e9b087c262dce940
SHA256 ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437
SHA512 ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\sign

MD5 73dbc500e121b83ec57bb2563203259a
SHA1 658adac13fc362f5292cbbda19ade1d228ff7901
SHA256 9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878
SHA512 c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\blueStar.png

MD5 a7fcdf142648bac756fcfe06a31f42e4
SHA1 4df99b119c183c821ed1bf0f825536318c9c3353
SHA256 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22
SHA512 ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\setup.js

MD5 a95607ce49fa0af8ed7a3f5667c3eb31
SHA1 5e4b5a30e56c42329afdf216625bf35be69a82aa
SHA256 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c
SHA512 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\toolBar.jpg

MD5 56dc3cb42b46309e642c15167003685d
SHA1 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d
SHA256 bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1
SHA512 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\title.png

MD5 12ef76069cc40b8ad478d9091915ded6
SHA1 fabad560b6e6839f9e5ae1268695d11ca35f9d74
SHA256 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c
SHA512 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\progress.png

MD5 dee08d8cbcdeb8013adf28ecf150aaf3
SHA1 c61cd9b1bd0127244b9d311f493fc514aa5c08d6
SHA256 eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5
SHA512 c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\page3Lrg.css

MD5 b3520c555c46a7020d8f27bfe81df0ca
SHA1 59398086abe3987c2a91edacb74eca94bbd63d7d
SHA256 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6
SHA512 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\page3.html

MD5 b23c25988099403433efb7fb64715676
SHA1 e833527e1c021b311286e6e2d1c2f0530be0a565
SHA256 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c
SHA512 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\page3.css

MD5 07784ad77f30fa018949e412b2257aab
SHA1 8595c222a3741bfa83c5a4d982c845c8038062a6
SHA256 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf
SHA512 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\page2Lrg.css

MD5 db15b568f9d195635b3fcab87ef6293f
SHA1 6ae0f374531cb3013857880e8469a103492b8393
SHA256 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d
SHA512 a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\page2.html

MD5 12152ded3604e8baaf82c078f8034d60
SHA1 0867dec241a257e3e9ad9e8d20b9e06e3bce7184
SHA256 abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485
SHA512 a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\page2.css

MD5 085cf46c4d1c8dea9edd79ee37d6d5bd
SHA1 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45
SHA256 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d
SHA512 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\page0.html

MD5 cf33120dd42cee842d96532843bb1961
SHA1 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf
SHA256 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f
SHA512 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\options.js

MD5 771f230f8bbc96a03b13976667918f1f
SHA1 0fba422c76b89cdb5d12e657064c49a9b1b7abae
SHA256 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252
SHA512 b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\globe.png

MD5 cc53fb9e9456eb79479151090cb16cbd
SHA1 e61004bf729757f3f225f77f0236b82518f68662
SHA256 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42
SHA512 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\HtmlScreens\eula.html

MD5 1b73a781f7f5b0d61624bd97050a2ed0
SHA1 01b848625761d5dede115e8599e4c72f126f8a3c
SHA256 f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5
SHA512 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\BExternal.dll

MD5 743acbf54eb091066be6ab3cb12c5988
SHA1 43a205985790c47a7e611fa2d3cab9b4eb59121f
SHA256 fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0
SHA512 014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689

memory/4100-120-0x0000000060900000-0x0000000060970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A0A74B6B-BAB0-7891-876B-6AF52029ABDD\BabyTBConf.ini

MD5 a4645cbcae06583be8b5c4572510c487
SHA1 9d52cfb463c198ee0ccd3c1d31c527e3f2435994
SHA256 1ad918a127b84b7fff7a45fad882bd7b98aa4a4e8c3a740d2fecca2e650c6100
SHA512 518f08fb4658aea0a3cab5b395975e949a4d9a937901a338c4737eaf5ee9c4ae8e5615b96537a21b69b737b33d3dc471349e2965d80be344a33a1ae866b687e4

C:\Users\Admin\AppData\Local\Temp\nss3549.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

MD5 7fc6bc14a74dc69773587af10132d8c9
SHA1 9d98b268eaa7f4ad208bde39944fdb1ab201e076
SHA256 e288d49f6011dcd3f893e54ceafda9b6b491543966521c483064a7df43e5bdd2
SHA512 a738205fb26bf259e70b1cacfd10f9168d381778ef90a49847b8d332d93b471cbdcf6357a3d2dfb2e41a4666cba98dd9dc2867a20d472636e5fc8080cc073742

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

MD5 ff0198fd1f59b71c1deec34b6b0b0c07
SHA1 cae622ad91a3bab0996589e3bf905c9d4eeb6059
SHA256 f552d818f17841efb7f06803ecd2479fe5c9b2a0d3c4dad2c9d90b42e2e9d7d5
SHA512 96795276eefcde81b0ad4ac85f4aaec368cb93bd9e9912c343316912f1502f3a22d845af3ba75ea5aa92b1936028558d48c11a77d331d49bd77f58b886868ccc

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

MD5 2fef4da41b5f58e66d6de6b318bf3004
SHA1 66ef30ff290e8615cad27abb884cc8a2d250c3e7
SHA256 7c8472e322a87d039c22e8f48ab55107508898102b17a011222b2b0da9df4790
SHA512 8e6ee8e5660a10f227a9690822f278f393e865665c6d63d0a625241d58c6d48292964c3a30b594afca775de75d06604742925cb4fc42fd18c0cd14dd46cc9f1e

C:\Users\Admin\AppData\Local\Temp\nszB854.tmp\SimpleFC.dll

MD5 d38543fc9ae37d188a23e06ee11d3504
SHA1 174fe778f66db4a527fddf21b1c23e1bc1ceceeb
SHA256 72f33da081b8d579f437e7aa2ba8d9cb9602270b88093ff9411ac6316b52fc6e
SHA512 43d1874e5821d8e5530eaa34d42b76aa867528368779fadcfd2691825297accf04e94bd34867442a76c25d4729edefba9469de6500acfe6f665949f11878c54b

memory/3972-180-0x0000000002190000-0x00000000021C0000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

"C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\ioSpecial.ini

MD5 acd21ed02575df0c4b1aed2dd71a43dc
SHA1 c4d50cd8f4917b1c69f942d972341c6fa2a0c58c
SHA256 0fba7bce88f50bfea0298bed67e4a0ea5ac3d16dd17c83058a7157b65faf0746
SHA512 adda923f607b78176f81aabc8492e367557627364b78cd98e310e715840808f4a230d518e5cf0d5a0c4dc6480c89f3d2e6d0a8ed9875dc9c353acb0e7b1ed331

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20231129-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 224

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240221-en

Max time kernel

122s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 228

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:29

Platform

win10v2004-20240226-en

Max time kernel

176s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 4548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4816 wrote to memory of 4548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4816 wrote to memory of 4548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4548 -ip 4548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 612

Network

Country Destination Domain Proto
US 13.107.246.64:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 128.227.79.178.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
GB 96.17.178.174:80 tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

164s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 5008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4648 wrote to memory of 5008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4648 wrote to memory of 5008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5008 -ip 5008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 172.217.23.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.23.217.172.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 244

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:29

Platform

win7-20240221-en

Max time kernel

119s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 228

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

167s

Max time network

185s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 4592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1132 wrote to memory of 4592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1132 wrote to memory of 4592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240215-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2YourFace_Updater.lnk C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=112042&babsrc=SP_ss&mntrId=5cb4d1cb0000000000006600925e2846" C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}" C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000fda43adeb7c3f473f1ba80ada8c979a96300becefde1553185d3719b14bfd874000000000e8000000002000020000000cae50fcc592504a18630c8338446574dbb8c41cfd05cda3ab84c7b3cfea3311750000000b5ca327138066edea4b18da0c69c6102e5aa625ab029030e8f489ab2e3fb34d18ef1b9f0cc942b1072dac80bc8c8db5cb2ec4760e5c85be86f37e56455cb04f6aaf9c3cc5b5b7f4fe32d3c65609ec0eb400000001f9a6ed750e2e850b6b0dae0250458452ec3437c010854e4c0e64cbd8fd5167cc1c872b236bcb0b0e02b840f6fc3f0d624a460e0ac2a2a6a5be8fe471b7dfda5 C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D} C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\AppName = "Updater.exe" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=112042&babsrc=HP_ss&mntrId=5cb4d1cb0000000000006600925e2846" C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 43404039789c636262604903622146b36a53376367034363135d27370b235d135753535d474b43035d1763376753377347434b67c35a060101815339531f010020840c81 C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe
PID 1800 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1800 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1800 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1800 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1268 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 1268 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 1268 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 1268 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 1268 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 1268 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 1268 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 876 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 876 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 876 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 876 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 876 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 876 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 876 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 876 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe
PID 876 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe
PID 876 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe
PID 876 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe
PID 876 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe
PID 876 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe
PID 876 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=112042" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe" /aflt=babsst /babTrack="affID=112042" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0FC8B3~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0FC8B3~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 info.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 dl.babylon.com udp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 198.143.128.244:80 dl.babylon.com tcp
US 8.8.8.8:53 cs-g2-crl.thawte.com udp
SE 192.229.221.95:80 cs-g2-crl.thawte.com tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 www.outbrowse.com udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp

Files

\Users\Admin\AppData\Local\Temp\nso1009.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

MD5 3d91ecdbb3404485702fb92b26b17d90
SHA1 5dfc514a7a1e037683fed57029f49fa6c6f04dbf
SHA256 588b7896a3712043efd9789e8bd2de35d2bcc082344f2d2cb7a90cfadc66b6d9
SHA512 1cc40cfa7328eb251f9cc5bc4c5ba695e213c8efda94e8ef23cfc7786a561c8298c05b39fbbbcfccc90eaf3a18090f1d6fd4ecc405795565fdb8790c9b2093d3

\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Setup.exe

MD5 14c2d4576d528ed76fada4f4fa1a5952
SHA1 3a9d7d4639b5eb8bec42df972c44493690eaadfc
SHA256 6e7425ace83127aa18a94927144f3d97870f7395606285606635c3ae591f1b52
SHA512 15c32a49946429e15ff8a8e4293d2ccccd160c43c24d3b6f9ccb0373f3dfb666e3c04c062feecc5dd6415f44c7230a09f0cc423aed601a121c2afec28d772558

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\bab033.tbinst.dat

MD5 1ee8c638e49ee7137607722768afc5a2
SHA1 8719d7a498a49b042cd6fc411cac6c44f3c0f43a
SHA256 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e
SHA512 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\bab091.norecovericon.dat

MD5 4f6e1fdbef102cdbd379fdac550b9f48
SHA1 5da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256 e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA512 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\SetupStrings.dat

MD5 07bb1523dc51ec1fd5913b0a70ab98ee
SHA1 216f853cb251f32f5c91345404efd48f041ad5bd
SHA256 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2
SHA512 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Babylon.dat

MD5 adbb6a655ae518830ba1afefdb84668f
SHA1 a1be53d99a67fff011ea035c310588e635c718e1
SHA256 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c
SHA512 b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228

C:\Users\Admin\AppData\Local\Temp\0FC8B3~1\IECOOK~1.DLL

MD5 5a27c8702510d0b6c698163053fde6d1
SHA1 69fdc602a51e52c603f23a80e9b087c262dce940
SHA256 ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437
SHA512 ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51

memory/2596-50-0x0000000000420000-0x0000000000422000-memory.dmp

memory/1800-51-0x0000000000210000-0x0000000000212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\BExternal.dll

MD5 743acbf54eb091066be6ab3cb12c5988
SHA1 43a205985790c47a7e611fa2d3cab9b4eb59121f
SHA256 fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0
SHA512 014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\sign

MD5 73dbc500e121b83ec57bb2563203259a
SHA1 658adac13fc362f5292cbbda19ade1d228ff7901
SHA256 9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878
SHA512 c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\blueStar.png

MD5 a7fcdf142648bac756fcfe06a31f42e4
SHA1 4df99b119c183c821ed1bf0f825536318c9c3353
SHA256 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22
SHA512 ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\eula.html

MD5 1b73a781f7f5b0d61624bd97050a2ed0
SHA1 01b848625761d5dede115e8599e4c72f126f8a3c
SHA256 f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5
SHA512 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\globe.png

MD5 cc53fb9e9456eb79479151090cb16cbd
SHA1 e61004bf729757f3f225f77f0236b82518f68662
SHA256 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42
SHA512 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\options.js

MD5 771f230f8bbc96a03b13976667918f1f
SHA1 0fba422c76b89cdb5d12e657064c49a9b1b7abae
SHA256 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252
SHA512 b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\page0.html

MD5 cf33120dd42cee842d96532843bb1961
SHA1 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf
SHA256 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f
SHA512 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\page2.css

MD5 085cf46c4d1c8dea9edd79ee37d6d5bd
SHA1 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45
SHA256 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d
SHA512 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\page2.html

MD5 12152ded3604e8baaf82c078f8034d60
SHA1 0867dec241a257e3e9ad9e8d20b9e06e3bce7184
SHA256 abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485
SHA512 a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\page2Lrg.css

MD5 db15b568f9d195635b3fcab87ef6293f
SHA1 6ae0f374531cb3013857880e8469a103492b8393
SHA256 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d
SHA512 a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\page3.css

MD5 07784ad77f30fa018949e412b2257aab
SHA1 8595c222a3741bfa83c5a4d982c845c8038062a6
SHA256 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf
SHA512 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\page3.html

MD5 b23c25988099403433efb7fb64715676
SHA1 e833527e1c021b311286e6e2d1c2f0530be0a565
SHA256 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c
SHA512 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\page3Lrg.css

MD5 b3520c555c46a7020d8f27bfe81df0ca
SHA1 59398086abe3987c2a91edacb74eca94bbd63d7d
SHA256 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6
SHA512 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\progress.png

MD5 dee08d8cbcdeb8013adf28ecf150aaf3
SHA1 c61cd9b1bd0127244b9d311f493fc514aa5c08d6
SHA256 eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5
SHA512 c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\setup.js

MD5 a95607ce49fa0af8ed7a3f5667c3eb31
SHA1 5e4b5a30e56c42329afdf216625bf35be69a82aa
SHA256 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c
SHA512 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\title.png

MD5 12ef76069cc40b8ad478d9091915ded6
SHA1 fabad560b6e6839f9e5ae1268695d11ca35f9d74
SHA256 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c
SHA512 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\HtmlScreens\toolBar.jpg

MD5 56dc3cb42b46309e642c15167003685d
SHA1 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d
SHA256 bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1
SHA512 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar27D3.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

MD5 5e6230b3b16798e23720958756ac6d9e
SHA1 c7bcb001c48a67d4c9d6e70e92473ebd85b30585
SHA256 d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2
SHA512 6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

memory/2568-207-0x0000000060900000-0x0000000060970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\BabyTBConf.ini

MD5 8e441a64d7a291d03baae5718f98f1ce
SHA1 fdf6e05fbbbdf030218120e4d91e7aacdfea65d9
SHA256 93e7d89a96092a6b2bb4d8c5c142463ae5375e173d3bd256d8833902ae215337
SHA512 4bb568d35310b669ee19487e7fe77c8cf86ad12bc9c8dbb6ab53ba44a0310454544feee21a7bc99777b02dd8102ce4c34108484f1de71f0625a22d675c9737b5

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Latest\setup.exe

MD5 5790a04f78c61c3caea7ddd6f01829d2
SHA1 9d783d964338a5378280dd3c3b72519d11f73ffa
SHA256 726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606
SHA512 9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

C:\Users\Admin\AppData\Local\Temp\0FC8B317-BAB0-7891-ABC9-341709004397\Latest\kstp.txt

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

\Users\Admin\AppData\Local\Temp\nso1009.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

MD5 7fc6bc14a74dc69773587af10132d8c9
SHA1 9d98b268eaa7f4ad208bde39944fdb1ab201e076
SHA256 e288d49f6011dcd3f893e54ceafda9b6b491543966521c483064a7df43e5bdd2
SHA512 a738205fb26bf259e70b1cacfd10f9168d381778ef90a49847b8d332d93b471cbdcf6357a3d2dfb2e41a4666cba98dd9dc2867a20d472636e5fc8080cc073742

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

MD5 ff0198fd1f59b71c1deec34b6b0b0c07
SHA1 cae622ad91a3bab0996589e3bf905c9d4eeb6059
SHA256 f552d818f17841efb7f06803ecd2479fe5c9b2a0d3c4dad2c9d90b42e2e9d7d5
SHA512 96795276eefcde81b0ad4ac85f4aaec368cb93bd9e9912c343316912f1502f3a22d845af3ba75ea5aa92b1936028558d48c11a77d331d49bd77f58b886868ccc

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

MD5 2fef4da41b5f58e66d6de6b318bf3004
SHA1 66ef30ff290e8615cad27abb884cc8a2d250c3e7
SHA256 7c8472e322a87d039c22e8f48ab55107508898102b17a011222b2b0da9df4790
SHA512 8e6ee8e5660a10f227a9690822f278f393e865665c6d63d0a625241d58c6d48292964c3a30b594afca775de75d06604742925cb4fc42fd18c0cd14dd46cc9f1e

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Roaming\2YourFace\Updater.exe

MD5 61a75fa584626ad7236a5e0ecf0ce806
SHA1 28b1b5548e12d56773d3fcdf252617e94f07da96
SHA256 b7c83ce96df6a282fa18e8551d5c6de87a08f4e256ad0e1105069155138ed5a2
SHA512 2f38d0d06ddcd4d4506623120902a194f33f84e87a6260d08e55a2658e40edf959d0fc83c37561db7002b3e43a569fd2bcc3b70328ab37efe39b9b9b8d2cc4d8

memory/2520-275-0x0000000001F00000-0x0000000001F30000-memory.dmp

\Users\Admin\AppData\Local\Temp\nstAF34.tmp\SimpleFC.dll

MD5 d38543fc9ae37d188a23e06ee11d3504
SHA1 174fe778f66db4a527fddf21b1c23e1bc1ceceeb
SHA256 72f33da081b8d579f437e7aa2ba8d9cb9602270b88093ff9411ac6316b52fc6e
SHA512 43d1874e5821d8e5530eaa34d42b76aa867528368779fadcfd2691825297accf04e94bd34867442a76c25d4729edefba9469de6500acfe6f665949f11878c54b

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240221-en

Max time kernel

122s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

"C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe"

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=0

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst6308.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\SetupAuto.exe

MD5 ff0198fd1f59b71c1deec34b6b0b0c07
SHA1 cae622ad91a3bab0996589e3bf905c9d4eeb6059
SHA256 f552d818f17841efb7f06803ecd2479fe5c9b2a0d3c4dad2c9d90b42e2e9d7d5
SHA512 96795276eefcde81b0ad4ac85f4aaec368cb93bd9e9912c343316912f1502f3a22d845af3ba75ea5aa92b1936028558d48c11a77d331d49bd77f58b886868ccc

C:\Users\Admin\AppData\Local\Temp\nsy64AD.tmp\ioSpecial.ini

MD5 af834e2a3219676b8f9783ddcc699699
SHA1 6d0f5b570f8472315f21d74afc0643341bb9b1a1
SHA256 49a55fde5a8e088cbaf3e2d40b1d9d93669336bec3bd326769b878487133f8b8
SHA512 61e43f9eccd0a6f0556abd79a31097391016db45fd1c3e76998aeaa235c0e37f98d356544e68b77a665c0715b0d58ec057a8e9cb411754f0f1ab8fc806bd0fdc

\Users\Admin\AppData\Local\Temp\nsy64AD.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsy64AD.tmp\ioSpecial.ini

MD5 24edced680d4cf2668217abb9b17bb53
SHA1 51d1dece4cdd1af5082a02fc2b2d73c7b9edc588
SHA256 3f33a902db18285ff4740f993c97b265f7833f01b49e8bfdfb015cdce17d2001
SHA512 ea6c59daa98c939bd1c234a913086f2fe36775cf04a22a765342ecae4d12e842dc37bb2507ef4cc4bfa52200b7c8a261f0112a21bc776b47a44dea6638996f73

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 2320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3376 wrote to memory of 2320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3376 wrote to memory of 2320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 64.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 184.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
GB 88.221.135.217:80 tcp

Files

memory/2320-0-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win10v2004-20240226-en

Max time kernel

162s

Max time network

181s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1760 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1760 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-21 16:25

Reported

2024-03-21 16:28

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 224

Network

N/A

Files

N/A