Malware Analysis Report

2025-01-18 21:33

Sample ID 240414-3ag94sgd77
Target efbe3097a7ebe750bca91a377880ca05_JaffaCakes118
SHA256 3dd2935bc3f6c6fb0c3f27013c44d01ef090f5801651cd9d1b9d36e359c079b9
Tags
adware discovery evasion spyware stealer trojan upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3dd2935bc3f6c6fb0c3f27013c44d01ef090f5801651cd9d1b9d36e359c079b9

Threat Level: Shows suspicious behavior

The file efbe3097a7ebe750bca91a377880ca05_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware discovery evasion spyware stealer trojan upx

Loads dropped DLL

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Checks computer location settings

Reads user/profile data of web browsers

Installs/modifies Browser Helper Object

Checks installed software on the system

Checks whether UAC is enabled

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies Internet Explorer start page

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 23:18

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 884 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 884 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 884 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1652 -ip 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=1

Network

Country Destination Domain Proto
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 5d8d0c08384ad73216d52a2eabc064f5
SHA1 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc
SHA256 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce
SHA512 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57

C:\Users\Admin\AppData\Local\Temp\nsr328A.tmp\ioSpecial.ini

MD5 f9d65fcac8c472d8393c0c331956a38c
SHA1 9c089bef5ba044186b6c02331b05109ea48fde8e
SHA256 bd6fa148da35f9f3981f5422253bd0698241ff08b261a43902f0ddbfcdbb4909
SHA512 6d5e079e4433a5a9e26f7931327357c3548bf694d5b70417c86b2c509c0aabd1f300062e609e4a88f0e5dd19e75a25fbc0f33cc4ae6bbb71de7d4966b3670e96

C:\Users\Admin\AppData\Local\Temp\nsr328A.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 248

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240221-en

Max time kernel

140s

Max time network

141s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\background.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0bd7224c28eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a70000000000200000000001066000000010000200000007511f66a7181751dbe82ccc9c3c6d9e9a1b5bc7087830c7a8571de97824f524c000000000e800000000200002000000091a18338217d5192f267aa095ec4000a5dc4f09ffa0671feda874ab8dca588db900000002dffa4d8cc3b99f82eb376d752fdb32ebf2f0eef8a149d9a6ab5429adbe877d07377da57fd9b8c6144db344dc14d7518d120241774fc968925cbf0e2f4b16c217fb5e1459a6282bee2241e38c2139f62a75208f2fada96ab5d4be4ccd947ebe1fc4f605d611c877fb600bdf94d0c7466a6dd10880e03d4a66a43174f6cb47256ab843291fdf5fcd95a59259eeb791afb40000000aca8a924b2597fe29ab3a15d9d90f7491c7bdd15f447f3d1bf33bed19495dc9a5e6ad6687772e5f23c4a64301cdf8448b3c042074b70c65ea7f63d6653424bf4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4FFD3961-FAB5-11EE-A7F1-FA5112F1BCBF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419298581" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000e1cd384a116a405c480e2d8acfcc52685edc24cbf0c8a5a48b75ea7dc21b0e1d000000000e8000000002000020000000baa20d486bba757ba3982108cda48601a229e05bc85d019c645e0e379ecfa07520000000aed5d3d72e9ed82cc8105eeb331c3faf8318d0e85bc2c063a0117d717c69d048400000009288b42df8e838ecc49513ce3bd3971ab7c04e03fd06184dfd450652f35f7ad8f776031e065fc7a313ad107f580cf200d698b11e51e8d3d7848cce1a0c6fa4ea C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\background.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 static1.2yourface.com udp
US 54.161.222.85:80 static1.2yourface.com tcp
US 54.161.222.85:80 static1.2yourface.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 172.67.70.191:443 www.hugedomains.com tcp
US 172.67.70.191:443 www.hugedomains.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 861255e9a644b075bb3d71f494cacc33
SHA1 b7ad78ff269d1b2a90815e9e157f444b8c1a120e
SHA256 0a3e7a735dad33d07da0604ab7c8d9093d2c0683963fac8a1e33bf7e9676ef0d
SHA512 367c8eb1061e1a8f1dc0f85e55354375ab2ff75c0aa1ae4ac3656e0599ec1426fb13f8c849e47ae0ea93b2693fdd61d4d1eaae809db839834159b00aaad6fe12

C:\Users\Admin\AppData\Local\Temp\Cab2425.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar2437.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2518.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eaedce6feca3c51a6c7e1e939bf487fc
SHA1 8489672e894eddbea5c87e28c47119fbb3f99806
SHA256 177d74cd1752db6813007e0c68ac3083723242298736ec046d6cc7f896a1271b
SHA512 bd5b5babb1fbb68127bfb8891a6ca7dc6a534604776128e7d5ec3e61bec7da6102c6f846438a32c833f55960ff3627aa945f320b976cf4e8f5b746b21f5eccd5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e54f8d6b80d42b35d5c80128d27e784
SHA1 4421ac8a067fef386e86c75530597d57d4125e5e
SHA256 e08a31e6727e817e7ee82e5103abe3d879dc32e0f35fb160f7603c3159e91d9e
SHA512 2760f074e73c0894433071fae05b6306aba9644071ed14350769e6e3a80c4c625044adae1506944e362b12cab7610bf2045a8a49b1acdf5b5310451eaf14f9af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 591e5c9bdd73e2a04c4961ea025df094
SHA1 d17133d649be8804c133b04c6f14a49fa1a94acd
SHA256 d6c1227dc26de4d502773781db15992e980528d6d2e0483adfb7583cad079356
SHA512 2d981484665ea402b7f5973046bd2b3f316ac60c127322ea250d8d2dba30679538727b326451e353ee1bf209824d390b38b61462d8e78427823ae2ac7edfc40a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 318c7d28128dcc51fa3c4c1a30abcd9f
SHA1 d8bc6dcd81dbb970248fab0e865196ea6a24dd22
SHA256 86022b057ae73b0a73af4b24b4ade1e0c48bda3a0359394a3db53b63ee62a77f
SHA512 40ccbdf51fbd842244fd88a3d4d53e6d1234047ff4d08015050d55caeb638d3caa5fa420573117adda3970fd66907723c82bed83ff2ee7d0e5eec892fb71a088

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 996d82f7d9c358f2c92b08b793c571ce
SHA1 39e15fbb91d83932f614c57b2532d6e3c0fbdbd4
SHA256 1579cac594d0d522e854fef9ed8048e387e5415b3d2109e60782cd2abbde33d3
SHA512 090e5ae8febae695c0a2981db3b8aeed840b4f3de14568a5fd47098df3df198b874092cadb3340c05d0ae1e65ccdf591492fb88a0661cd46df30a4f4ab5d5b25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95ae9fc5ff79abd9d66adb7d6c0b7d3f
SHA1 92c46618a57f8b5cc667f36bc0ddf2e2821b1a8a
SHA256 e17302b65e99a39811d117b8e67164a841399fdc0a18f3c19668653a83fbbb79
SHA512 a4da0106f6ce210169a234c2aa4a4616007260a7aecf765513af9e6e62185eccbc944793f2de48f09babfa9be996e39510dd4e24a776bada30d4f3c8ec2c1ba6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0038031fbbb7bd8b2fb46c335868fb64
SHA1 eb0de8cce2bf7e7ec90f628e079f5ff693dc2560
SHA256 e443b6d6730cae0e1103ab41613cd3277a5d03cf9aa60d8513d182b559e97553
SHA512 af7a5ff8979da26b4432b1d4dc5d3efb9bbaa07dbd67cc0d189c38e671918db96924a837d870ca277e4ae77163ab79973eea51af2ec16ae43df8f7a7d77aba76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62af71d03b9b398a3877563d33cb215a
SHA1 14929dc150e8e3e3abc8a1740a2b2c10301434b8
SHA256 86f8a2303534835954f40bb009188e8e5e08ae2f62a2baf7cb9e1e068703d6f0
SHA512 70bf4653bc1ea3568c0da66cf9da0503745f5d38f043267af28135ea2a97e6de4e243e845308ace0a2a2549f402332c04181822c6e95c517513e7a00fa5472d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1003a75c0c3bad33eab340135a3abd22
SHA1 ee5c544ffb1963678d2cd69853b868afbb631794
SHA256 b811ebdb980bb0cf09e1cfabe937a688bcc46590fa6276780103cd9f16f305d0
SHA512 cefc50e79bd4763c9951c8581a2dc8f15db18a36343b64c78c7f3c38425f89934a30ec657788dd51ab21afeda71754d58b5232e19000646ed23477b24b71e1b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2ee5bc864328bd0e1fa39bf4a634fd0
SHA1 19bc447d07028486aa4b7043348138cec44fe8eb
SHA256 95705ab9275137bea20eb3bbeb378c4ba8fba08e440895dd4791e432e7f09865
SHA512 49c214874cedffac44123b0ca47c8253e5ca2961b70f043fca84f37bdd57fec73a0abc5c94c62423faec412fab999a1cb9484b20763f34c9828029b62458a1b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 91aaf8a9a2c33934fd83ab4248686d70
SHA1 08b998066c22367795bda1c13e17deebb4c7a915
SHA256 46384901e280cd7de59225ae89e13ea7792b1ab313bd30fb5fe9c5491b84e2c2
SHA512 3625fc735ab0b314e4dce0ea4b40d3759c7d2f7d34bde67b7253b79815816ec312fdfe61ef4b50ec790df361c5013b784fe83ebe9e34db1d6b70f0522ba8c97a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6af9673bb0454b1457465729cd733138
SHA1 4bd877a60db9f7c8a84d567459748d428804f078
SHA256 3015edac196617a68ac76120d49cabff9a5c019bc2cd0f46edd3f44b52a0af0f
SHA512 242fc06d207551fe777c21dad1576c077678e0ea2181ad63f19d1da34516c3f373d11bd49c12f2e8b2e833d4c5c1f847ffc1dd6eadee7fbd55d0f9e6908f56b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01f9ba9b54acf8069084cc7938413520
SHA1 7342b53c0401cf5ee3d4b49b6a1f9571d681d058
SHA256 515a3dfcfe9cbf216526f0425dc51120ba637b7c2dc103f7d22febce05990292
SHA512 4a0fc6dcd705b3e41c0ab528dad3056888309692bd944383e03ef655d5c89276e281771a82bcf7efd9238147feacfdc2f5fb5ce7acb70f7175b45c29af956ac0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd0cfbca1725b7bfe10dd2ba9e176c49
SHA1 a45446831d309c844ddcd0318a81fa400fa1b88b
SHA256 b494469be24bfd7f2395fb505d2554bc583f37367670433e11d1d81cef7a4541
SHA512 363e1c605630eeb1b3490f9eec8e797c6363665f5386295df99fccb402e67dc9b46b41a93d5fc6d825ed6666b1aed7214e419e29100813417f10c17a26406a44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d68fd993e6513eb9b3c4d6cab006ef4b
SHA1 66da8dbb9fb680833cfbdab4bb577629e1bd8f26
SHA256 52e1f090d1e09d05e5a46d938c1324a0deb9175eb11813158915c6ebc08b9f96
SHA512 354bea91247578e6a05958d64f6d8c4efd7743ea00e6142199a39ba0abae4a0cc0b8666e16a507fa52c7f260d8da24f2ab90d6b871599c20194a0b482b91c063

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ea627c871e9cade8707328b4506227f
SHA1 5c05792a608b82d62fc8c839539e42da24e44bac
SHA256 da2ba8a3515a61daed38628a3b0a7b3b7af124ddede515e3409897b8af34f494
SHA512 837f3ce8b9a8e1cd1fcdd53402069a0075027265628747dd5e80553f8a4a93b3a2ad91a1cc8b26ecc0a8480c467e3afd98e810a313dae6b7221f9cda2450907d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12cedccffeb66ba16eecc872f481dc97
SHA1 a4a8631971cc64d92696bd3a1847f751f94ccabf
SHA256 8a616860d25916c4f367d138cb7f5f0a1832d0c71fa23012a49cba26c8c79d83
SHA512 b9c323cbca699d0e3bb18092a82d1c99db10be0524a4821f969e5cebb5638f5a0b2b568d1d88712a88e4699ecd6731b63ea8c5ef7250c3f18a46694858653c31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 26bb8e888d88998d8976f5fb40f1a7e0
SHA1 dea90613073f5539cc0667a295fbdf8c194083c1
SHA256 8de7269ca2ff7c17eb8de4332916466594376e918afb9d2aa1352226fafbafee
SHA512 ac9fa3714e72425963c6eb57a9a90a72446843f43e1f203acd2c4461a12ce8da949a3982c592a397cacd4416a8e9bed00696203fdcbff869eb51200b6d7050ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e27993c0e9656dbb04e5830cf5f52cd
SHA1 9309b4e710e7ee18310bf4d495f7f2a4f08f09cc
SHA256 7bbb9103254c913de1334555961104a719f432628a8f5884c89f545b643e602f
SHA512 550a33ab364b40336bf8ae8b8474dc475405e9e504649fd2824be40e92a20c608e47f0b8884d92d43598550de104ed096e88df0d835991b18dc319f591dd4d11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6419bb95b9cf9aa0a756d055713f2d6
SHA1 eee088a690d4df957ee520bc334328c0cd2e0577
SHA256 96bb7c5d95891c86809b70ab9c96e90addbd74b74eb04b937bf8e4249a6dc16b
SHA512 cc2bd569594e078fea8483767cc5aeea0e2d3e9f700082fac545e16c862b8fb97be6377c1744cde07ad200b582ddf99ae1fdf5c58403c6086e2ab120a861ab5e

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\2YourFace\2YourFace.crx C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\bho.dll C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\FF8Installer.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\uninst.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\install.rdf C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}" C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=14be45c8000000000000e299a69ee862" C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc5000000000200000000001066000000010000200000002750f27100643cd74c8ff886a0a43b54f5358aebaa9af4eeba81422f6c4a8c93000000000e8000000002000020000000af17c05b609f434415f9b24971812e2ed27c8184d108276700bcbe6e702b072b50000000d90148577bcc4371bb51138750df041bef96e7365d14a8aa87e56700f97244cdc8772c044080a8947d51f14bf9c685d85687f87d88616b635f633fc9582bacd89f95fcc9d1a2e3916cbd417739be3fad400000008617c1cff210fc315cc15d0c5adb72bdde2dd40f1ce810a2ed21a8fa8c5f40d39370e24df9dc857d163d43aa4ca6ca338dbd0a96a10eecb3b2c0cba3cb943552 C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=14be45c8000000000000e299a69ee862" C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a43470363574763375d57730b0b5d13234b735d274747635d677363734b630b377347678b5a06010101e3e890d3001fc90b95 C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2008 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2008 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2008 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2008 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2008 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2008 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe
PID 2688 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe
PID 2676 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 2676 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 2676 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 2676 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 2008 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2008 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2008 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2008 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2008 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2008 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2008 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 272 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 272 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 272 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 272 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 272 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 272 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 272 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 272 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 272 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 272 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 272 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2008 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2008 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2008 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2008 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8BE33F~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8BE33F~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=

Network

Country Destination Domain Proto
US 8.8.8.8:53 info.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 dl.babylon.com udp
US 198.143.128.244:80 dl.babylon.com tcp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 8.8.8.8:53 cs-g2-crl.thawte.com udp
SE 192.229.221.95:80 cs-g2-crl.thawte.com tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 www.outbrowse.com udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsy8E6B.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

MD5 3d91ecdbb3404485702fb92b26b17d90
SHA1 5dfc514a7a1e037683fed57029f49fa6c6f04dbf
SHA256 588b7896a3712043efd9789e8bd2de35d2bcc082344f2d2cb7a90cfadc66b6d9
SHA512 1cc40cfa7328eb251f9cc5bc4c5ba695e213c8efda94e8ef23cfc7786a561c8298c05b39fbbbcfccc90eaf3a18090f1d6fd4ecc405795565fdb8790c9b2093d3

\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Setup.exe

MD5 14c2d4576d528ed76fada4f4fa1a5952
SHA1 3a9d7d4639b5eb8bec42df972c44493690eaadfc
SHA256 6e7425ace83127aa18a94927144f3d97870f7395606285606635c3ae591f1b52
SHA512 15c32a49946429e15ff8a8e4293d2ccccd160c43c24d3b6f9ccb0373f3dfb666e3c04c062feecc5dd6415f44c7230a09f0cc423aed601a121c2afec28d772558

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\bab033.tbinst.dat

MD5 1ee8c638e49ee7137607722768afc5a2
SHA1 8719d7a498a49b042cd6fc411cac6c44f3c0f43a
SHA256 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e
SHA512 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\bab091.norecovericon.dat

MD5 4f6e1fdbef102cdbd379fdac550b9f48
SHA1 5da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256 e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA512 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\SetupStrings.dat

MD5 07bb1523dc51ec1fd5913b0a70ab98ee
SHA1 216f853cb251f32f5c91345404efd48f041ad5bd
SHA256 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2
SHA512 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Babylon.dat

MD5 adbb6a655ae518830ba1afefdb84668f
SHA1 a1be53d99a67fff011ea035c310588e635c718e1
SHA256 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c
SHA512 b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228

C:\Users\Admin\AppData\Local\Temp\8BE33F~1\IECOOK~1.DLL

MD5 5a27c8702510d0b6c698163053fde6d1
SHA1 69fdc602a51e52c603f23a80e9b087c262dce940
SHA256 ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437
SHA512 ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51

memory/2732-50-0x0000000000900000-0x0000000000902000-memory.dmp

memory/2676-51-0x0000000000280000-0x0000000000282000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\BExternal.dll

MD5 743acbf54eb091066be6ab3cb12c5988
SHA1 43a205985790c47a7e611fa2d3cab9b4eb59121f
SHA256 fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0
SHA512 014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\sign

MD5 73dbc500e121b83ec57bb2563203259a
SHA1 658adac13fc362f5292cbbda19ade1d228ff7901
SHA256 9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878
SHA512 c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\blueStar.png

MD5 a7fcdf142648bac756fcfe06a31f42e4
SHA1 4df99b119c183c821ed1bf0f825536318c9c3353
SHA256 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22
SHA512 ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\eula.html

MD5 1b73a781f7f5b0d61624bd97050a2ed0
SHA1 01b848625761d5dede115e8599e4c72f126f8a3c
SHA256 f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5
SHA512 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\globe.png

MD5 cc53fb9e9456eb79479151090cb16cbd
SHA1 e61004bf729757f3f225f77f0236b82518f68662
SHA256 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42
SHA512 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\options.js

MD5 771f230f8bbc96a03b13976667918f1f
SHA1 0fba422c76b89cdb5d12e657064c49a9b1b7abae
SHA256 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252
SHA512 b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\page0.html

MD5 cf33120dd42cee842d96532843bb1961
SHA1 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf
SHA256 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f
SHA512 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\page2.css

MD5 085cf46c4d1c8dea9edd79ee37d6d5bd
SHA1 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45
SHA256 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d
SHA512 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\page2.html

MD5 12152ded3604e8baaf82c078f8034d60
SHA1 0867dec241a257e3e9ad9e8d20b9e06e3bce7184
SHA256 abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485
SHA512 a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\page3.html

MD5 b23c25988099403433efb7fb64715676
SHA1 e833527e1c021b311286e6e2d1c2f0530be0a565
SHA256 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c
SHA512 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\page3.css

MD5 07784ad77f30fa018949e412b2257aab
SHA1 8595c222a3741bfa83c5a4d982c845c8038062a6
SHA256 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf
SHA512 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\page2Lrg.css

MD5 db15b568f9d195635b3fcab87ef6293f
SHA1 6ae0f374531cb3013857880e8469a103492b8393
SHA256 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d
SHA512 a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\page3Lrg.css

MD5 b3520c555c46a7020d8f27bfe81df0ca
SHA1 59398086abe3987c2a91edacb74eca94bbd63d7d
SHA256 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6
SHA512 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\progress.png

MD5 dee08d8cbcdeb8013adf28ecf150aaf3
SHA1 c61cd9b1bd0127244b9d311f493fc514aa5c08d6
SHA256 eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5
SHA512 c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\setup.js

MD5 a95607ce49fa0af8ed7a3f5667c3eb31
SHA1 5e4b5a30e56c42329afdf216625bf35be69a82aa
SHA256 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c
SHA512 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\title.png

MD5 12ef76069cc40b8ad478d9091915ded6
SHA1 fabad560b6e6839f9e5ae1268695d11ca35f9d74
SHA256 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c
SHA512 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\HtmlScreens\toolBar.jpg

MD5 56dc3cb42b46309e642c15167003685d
SHA1 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d
SHA256 bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1
SHA512 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

MD5 5e6230b3b16798e23720958756ac6d9e
SHA1 c7bcb001c48a67d4c9d6e70e92473ebd85b30585
SHA256 d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2
SHA512 6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarA0AA.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2804-201-0x0000000002CE0000-0x0000000002CE2000-memory.dmp

memory/1200-206-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2804-208-0x0000000060900000-0x0000000060970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\BabyTBConf.ini

MD5 598babae1833f493311af07bccd4ece7
SHA1 1e14936777cdf081e5f1847ebf193284c60fc3c9
SHA256 10f078674c475a6d59772a28541ad6dc1c6c2109c63b8c75db7846fac2274b2d
SHA512 4a4ddc22ab54ef8c282f114a9cacb3bd7e007607e1fdc4cfe86d9f52106810ca2642cb293669edd59f4b124e20048f21b9401a0c66dc8c179ad97f2b95ed5ff1

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Latest\kstp.txt

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\8BE33F26-BAB0-7891-8D51-11D168CCA8E7\Latest\setup.exe

MD5 5790a04f78c61c3caea7ddd6f01829d2
SHA1 9d783d964338a5378280dd3c3b72519d11f73ffa
SHA256 726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606
SHA512 9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

\Users\Admin\AppData\Local\Temp\MainInstaller.exe

MD5 9ce448dcd7cf13dd950725957361bdff
SHA1 5831ff31825ea82d90a2989e0fc0a33b859d5f97
SHA256 3dbc5aff076ef9c86a90ad30e963581f7cb22f8e212aa38db29d82cf45b73f80
SHA512 b4a175da3677cd3380cb3789f281f2afb10aa00dc9592217062d66eb9b5e73805886b692975d7244cdd439d8d5bcd0eb5810533284ba4b13ff02a20b792bf74f

\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 5d8d0c08384ad73216d52a2eabc064f5
SHA1 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc
SHA256 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce
SHA512 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57

\Users\Admin\AppData\Local\Temp\PingMe.exe

MD5 991cd458830ae2008be0c2d8e26c8bd0
SHA1 d519a7ffd8360a47450e60b7d665e666d9df89bc
SHA256 f2ecda9fb1b201d9a120c5906c6b0983205e4858ecea0065499841cf4047eb71
SHA512 e45ce313823e43726418378920c367a4957b2806ee8070d0f4acf63fd1fa893577fbe91fc859c81bd8d6984ca1c0fe9ef0b32200c79106a3f7dcff0b8efdb4aa

memory/2808-254-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

memory/2808-255-0x0000000000240000-0x00000000002C0000-memory.dmp

memory/2808-256-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

memory/2896-257-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

memory/2896-258-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

memory/2808-259-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Network

N/A

Files

memory/1420-0-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Network

N/A

Files

memory/3028-0-0x0000000000190000-0x00000000001A4000-memory.dmp

memory/3028-1-0x0000000000190000-0x00000000001A4000-memory.dmp

memory/3028-2-0x0000000000190000-0x00000000001A4000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

113s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4236 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4236 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2948 -ip 2948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 65.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

126s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 4208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 4208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 4208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4208 -ip 4208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240215-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 224

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsi1A45.tmp\ioSpecial.ini

MD5 fc60b5a4f144ca176996ea5a8a6c021e
SHA1 3d0696b25e5ee221e6742f685680d4e6163eec62
SHA256 01e54eb7a375edf1ea5d428fd0af24b2c4f0dc231856978f06219e8a2f83810f
SHA512 7c31d5f8ffc0fb42de1d8cb503db643c9bca3b9020b3b81631e58aa8c1ff072b0e4d652fb09e0e4ca758a9fc8ba9230607958e8921608e72053f0b88feba463e

\Users\Admin\AppData\Local\Temp\nsi1A45.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsi1A45.tmp\ioSpecial.ini

MD5 063d4ce972e83151d0982f46bfcb2dd7
SHA1 646ce353f93c071e58bca69b18404407e93b2d06
SHA256 d09426f8e0dc38b7082bacd3684c3c985dddbbe28a6ea0623445c350e8002676
SHA512 b497aec25ab515cf5a3be665f5f032175cd222df1f8be6de73811c67bd1f55bbb453955e65dbdfe51d98e1700571e6e8edc71794cd62c5133343606a4e46e637

C:\Users\Admin\AppData\Local\Temp\nsi1A45.tmp\ioSpecial.ini

MD5 a480345cd7c08a1f3d025dd162256f3b
SHA1 06ecb8a3dff9c58cc71069455a9ff403ebe1d1ce
SHA256 79c1c0769123c1377d6df3a3283621564df9893e27d48166a62adc2004f6df0e
SHA512 312409bd459642f148d1227e651cef672ab9651efcec7f9e11fbc0616b327cd640eeddee7a978a9eb6a9207525219bef92800934b9be8047ab5abdc6c30a1d57

Analysis: behavioral30

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

113s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\AddInstall.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\AddInstall.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1560 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1560 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 228

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 220

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

113s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3888 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3888 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3888 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 13.89.179.14:443 tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
BE 2.17.197.240:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=1

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 5d8d0c08384ad73216d52a2eabc064f5
SHA1 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc
SHA256 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce
SHA512 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57

\Users\Admin\AppData\Local\Temp\nsd17B6.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsd17B6.tmp\ioSpecial.ini

MD5 00b0d28677dc53f5dfc7ccaa21955cad
SHA1 4e8c8672e3ca0ec354338d9d8970a3b2196d82bd
SHA256 b3de401cc8e9becdeffb7b28e4de5034c4e43e9b72dadcefbffe7bfd2996a324
SHA512 9ab917182510237018c60e62f003cdb64e4254b708b7e55a852ec09c4aec29a499cc4d4fecb372d66885c20736558fcb392c2e6130968b33b04c7147e34e1ae3

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsa2007.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsa2007.tmp\ioSpecial.ini

MD5 c03e62b52429feba0d97442bac4d3057
SHA1 83d76a6e8b561a9d62c1584f9cae6bb0f3bffa24
SHA256 e198b495eb3082afeef40bb47f88e4ff6eb20c89f068cd3288bf099124b33b6a
SHA512 1eafebffef3323d79b484201027649700b0f68d0cf92e5be3134e834e689845bc2fe29e5413ba1079500fd25d681131911437a651518163f258a79eba968e33f

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 228

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efbe3097a7ebe750bca91a377880ca05_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\efbe3097a7ebe750bca91a377880ca05_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efbe3097a7ebe750bca91a377880ca05_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsq3AB4.tmp\tools.dll

MD5 e12f05661436f2974cf91b5fc76fb5f4
SHA1 5e0b7887950204713bef3da0018911279f2540ec
SHA256 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc
SHA512 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d

memory/3108-19-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-20-0x0000000073C50000-0x0000000074201000-memory.dmp

memory/3108-21-0x0000000073C50000-0x0000000074201000-memory.dmp

memory/3108-25-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-26-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-29-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-30-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-31-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-32-0x0000000073C50000-0x0000000074201000-memory.dmp

memory/3108-33-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-34-0x0000000073C50000-0x0000000074201000-memory.dmp

memory/3108-35-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-36-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-37-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-38-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-39-0x0000000003150000-0x0000000003160000-memory.dmp

memory/3108-40-0x0000000003150000-0x0000000003160000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

124s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\2YourFace.crx C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\FF8Installer.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\uninst.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\install.rdf C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\bho.dll C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=9ae59a8e000000000000fe40a00249be" C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=9ae59a8e000000000000fe40a00249be" C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433e39789c636262604903622146b36a032767630b4727475d033327735d130b63675d272347175d23370353632061e06c6659cb202020b04cf2fb7f00223b0c87 C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingMe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingMe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5024 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 5024 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 5024 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2220 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe
PID 2220 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe
PID 2220 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe
PID 5024 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 5024 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 5024 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 1572 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1572 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1572 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1572 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 1572 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 5024 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 5024 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A645BB~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A645BB~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 info.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 235.27.154.184.in-addr.arpa udp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 232.27.154.184.in-addr.arpa udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 www.outbrowse.com udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsb15C6.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

MD5 3d91ecdbb3404485702fb92b26b17d90
SHA1 5dfc514a7a1e037683fed57029f49fa6c6f04dbf
SHA256 588b7896a3712043efd9789e8bd2de35d2bcc082344f2d2cb7a90cfadc66b6d9
SHA512 1cc40cfa7328eb251f9cc5bc4c5ba695e213c8efda94e8ef23cfc7786a561c8298c05b39fbbbcfccc90eaf3a18090f1d6fd4ecc405795565fdb8790c9b2093d3

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Setup.exe

MD5 14c2d4576d528ed76fada4f4fa1a5952
SHA1 3a9d7d4639b5eb8bec42df972c44493690eaadfc
SHA256 6e7425ace83127aa18a94927144f3d97870f7395606285606635c3ae591f1b52
SHA512 15c32a49946429e15ff8a8e4293d2ccccd160c43c24d3b6f9ccb0373f3dfb666e3c04c062feecc5dd6415f44c7230a09f0cc423aed601a121c2afec28d772558

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\bab033.tbinst.dat

MD5 1ee8c638e49ee7137607722768afc5a2
SHA1 8719d7a498a49b042cd6fc411cac6c44f3c0f43a
SHA256 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e
SHA512 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\bab091.norecovericon.dat

MD5 4f6e1fdbef102cdbd379fdac550b9f48
SHA1 5da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256 e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA512 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\SetupStrings.dat

MD5 07bb1523dc51ec1fd5913b0a70ab98ee
SHA1 216f853cb251f32f5c91345404efd48f041ad5bd
SHA256 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2
SHA512 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\Babylon.dat

MD5 adbb6a655ae518830ba1afefdb84668f
SHA1 a1be53d99a67fff011ea035c310588e635c718e1
SHA256 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c
SHA512 b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228

C:\Users\Admin\AppData\Local\Temp\A645BB~1\IECOOK~1.DLL

MD5 5a27c8702510d0b6c698163053fde6d1
SHA1 69fdc602a51e52c603f23a80e9b087c262dce940
SHA256 ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437
SHA512 ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\BExternal.dll

MD5 743acbf54eb091066be6ab3cb12c5988
SHA1 43a205985790c47a7e611fa2d3cab9b4eb59121f
SHA256 fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0
SHA512 014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\sign

MD5 73dbc500e121b83ec57bb2563203259a
SHA1 658adac13fc362f5292cbbda19ade1d228ff7901
SHA256 9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878
SHA512 c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\blueStar.png

MD5 a7fcdf142648bac756fcfe06a31f42e4
SHA1 4df99b119c183c821ed1bf0f825536318c9c3353
SHA256 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22
SHA512 ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\eula.html

MD5 1b73a781f7f5b0d61624bd97050a2ed0
SHA1 01b848625761d5dede115e8599e4c72f126f8a3c
SHA256 f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5
SHA512 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\globe.png

MD5 cc53fb9e9456eb79479151090cb16cbd
SHA1 e61004bf729757f3f225f77f0236b82518f68662
SHA256 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42
SHA512 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\page0.html

MD5 cf33120dd42cee842d96532843bb1961
SHA1 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf
SHA256 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f
SHA512 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\options.js

MD5 771f230f8bbc96a03b13976667918f1f
SHA1 0fba422c76b89cdb5d12e657064c49a9b1b7abae
SHA256 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252
SHA512 b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\page2.css

MD5 085cf46c4d1c8dea9edd79ee37d6d5bd
SHA1 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45
SHA256 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d
SHA512 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\page3.css

MD5 07784ad77f30fa018949e412b2257aab
SHA1 8595c222a3741bfa83c5a4d982c845c8038062a6
SHA256 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf
SHA512 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\page3Lrg.css

MD5 b3520c555c46a7020d8f27bfe81df0ca
SHA1 59398086abe3987c2a91edacb74eca94bbd63d7d
SHA256 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6
SHA512 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\page3.html

MD5 b23c25988099403433efb7fb64715676
SHA1 e833527e1c021b311286e6e2d1c2f0530be0a565
SHA256 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c
SHA512 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\page2Lrg.css

MD5 db15b568f9d195635b3fcab87ef6293f
SHA1 6ae0f374531cb3013857880e8469a103492b8393
SHA256 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d
SHA512 a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\page2.html

MD5 12152ded3604e8baaf82c078f8034d60
SHA1 0867dec241a257e3e9ad9e8d20b9e06e3bce7184
SHA256 abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485
SHA512 a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\setup.js

MD5 a95607ce49fa0af8ed7a3f5667c3eb31
SHA1 5e4b5a30e56c42329afdf216625bf35be69a82aa
SHA256 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c
SHA512 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\progress.png

MD5 dee08d8cbcdeb8013adf28ecf150aaf3
SHA1 c61cd9b1bd0127244b9d311f493fc514aa5c08d6
SHA256 eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5
SHA512 c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\title.png

MD5 12ef76069cc40b8ad478d9091915ded6
SHA1 fabad560b6e6839f9e5ae1268695d11ca35f9d74
SHA256 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c
SHA512 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\HtmlScreens\toolBar.jpg

MD5 56dc3cb42b46309e642c15167003685d
SHA1 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d
SHA256 bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1
SHA512 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

memory/1964-120-0x0000000060900000-0x0000000060970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A645BBE9-BAB0-7891-9F28-F7BDC1D185D0\BabyTBConf.ini

MD5 f9f4a42cafca7511bd401aa15a1c69ce
SHA1 9eded95a734ba756fa139a571a08ee1b34ae4f12
SHA256 e228353fbfdd9bd8f8bb8be2926a4925a2d074808428c6a9e645eac0ff10b732
SHA512 6b4c6df55bf2923885dbea25f58044a315cae689639674012c78e438185996e55e2ba181b8dc71b23d4c376a5c859acc6a62e54f579d54e37c221e84ee83445d

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

MD5 9ce448dcd7cf13dd950725957361bdff
SHA1 5831ff31825ea82d90a2989e0fc0a33b859d5f97
SHA256 3dbc5aff076ef9c86a90ad30e963581f7cb22f8e212aa38db29d82cf45b73f80
SHA512 b4a175da3677cd3380cb3789f281f2afb10aa00dc9592217062d66eb9b5e73805886b692975d7244cdd439d8d5bcd0eb5810533284ba4b13ff02a20b792bf74f

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 5d8d0c08384ad73216d52a2eabc064f5
SHA1 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc
SHA256 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce
SHA512 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

MD5 991cd458830ae2008be0c2d8e26c8bd0
SHA1 d519a7ffd8360a47450e60b7d665e666d9df89bc
SHA256 f2ecda9fb1b201d9a120c5906c6b0983205e4858ecea0065499841cf4047eb71
SHA512 e45ce313823e43726418378920c367a4957b2806ee8070d0f4acf63fd1fa893577fbe91fc859c81bd8d6984ca1c0fe9ef0b32200c79106a3f7dcff0b8efdb4aa

memory/4000-163-0x00007FFC2AF00000-0x00007FFC2B8A1000-memory.dmp

memory/4000-164-0x0000000001220000-0x0000000001230000-memory.dmp

memory/2356-165-0x00007FFC2AF00000-0x00007FFC2B8A1000-memory.dmp

memory/2356-166-0x000000001B700000-0x000000001BBCE000-memory.dmp

memory/2356-167-0x00007FFC2AF00000-0x00007FFC2B8A1000-memory.dmp

memory/4000-168-0x00007FFC2AF00000-0x00007FFC2B8A1000-memory.dmp

memory/2356-171-0x00007FFC2AF00000-0x00007FFC2B8A1000-memory.dmp

memory/4000-170-0x00007FFC2AF00000-0x00007FFC2B8A1000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/2380-0-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 4540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 4540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 4540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4540 -ip 4540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efbe3097a7ebe750bca91a377880ca05_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\efbe3097a7ebe750bca91a377880ca05_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efbe3097a7ebe750bca91a377880ca05_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efbe3097a7ebe750bca91a377880ca05_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst6AF5.tmp\tools.dll

MD5 e12f05661436f2974cf91b5fc76fb5f4
SHA1 5e0b7887950204713bef3da0018911279f2540ec
SHA256 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc
SHA512 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d

memory/1404-19-0x0000000002D70000-0x0000000002DB0000-memory.dmp

memory/1404-23-0x0000000074860000-0x0000000074E0B000-memory.dmp

memory/1404-25-0x0000000074860000-0x0000000074E0B000-memory.dmp

memory/1404-24-0x0000000002D70000-0x0000000002DB0000-memory.dmp

memory/1404-26-0x0000000002D70000-0x0000000002DB0000-memory.dmp

memory/1404-29-0x0000000005D00000-0x0000000005E00000-memory.dmp

memory/1404-30-0x0000000005D00000-0x0000000005E00000-memory.dmp

memory/1404-37-0x0000000074860000-0x0000000074E0B000-memory.dmp

memory/1404-38-0x0000000002D70000-0x0000000002DB0000-memory.dmp

memory/1404-39-0x0000000005D00000-0x0000000005E00000-memory.dmp

memory/1404-40-0x0000000005D00000-0x0000000005E00000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2172 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2172 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2172 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2172 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2172 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2172 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

113s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4508 wrote to memory of 3656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4508 wrote to memory of 3656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4508 wrote to memory of 3656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3956 wrote to memory of 4136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3956 wrote to memory of 4136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3956 wrote to memory of 4136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4136 -ip 4136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 228

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/2880-0-0x00007FF90D060000-0x00007FF90DA01000-memory.dmp

memory/2880-2-0x000000001C340000-0x000000001C80E000-memory.dmp

memory/2880-1-0x00000000018D0000-0x00000000018E0000-memory.dmp

memory/2880-4-0x00007FF90D060000-0x00007FF90DA01000-memory.dmp

memory/2880-5-0x00007FF90D060000-0x00007FF90DA01000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\AddInstall.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\AddInstall.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win7-20240319-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 228

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-04-14 23:18

Reported

2024-04-14 23:21

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\background.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\background.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4008 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4500 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4972 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5496 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5928 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.73.139.50:443 bzib.nelreports.net tcp
NL 72.246.173.187:443 www.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 static1.2yourface.com udp
US 8.8.8.8:53 static1.2yourface.com udp
US 3.94.41.167:80 static1.2yourface.com tcp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 187.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 50.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 167.41.94.3.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 29.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A