Analysis Overview
SHA256
3ac39d5f90e93146055b62b1d76d1e194d4cad634179b3ba33cf5603d546cb58
Threat Level: Shows suspicious behavior
The file efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
Loads dropped DLL
Checks installed software on the system
Checks whether UAC is enabled
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer start page
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 00:44
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
0s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4140 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4140 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4140 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3048 -ip 3048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 612
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
91s
Max time network
113s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
memory/2852-0-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240221-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 224
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsd408B.tmp\tools.dll
| MD5 | e12f05661436f2974cf91b5fc76fb5f4 |
| SHA1 | 5e0b7887950204713bef3da0018911279f2540ec |
| SHA256 | 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc |
| SHA512 | 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d |
memory/1224-19-0x0000000003090000-0x00000000030D0000-memory.dmp
memory/1224-23-0x00000000745C0000-0x0000000074B6B000-memory.dmp
memory/1224-24-0x00000000745C0000-0x0000000074B6B000-memory.dmp
memory/1224-25-0x0000000003090000-0x00000000030D0000-memory.dmp
memory/1224-26-0x0000000003090000-0x00000000030D0000-memory.dmp
memory/1224-28-0x0000000003090000-0x00000000030D0000-memory.dmp
memory/1224-30-0x0000000005D50000-0x0000000005E50000-memory.dmp
memory/1224-31-0x0000000005D50000-0x0000000005E50000-memory.dmp
memory/1224-38-0x0000000003090000-0x00000000030D0000-memory.dmp
memory/1224-39-0x00000000745C0000-0x0000000074B6B000-memory.dmp
memory/1224-40-0x0000000005D50000-0x0000000005E50000-memory.dmp
memory/1224-41-0x0000000005D50000-0x0000000005E50000-memory.dmp
memory/1224-42-0x0000000005D50000-0x0000000005E50000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
158s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 868 wrote to memory of 3848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 868 wrote to memory of 3848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 868 wrote to memory of 3848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
91s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 2044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 2044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 2044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2044 -ip 2044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2300 wrote to memory of 4980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2300 wrote to memory of 4980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2300 wrote to memory of 4980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240221-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\AddInstall.js
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2924 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2924 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2924 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2924 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2924 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2924 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2924 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=1
Network
Files
\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 5d8d0c08384ad73216d52a2eabc064f5 |
| SHA1 | 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc |
| SHA256 | 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce |
| SHA512 | 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57 |
\Users\Admin\AppData\Local\Temp\nso3F91.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nso3F91.tmp\ioSpecial.ini
| MD5 | c732fb04d5f9c3b4bc0338ed5d7bf7d1 |
| SHA1 | 2728306cd16908b8ccbaca72a1e72fce83b4ac5d |
| SHA256 | 36e2735c43a81e30848906a47f6ed9eee1d3803dc0918c870854bc68f3c841cb |
| SHA512 | 356f3474ea55053bd53cb2b7306d0fed13f8ca36cc5f503b69b456fbd24fbc9d541babe77f44a4eaaddd5571e29aa49c0ffe7fafde160f722ea7ef38c210ec49 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2412 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2412 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2412 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2412 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2412 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2412 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2412 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1
Network
Files
memory/2124-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2124-1-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 4452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 4452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 4452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4452 -ip 4452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.200.42:443 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240319-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 228
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1288 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1288 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1288 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1288 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1288 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1288 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1288 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1424 wrote to memory of 4288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1424 wrote to memory of 4288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1424 wrote to memory of 4288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4288 -ip 4288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
124s
Max time network
133s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1424 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 1424 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 1424 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4228,i,4770062162764366287,7825742579436984831,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 5d8d0c08384ad73216d52a2eabc064f5 |
| SHA1 | 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc |
| SHA256 | 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce |
| SHA512 | 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57 |
C:\Users\Admin\AppData\Local\Temp\nsbF04C.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsbF04C.tmp\ioSpecial.ini
| MD5 | 2bba555724b675854fa49705a8d8c5cf |
| SHA1 | 5dbc59ba917d4bc114fa01ed1ddcaa40ed8fa21d |
| SHA256 | 40afe4505a1abc377ee3748cbc5c663a1e984ba258d057df59a3bf575ed3168e |
| SHA512 | 3b996e521974ce35c8e3f7435059a544a13370107a3d752e679ff8746b4278e5f7d43da77865adf814791451688e445519e3f6991bdfbaf6d497faf9d27044b1 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240221-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04cbc27ce8eda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not captured) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000abeded4b410d75052c2d737e8b0b666f922b7b3a552235078ee2997ae7863b61000000000e8000000002000020000000e9e340f7749c0a0d74582af3258e4c9ac0eda4573bead518ab92cd12130cdcd7200000002817d50753fa796dc80b20a822e11c9505a60f37e8d8389d90274350c97cf28d40000000141d853e512c30405c523f8a8dd01fa01f19ecf0fd84caf212e6ed391a9c666e08dcf5dd390e5cafafd0ec25ca8df4a1c67663fe39012f937405fecd8a9de6b1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{530E5381-FAC1-11EE-9966-EA483E0BCDAF} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419303741" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1652 wrote to memory of 2032 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1652 wrote to memory of 2032 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1652 wrote to memory of 2032 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1652 wrote to memory of 2032 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\background.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:275457 /prefetch:2
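The four WriteProcessMemory rows above all pair PID 1652, the iexplore.exe frame that opened background.html, with the 32-bit IEXPLORE.EXE whose command line carries SCODEF:1652. That is how IE's frame process starts its own tab processes, and a parent writing into a child it has just created is a different signal from writing into a foreign process. The check below is an added example, not part of the report: it takes the writer/target PIDs and images from the rows and the command lines from the Processes section (PID 2032 for the child is taken from the rows, since the Processes list prints no PIDs) and keeps only the write events that this frame-to-tab relationship does not explain.

```python
import re

# Constructed from the WriteProcessMemory rows above:
# (writer PID, target PID, writer image, target image).
WRITE_EVENTS = [
    (1652, 2032, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
] * 4   # the report lists the same pairing four times

# Constructed from the Processes section; PID 2032 for the child is taken
# from the WriteProcessMemory rows (the Processes list itself shows no PIDs).
PROCESSES = {
    1652: r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\background.html',
    2032: r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:275457 /prefetch:2',
}

IE_IMAGES = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files (x86)\internet explorer\iexplore.exe",
}
# IE's frame process starts each tab process with SCODEF:<frame pid> on its command line.
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")


def is_ie_tab_spawn(writer_pid, target_pid, writer_image, target_image, processes):
    """True when an IE frame process wrote into an IE tab process whose command
    line names that frame in SCODEF:<pid>, i.e. a parent finishing the setup of
    a child it created itself rather than injection into a foreign process."""
    if writer_image.lower() not in IE_IMAGES or target_image.lower() not in IE_IMAGES:
        return False
    m = SCODEF_RE.search(processes.get(target_pid, ""))
    return m is not None and int(m.group(1)) == writer_pid


def split_write_events(events, processes):
    """Return (explained_by_ie_spawn, needs_review) for a list of events."""
    explained, review = [], []
    for ev in events:
        (explained if is_ie_tab_spawn(*ev, processes) else review).append(ev)
    return explained, review


if __name__ == "__main__":
    ok, todo = split_write_events(WRITE_EVENTS, PROCESSES)
    print(f"{len(ok)} write events explained by IE frame->tab spawn, {len(todo)} to review")
```

The same rule applied to the second analysis would not fire: there the writer is the installer's Setup.exe, which is not an IE image, so any WriteProcessMemory it performs stays in the review list.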
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | static1.2yourface.com | udp |
| US | 3.130.253.23:80 | static1.2yourface.com | tcp |
| US | 3.130.253.23:80 | static1.2yourface.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1843b2c372756af51eb06b267e60b5b6 |
| SHA1 | abca0bdf31756aa9a3ae879ef3c0be5f34763ca0 |
| SHA256 | 020631028417769dbfa528054dc3f1c9369b1249cf586e22610cc7894e7e0091 |
| SHA512 | 7adae086147d0a4f4323c61737954e177e465c047935f01ee5775a99ce971bcf046051b17a01ba1e74a24a14fcb1bc09d40496b353a352df46f58bbae3fa5443 |
C:\Users\Admin\AppData\Local\Temp\Cab3B9B.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar3BAD.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar3C8E.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84b02bb20280ae64b570043cabee3b95 |
| SHA1 | 694d6e206149c161ca624bb83a031690171d5de2 |
| SHA256 | 12eb167c7192d5e22d8dc55c482bfdfcdce9018835cd9549628f8b9cc7e69845 |
| SHA512 | a31cd47b25d71986d055063ee6aa37ec2f6ab5e8bc3d8ce655ca7a0e46e79ba43cadd0818b71d5efe2af0eb1f5dbb6a95cfa2262b20c378bf2694e7147ff41a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab311dcbb4dee242ad12ac62aec846d5 |
| SHA1 | b2818c947b01f046cea001fda25f022db7abbde2 |
| SHA256 | 25f4f5f4089edd39c5dc9a8c048d9edf54b2a89e28543a81cb20d3eeb24b9651 |
| SHA512 | 068680f507a017474de20efb715d41301884fc2c10614bcb08b4f914d89fe38739583de3896c67ed91926adcc544eb179928e86ec0fa0226ec1a0bd9a96b4014 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4ec8effadbbc83ccafe0ffeff231469a |
| SHA1 | 8a731672b895442f2102e45729d0481f6618aab6 |
| SHA256 | dc2fb3f44b551b4d0ee4d09603e5b1418f8a260ce6e2feb32d24b11cb9c927cb |
| SHA512 | 00f8b1f98aa93a7804c1c02010d398b91fbaec0ee7147a4fcd4a7515d769aceeb3843500b96246ba46d3341cb120cdd53a074aaab9b6108c9bcfe459b57e90c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | db610b4e8aecb4780cd9df502bdeb6a0 |
| SHA1 | 90ed87918b554c7f92c7a692984e397ac61ad854 |
| SHA256 | 47414cab12e288f9c06e6756d48515129718a0e5a30099ab6b2b7ce156071d8a |
| SHA512 | f3ac96aa1d94bbc166317a6249ec0ffbc74dac6a203248a32a37732a46f3a4c02d50576b2890d3111cfc1ace17bd3d218311b60e5d24a86d4a0612789ae593d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b068781e5faf063532e9792e5625c86 |
| SHA1 | dd1932741d84648ffb13381fabd5ea54404eed11 |
| SHA256 | c62a8f9ad48dbe450831976c30c6b2dc4d09c83e9e5e462fd4f1fa68569b927e |
| SHA512 | 045eeb5f261e92106c59dd93e6770360f9d78bd4488a443583d53f0dbfd5bd6b8e55dc1db2d147c8cbb490934bdc1da08676b47826c4f3aada941cac1936bf16 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2602619f117d575395ff831c633262c9 |
| SHA1 | 855100794013d429805a841765ccb06028fa497d |
| SHA256 | fa60f8824ad63fff898000bcd3b24ce038a7090ca3bc06269ce6846d69b5814f |
| SHA512 | 1e92d1a8a6cab45d562bda9b1970e5a2f942bb1572d1c1d4424d7db346051232ea4ca3262519375f25fb787822ea76708633941d73e70f8c39e4fd49a1477a4d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c98d71c46c2dcd3ccc1ac049e46a0ed9 |
| SHA1 | 4de2d40276abbe9a46016ea24682a30603d68433 |
| SHA256 | 079246eda2c4a8a1f3952299700df2682962ea3ee4f428cc80ce1013927e1d5d |
| SHA512 | 0bbbb2ca44273bff13ee5bab911a26f22c9da0715db8e19aa062b62d60a1005a08e93bebd3deb8aa7396579afeeac7c09c314e15f690e7b303796ee82ef5fc79 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ba70e9e6cb37a7a5d2de034cc9bc49c1 |
| SHA1 | e6f41d0f0bf51ee4402aaf6b6547cec6b7ebd376 |
| SHA256 | 6d51db4c7cb654abf3fefc753a904314c0792b428728b38149c4e47e6f0176db |
| SHA512 | 2c854a843ce7fd4f9275d01098ccacb831424abf0f63771ce8b9cb65a795ed04e755b5d0c11c7b98b1c8e14c8a1ecda41f092b03ef58428d01554646aac870bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f12b30c7cf7bf81ff83d038e943f5496 |
| SHA1 | 83da6d39c7e83d8bbd34d419cc93c3f5a4777490 |
| SHA256 | 4dfa99de2438c49241dd4dae0e18b751e10cb693a4e9821b2d5df1f1d4a3d8db |
| SHA512 | e3daf5f7f6afe84269726fa1e7e387dd9f88c67c485c2853527b0766647493acf6e4b8808ffa91d0a9033ce08fffc989b1adfa663dda5e23ea0bee1720756792 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a97ebf86a20b007f6d981f527dbf184e |
| SHA1 | daa09758c8edcddbc346122888513442fb7ea1a9 |
| SHA256 | 21d9fcf80750f5e80b81a416134ba07c8bfa8bcfae9246f676e02d3e644fa9fe |
| SHA512 | 315a74b6b32fac56e19038510f0974b8d744f60300cea2e2d2a6791c90d4cef60252dc408b44fe98364baea681e10deb3b3a8851152331ab8846cea4ad313e88 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 0083de7e8c020506e1f83773283cfbc4 |
| SHA1 | 8fab644b10d355d91f0bc07fa01aca2e3b7c322b |
| SHA256 | 53822a47d725eacd88585e852d26df9ea20d6a5eb673c3db77f6e3d298b802bc |
| SHA512 | 375c7fb8996535aa6c0b6ed29e06a2e7194a25a36c8b3477447536e1b498b431890cfb97e751a58e4b874a3f28453e5232b23709693fdf104d158119fb11d2fa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f67cb152d2d353c8c9890b5ce4fe14c1 |
| SHA1 | dd3f5168f2e429cd2a52792af2b475582d400884 |
| SHA256 | 564a2a799c2f718a75773fc5946b3ae2786f2c2865e48d328b0f9564805c7c75 |
| SHA512 | 4131242884d6686acc16a78bfdba91ad2742e921e05f8e1d6ddc680b3438c495356e82b7f184aab6a77a1e49e54bceb18d24c06b9daeedc3fa6208a46ffc5fbc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 79540eed4c2f15e6a959617c458af6ce |
| SHA1 | 1f9eb737c64614addd696e0ddcf1c587d3ab981d |
| SHA256 | 77ff6fd6b69e385f2b9db65cc0ea0637d1b71a77735299a59758ed90ac0b5df8 |
| SHA512 | 1c9e948e4be21432470d2f5f4fd4bcb797456aaac6049be3e7f5a9b787af6cfded110a4adcb986bf50cd848989b3a370ea5c19db27c72bf6bdcde60cf42d01b3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 17edb311ebf341cd31932ee844c4f909 |
| SHA1 | f5aad06ef5886ce258827c9c14cea2567bdc6083 |
| SHA256 | d3c4b0bc0e261fb4ac69eb04d4ffe26fc85efa778351686dff4b0b4bb787731d |
| SHA512 | 60f17cc875e30b06c691edbe9b4859fe4372d4992c39fa0107a7aece0f20390b2ab66b83519c4263afa155315bb9aaf3f7530f4c5bb75f8e6ec1114a3e4a900e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c0aa4f0ce4f6a66b4b6c0058f9157158 |
| SHA1 | c47d570a9f5bd03419f0374cc831a4b25f7961ac |
| SHA256 | b5b08ea3a5acc4730d8f29206cd5cf458426b9aae97e412b672fa5cc9144da40 |
| SHA512 | fd34a505f4b6082f246e24220dda9d77166093402413edea9d3cec27cf0e232642b11bc1051b433e45d2945fcb83e4e11e9dd77aad467e2c03f53dd6e0d6be5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c54473b0bfa3047338a90edaf918bafa |
| SHA1 | 38aa9ebe4d3cf5092a31fcc4bfb7589b9ddee774 |
| SHA256 | fa07feb4d3de98c55e354c7b8924780a86d687a10cc4b78689886b7e4db18300 |
| SHA512 | 3fd286c41fcbf8e8e8d65e327c7dc1f2b1d9cb5efd40e38fb4f2aca586bfe69fe79b8a945c6d5b28cb57d24c36903c91eab6146c7ec012df2245ff0f748baf55 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dbdeaead887ca1781483e9ddb2ecd704 |
| SHA1 | 0719e35120fa8e910bfb23888278b9cef0c28f18 |
| SHA256 | 69b9a40f4af78c819eb8bf0621d66e69dedb5af4360256f858e89ef6a44a301c |
| SHA512 | 5ae5fa5de54edaf0b1631ab7f32ed6f45eaadb3c401e1324ec99972fccbf86c35d391d15f3ec14487bf16011dd0a5b5a1998f66b54844c7d3fba4b6113bcea31 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 0ea576409c31816ddfd6ce5226338d86 |
| SHA1 | 00bcc84707eb32a35ba98546082734247d470fe2 |
| SHA256 | 62da1c0e5ca57c44a9f586ddb72cb0e6dfb96ae54dcccce52ba381b93ba8bda1 |
| SHA512 | c6a6ec93e52b228cb7aac66d07283caa97f00060c41a4a88c6adbc74931ec86ff7f9a8dbc86ba99d8b8b56c07b5bb9ade6050a51d6fff7ba1378035b9181574e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 309b700c8055820584b2fd91a4d3a189 |
| SHA1 | bb17c8bcb930452e701dfc09122d3412a5e8cfd2 |
| SHA256 | 949c23ef6a27523c3c322fc0aa721b08021b8ed327ac48ca0a66b3f158bee50f |
| SHA512 | 6ece5e5525d2b7f20109f78e8bc3262fb7a2c718fd5d9dbc105f86689954707c6cba0ff4f1788450150161bb937d16d45f56cd5048823273cb42a76c503b87ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a97ca8a3cc8f9bc2657767ee7cc5e749 |
| SHA1 | f69c150272923e37e6736a57a127094d28f1ed72 |
| SHA256 | 4f06427c29a7defb9570e905c09f2bfce19de253b54017e85576fe4edc9d8ee2 |
| SHA512 | a5f692236bceca9027eb4b1c33c6bd6a4dbbf03a7164100b8d61610d3384b3602dcececb7fcc07058b1dda592ccb23f570849f9ce3f87df94028de74e4395d1c |
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240220-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\2YourFace\2YourFace.crx | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\FF8Installer.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\uninst.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\bho.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\install.rdf | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=f0f7dae7000000000000ee69c2ce6029" | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 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 | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}" | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=f0f7dae7000000000000ee69c2ce6029" | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a37574b57736773135d0b0353435d134b47335d4b5737735d37570367374b4b57330b73d35a06010181634277bc0026920c08 | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
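The rows under "Installs/modifies Browser Helper Object", "Modifies Internet Explorer settings", "Modifies Internet Explorer start page" and "Modifies registry class" above describe one installation when read together: the BHO key names a CLSID, that CLSID's InProcServer32 names the DLL, and the new default search scope and the start page both point at the same affiliate-tagged URL. The script below is an added example, not part of the report or of the installer. It runs over (operation, key, value) rows copied from those tables (values shown unescaped, and the trailing backslash the sandbox prints for a key's default value dropped) and correlates them into findings carrying the CLSID, the DLL path, the host and the affID/mntrId tracking parameters. The ATT&CK IDs in the output are my own mapping (T1176 Browser Extensions, T1112 Modify Registry), not something the report states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# (operation, key path, value) rows copied from the tables above.
ROWS = [
    ("Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer"
     r"\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer", "1"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}",
     "2YourFace Addon"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32",
     r"C:\Program Files (x86)\2YourFace\bho.dll"),
    ("Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer"
     r"\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL",
     "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=f0f7dae7000000000000ee69c2ce6029"),
    ("Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer"
     r"\SearchScopes\DefaultScope", "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}"),
    ("Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer"
     r"\Main\Start Page",
     "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=f0f7dae7000000000000ee69c2ce6029"),
]

GUID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
BHO_RE = re.compile(r"\\Browser Helper Objects\\" + GUID + r"(?:\\|$)", re.I)
INPROC_RE = re.compile(r"\\CLSID\\" + GUID + r"\\InProcServer32\\?$", re.I)
CLSID_NAME_RE = re.compile(r"\\CLSID\\" + GUID + r"\\?$", re.I)
SCOPE_URL_RE = re.compile(r"\\SearchScopes\\" + GUID + r"\\URL$", re.I)
DEFAULT_SCOPE_RE = re.compile(r"\\SearchScopes\\DefaultScope$", re.I)
START_PAGE_RE = re.compile(r"\\Internet Explorer\\Main\\Start Page$", re.I)


def url_facts(url):
    """Host plus the affiliate/tracking query parameters the hijack URLs carry."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    return {"host": parts.hostname,
            "affID": q.get("affID", [None])[0],
            "mntrId": q.get("mntrId", [None])[0]}


def triage_registry_rows(rows):
    """Correlate raw registry rows into findings: BHO CLSID -> name and DLL,
    DefaultScope -> its URL, and the start page, each with tracking IDs."""
    bhos, inproc, names, scope_urls = set(), {}, {}, {}
    default_scope = start_page = None
    for _op, key, value in rows:
        if m := BHO_RE.search(key):
            bhos.add(m.group(1).upper())
        elif m := INPROC_RE.search(key):
            inproc[m.group(1).upper()] = value
        elif m := CLSID_NAME_RE.search(key):
            names[m.group(1).upper()] = value
        elif m := SCOPE_URL_RE.search(key):
            scope_urls[m.group(1).upper()] = value
        elif DEFAULT_SCOPE_RE.search(key):
            default_scope = value.upper()
        elif START_PAGE_RE.search(key):
            start_page = value
    findings = []
    for clsid in sorted(bhos):   # a BHO with no InProcServer32 row still gets reported, dll=None
        findings.append({"finding": "bho_registered", "technique": "T1176", "clsid": clsid,
                         "name": names.get(clsid), "dll": inproc.get(clsid)})
    if default_scope in scope_urls:
        findings.append({"finding": "default_search_hijack", "technique": "T1112",
                         "clsid": default_scope, "url": scope_urls[default_scope],
                         **url_facts(scope_urls[default_scope])})
    if start_page:
        findings.append({"finding": "start_page_hijack", "technique": "T1112",
                         "url": start_page, **url_facts(start_page)})
    return findings


if __name__ == "__main__":
    for f in triage_registry_rows(ROWS):
        print(f)
```

Run over a full export of the report's registry rows, the same function separates the few writes that change what the browser loads or where it searches from the many Internet Explorer\* keys iexplore.exe touches as housekeeping (TabbedBrowsing, Recovery, Zoom and the like in the first analysis above).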
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"
C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\C64EA770-BAB0-7891-98C1-514C084FE712\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C64EA7~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C64EA7~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | info.babylon.com | udp |
| US | 184.154.27.235:80 | info.babylon.com | tcp |
| US | 8.8.8.8:53 | stp.babylon.com | udp |
| US | 184.154.27.232:80 | stp.babylon.com | tcp |
| US | 8.8.8.8:53 | dl.babylon.com | udp |
| US | 198.143.128.244:80 | dl.babylon.com | tcp |
| US | 8.8.8.8:53 | ocsp.thawte.com | udp |
| US | 152.199.19.74:80 | ocsp.thawte.com | tcp |
| US | 8.8.8.8:53 | crl.thawte.com | udp |
| SE | 192.229.221.95:80 | crl.thawte.com | tcp |
| US | 8.8.8.8:53 | cs-g2-crl.thawte.com | udp |
| SE | 192.229.221.95:80 | cs-g2-crl.thawte.com | tcp |
| US | 184.154.27.235:80 | info.babylon.com | tcp |
| US | 8.8.8.8:53 | www.outbrowse.com | udp |
| US | 8.8.8.8:53 | www.outbrowse.com | udp |
| US | 13.248.169.48:80 | www.outbrowse.com | tcp |
| US | 13.248.169.48:80 | www.outbrowse.com | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
117s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\2YourFace\FF8Installer.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\uninst.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\2YourFace.crx | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\bho.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\install.rdf | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=0989972500000000000052c9c93bbee7" | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=0989972500000000000052c9c93bbee7" | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 43404039789c636262604903622146b36a17172303674373575d63670b375d137317675d0b47530b5d370b430313130b33331753b35a06010181a9cd4fff030024c70cd6 | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"
C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ED2CFE~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ED2CFE~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | info.babylon.com | udp |
| US | 184.154.27.235:80 | info.babylon.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stp.babylon.com | udp |
| US | 184.154.27.232:80 | stp.babylon.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 184.154.27.235:80 | info.babylon.com | tcp |
| US | 8.8.8.8:53 | 235.27.154.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.27.154.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.outbrowse.com | udp |
| US | 13.248.169.48:80 | www.outbrowse.com | tcp |
| US | 13.248.169.48:80 | www.outbrowse.com | tcp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.77.24.184.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\Babylon.dat
| MD5 | adbb6a655ae518830ba1afefdb84668f |
| SHA1 | a1be53d99a67fff011ea035c310588e635c718e1 |
| SHA256 | 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c |
| SHA512 | b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\SetupStrings.dat
| MD5 | 07bb1523dc51ec1fd5913b0a70ab98ee |
| SHA1 | 216f853cb251f32f5c91345404efd48f041ad5bd |
| SHA256 | 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2 |
| SHA512 | 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db |
C:\Users\Admin\AppData\Local\Temp\ED2CFE~1\IECOOK~1.DLL
| MD5 | 5a27c8702510d0b6c698163053fde6d1 |
| SHA1 | 69fdc602a51e52c603f23a80e9b087c262dce940 |
| SHA256 | ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437 |
| SHA512 | ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\sqlite3.dll
| MD5 | 0f66e8e2340569fb17e774dac2010e31 |
| SHA1 | 406bb6854e7384ff77c0b847bf2f24f3315874a3 |
| SHA256 | de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f |
| SHA512 | 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\BExternal.dll
| MD5 | 743acbf54eb091066be6ab3cb12c5988 |
| SHA1 | 43a205985790c47a7e611fa2d3cab9b4eb59121f |
| SHA256 | fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0 |
| SHA512 | 014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\sign
| MD5 | 73dbc500e121b83ec57bb2563203259a |
| SHA1 | 658adac13fc362f5292cbbda19ade1d228ff7901 |
| SHA256 | 9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878 |
| SHA512 | c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\blueStar.png
| MD5 | a7fcdf142648bac756fcfe06a31f42e4 |
| SHA1 | 4df99b119c183c821ed1bf0f825536318c9c3353 |
| SHA256 | 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22 |
| SHA512 | ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\eula.html
| MD5 | 1b73a781f7f5b0d61624bd97050a2ed0 |
| SHA1 | 01b848625761d5dede115e8599e4c72f126f8a3c |
| SHA256 | f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5 |
| SHA512 | 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\globe.png
| MD5 | cc53fb9e9456eb79479151090cb16cbd |
| SHA1 | e61004bf729757f3f225f77f0236b82518f68662 |
| SHA256 | 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42 |
| SHA512 | 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\page0.html
| MD5 | cf33120dd42cee842d96532843bb1961 |
| SHA1 | 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf |
| SHA256 | 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f |
| SHA512 | 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\options.js
| MD5 | 771f230f8bbc96a03b13976667918f1f |
| SHA1 | 0fba422c76b89cdb5d12e657064c49a9b1b7abae |
| SHA256 | 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252 |
| SHA512 | b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\page2.css
| MD5 | 085cf46c4d1c8dea9edd79ee37d6d5bd |
| SHA1 | 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45 |
| SHA256 | 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d |
| SHA512 | 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\page2Lrg.css
| MD5 | db15b568f9d195635b3fcab87ef6293f |
| SHA1 | 6ae0f374531cb3013857880e8469a103492b8393 |
| SHA256 | 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d |
| SHA512 | a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\page3.css
| MD5 | 07784ad77f30fa018949e412b2257aab |
| SHA1 | 8595c222a3741bfa83c5a4d982c845c8038062a6 |
| SHA256 | 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf |
| SHA512 | 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\page3.html
| MD5 | b23c25988099403433efb7fb64715676 |
| SHA1 | e833527e1c021b311286e6e2d1c2f0530be0a565 |
| SHA256 | 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c |
| SHA512 | 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\page2.html
| MD5 | 12152ded3604e8baaf82c078f8034d60 |
| SHA1 | 0867dec241a257e3e9ad9e8d20b9e06e3bce7184 |
| SHA256 | abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485 |
| SHA512 | a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\page3Lrg.css
| MD5 | b3520c555c46a7020d8f27bfe81df0ca |
| SHA1 | 59398086abe3987c2a91edacb74eca94bbd63d7d |
| SHA256 | 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6 |
| SHA512 | 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\pBar.gif
| MD5 | 26621cb27bbc94f6bab3561791ac013b |
| SHA1 | 4010a489350cf59fd8f36f8e59b53e724c49cc5b |
| SHA256 | e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3 |
| SHA512 | 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\progress.png
| MD5 | dee08d8cbcdeb8013adf28ecf150aaf3 |
| SHA1 | c61cd9b1bd0127244b9d311f493fc514aa5c08d6 |
| SHA256 | eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5 |
| SHA512 | c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\title.png
| MD5 | 12ef76069cc40b8ad478d9091915ded6 |
| SHA1 | fabad560b6e6839f9e5ae1268695d11ca35f9d74 |
| SHA256 | 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c |
| SHA512 | 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067 |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\setup.js
| MD5 | a95607ce49fa0af8ed7a3f5667c3eb31 |
| SHA1 | 5e4b5a30e56c42329afdf216625bf35be69a82aa |
| SHA256 | 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c |
| SHA512 | 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b |
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\HtmlScreens\toolBar.jpg
| MD5 | 56dc3cb42b46309e642c15167003685d |
| SHA1 | 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d |
| SHA256 | bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1 |
| SHA512 | 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60 |
memory/3204-120-0x0000000060900000-0x0000000060970000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ED2CFE6F-BAB0-7891-9E5E-DF429CAAB76A\BabyTBConf.ini
| MD5 | 6e26baea62c9d1b454b6acfa419cbed4 |
| SHA1 | 84cec318c9bc8b7081a4ffb5bf187250bf592e71 |
| SHA256 | 65068ac98583c80b2498fd40a05dabe9aa03d39662a6f7f29a632f5a79e1d6e8 |
| SHA512 | 71fbe31d8347af2209b99986647ed4528e313728e2ba1b6f682ff4e91260d2a1595382aa522a5cf935db855ae033c4d345c2689722d61d2843ad0d1ed1769066 |
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
| MD5 | 9ce448dcd7cf13dd950725957361bdff |
| SHA1 | 5831ff31825ea82d90a2989e0fc0a33b859d5f97 |
| SHA256 | 3dbc5aff076ef9c86a90ad30e963581f7cb22f8e212aa38db29d82cf45b73f80 |
| SHA512 | b4a175da3677cd3380cb3789f281f2afb10aa00dc9592217062d66eb9b5e73805886b692975d7244cdd439d8d5bcd0eb5810533284ba4b13ff02a20b792bf74f |
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 5d8d0c08384ad73216d52a2eabc064f5 |
| SHA1 | 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc |
| SHA256 | 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce |
| SHA512 | 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57 |
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
| MD5 | 991cd458830ae2008be0c2d8e26c8bd0 |
| SHA1 | d519a7ffd8360a47450e60b7d665e666d9df89bc |
| SHA256 | f2ecda9fb1b201d9a120c5906c6b0983205e4858ecea0065499841cf4047eb71 |
| SHA512 | e45ce313823e43726418378920c367a4957b2806ee8070d0f4acf63fd1fa893577fbe91fc859c81bd8d6984ca1c0fe9ef0b32200c79106a3f7dcff0b8efdb4aa |
memory/4608-163-0x00007FFDC0BD0000-0x00007FFDC1571000-memory.dmp
memory/4608-164-0x000000001BD40000-0x000000001C20E000-memory.dmp
memory/4608-165-0x0000000001270000-0x0000000001280000-memory.dmp
memory/4608-166-0x00007FFDC0BD0000-0x00007FFDC1571000-memory.dmp
memory/2896-167-0x00007FFDC0BD0000-0x00007FFDC1571000-memory.dmp
memory/2896-168-0x0000000000F10000-0x0000000000F20000-memory.dmp
memory/2896-169-0x00007FFDC0BD0000-0x00007FFDC1571000-memory.dmp
memory/4608-171-0x00007FFDC0BD0000-0x00007FFDC1571000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\PingMe.exe.log
| MD5 | 21474607a881ad45866e78423d00d806 |
| SHA1 | c406964aeaeefb6e331df4444fbbbb3beb5a4728 |
| SHA256 | 7905b13d8a2686b95d70c4e9a72cbe2e0e2d158af8654b8514f8912b2203f65e |
| SHA512 | bd1df4de95068874ae63dad6d6d0ab27b85fc340202b8ee6fd97c8501a93641ab76d953c92dad3f53e7375f5565b609f65a918e48d1ee79cf4238421847e9b68 |
memory/2896-173-0x00007FFDC0BD0000-0x00007FFDC1571000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 932 wrote to memory of 4872 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 932 wrote to memory of 4872 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 932 wrote to memory of 4872 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4872 -ip 4872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
124s
Max time network
132s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\AddInstall.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3856,i,11123149219465304642,109907309914991071,262144 --variations-seed-version --mojo-platform-channel-handle=3828 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
159s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efe7c01f9a19f5bbc39b0b289b049339_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn6841.tmp\tools.dll
| MD5 | e12f05661436f2974cf91b5fc76fb5f4 |
| SHA1 | 5e0b7887950204713bef3da0018911279f2540ec |
| SHA256 | 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc |
| SHA512 | 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d |
memory/3976-19-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-23-0x0000000074790000-0x0000000074D41000-memory.dmp
memory/3976-24-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-25-0x0000000074790000-0x0000000074D41000-memory.dmp
memory/3976-27-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-29-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-30-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-31-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-32-0x0000000074790000-0x0000000074D41000-memory.dmp
memory/3976-33-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-34-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-35-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-36-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-37-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3976-38-0x0000000003350000-0x0000000003360000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 224
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240215-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 224
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsd5CD6.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsd5CD6.tmp\ioSpecial.ini
| MD5 | 454e10920b74d4a14c1e4d0d0c843c71 |
| SHA1 | f981915708f579e832c160a038b20b349453fbbd |
| SHA256 | bf526dd047a6315cad9172ee042118018f599151042136b32ee78e50779a2026 |
| SHA512 | 185b962d0ead20f1403e85298472e006db9f9207ab399d04b128786ceed1365eac3842664d643166793b8c29c1844e58389c568f8a8129025ca8964d52f1e8f9 |
C:\Users\Admin\AppData\Local\Temp\nsd5CD6.tmp\ioSpecial.ini
| MD5 | d1d37ccc99475cbdaa92247fedf5b3f9 |
| SHA1 | aff427ceb0cacf25fc487b2a5eeb4560a307872a |
| SHA256 | 7085e67bb5f54a282f5198ebd52c376b92d8633890db95589f28a76daebd0a9c |
| SHA512 | 83e29dcf69ab4f7abb2620452aafc42d82d0b487f18a8ba0a7f401b09ecb004faf4ef39038398071323b8dd2712b99ad2e5ad6efcaca39fdc35c0018d79de158 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240215-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 244
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4988 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4988 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4988 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2548 -ip 2548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 644
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\background.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd96bb46f8,0x7ffd96bb4708,0x7ffd96bb4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1864 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4875427093409577936,14147435366818962929,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | static1.2yourface.com | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 34.205.242.146:80 | static1.2yourface.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.242.205.34.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_1364_JPBEZDYCMUYEONFW
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 228
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240319-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"
Network
Files
memory/2492-0-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
memory/2492-1-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
memory/1792-0-0x00007FFA5FBF0000-0x00007FFA60591000-memory.dmp
memory/1792-1-0x00007FFA5FBF0000-0x00007FFA60591000-memory.dmp
memory/1792-3-0x0000000000C60000-0x0000000000C70000-memory.dmp
memory/1792-2-0x000000001B900000-0x000000001BDCE000-memory.dmp
memory/1792-5-0x00007FFA5FBF0000-0x00007FFA60591000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20240221-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nst92DE.tmp\ioSpecial.ini
\Users\Admin\AppData\Local\Temp\nst92DE.tmp\InstallOptions.dll
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-15 00:44
Reported
2024-04-15 00:47
Platform
win7-20231129-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 224