Malware Analysis Report

2025-01-18 21:45

Sample ID 240415-afqjfsca2z
Target efd711f06086575db73d17d6ea2735d3_JaffaCakes118
SHA256 6ff34d0c5aa7544303aba5068bdf220914abf09209719a328c1cf2aa7790e6ec
Tags: upx adware discovery evasion spyware stealer trojan
Score: 7/10

Analysis Overview

Score: 7/10

SHA256 6ff34d0c5aa7544303aba5068bdf220914abf09209719a328c1cf2aa7790e6ec

Threat Level: Shows suspicious behavior

The file efd711f06086575db73d17d6ea2735d3_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx adware discovery evasion spyware stealer trojan

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Drops startup file

Checks whether UAC is enabled

Installs/modifies Browser Helper Object

Checks installed software on the system

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer start page

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 00:09

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efd711f06086575db73d17d6ea2735d3_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\efd711f06086575db73d17d6ea2735d3_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efd711f06086575db73d17d6ea2735d3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efd711f06086575db73d17d6ea2735d3_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst7A31.tmp\tools.dll

MD5 e12f05661436f2974cf91b5fc76fb5f4
SHA1 5e0b7887950204713bef3da0018911279f2540ec
SHA256 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc
SHA512 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d

memory/2820-19-0x00000000024D0000-0x0000000002510000-memory.dmp

memory/2820-24-0x0000000073D60000-0x000000007430B000-memory.dmp

memory/2820-23-0x0000000073D60000-0x000000007430B000-memory.dmp

memory/2820-25-0x00000000024D0000-0x0000000002510000-memory.dmp

memory/2820-26-0x00000000024D0000-0x0000000002510000-memory.dmp

memory/2820-29-0x0000000005D10000-0x0000000005E10000-memory.dmp

memory/2820-30-0x0000000005D10000-0x0000000005E10000-memory.dmp

memory/2820-31-0x0000000005D10000-0x0000000005E10000-memory.dmp

memory/2820-42-0x00000000024D0000-0x0000000002510000-memory.dmp

memory/2820-43-0x0000000073D60000-0x000000007430B000-memory.dmp

memory/2820-44-0x0000000005D10000-0x0000000005E10000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 228

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

"C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe"

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=0

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

MD5 ff0198fd1f59b71c1deec34b6b0b0c07
SHA1 cae622ad91a3bab0996589e3bf905c9d4eeb6059
SHA256 f552d818f17841efb7f06803ecd2479fe5c9b2a0d3c4dad2c9d90b42e2e9d7d5
SHA512 96795276eefcde81b0ad4ac85f4aaec368cb93bd9e9912c343316912f1502f3a22d845af3ba75ea5aa92b1936028558d48c11a77d331d49bd77f58b886868ccc

C:\Users\Admin\AppData\Local\Temp\nsn352A.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\ioSpecial.ini

MD5 ea2ce23ee5ad7eef34215807d33c7f00
SHA1 759ad0ae2814745f193a40a1dde0d89e4866fe40
SHA256 32fe4702407853579fa7ec4a69ae3adb4d1f67cbe9dca6388bd0a485b8a1e577
SHA512 b70c7fb396c02aeddff5050130c180329d41bb60a0a0a44c7bd19857bda6ff1562700b873182efce46839f72ada0b95eac2093d385706d5d54863bfd5b1bfe4f

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 228

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 228

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 4484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1196 wrote to memory of 4484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1196 wrote to memory of 4484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4484 -ip 4484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

"C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe"

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=0

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy2991.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\SetupAuto.exe

MD5 ff0198fd1f59b71c1deec34b6b0b0c07
SHA1 cae622ad91a3bab0996589e3bf905c9d4eeb6059
SHA256 f552d818f17841efb7f06803ecd2479fe5c9b2a0d3c4dad2c9d90b42e2e9d7d5
SHA512 96795276eefcde81b0ad4ac85f4aaec368cb93bd9e9912c343316912f1502f3a22d845af3ba75ea5aa92b1936028558d48c11a77d331d49bd77f58b886868ccc

C:\Users\Admin\AppData\Local\Temp\nsy2A2D.tmp\ioSpecial.ini

MD5 2d5eda4b7e4e0c812c3f5bf61f455361
SHA1 beebf0011f46f2a3eb9d6ede8cf0ab4c74ae6b8c
SHA256 679a79f3848c3148d6345b6a91901f18889e4b75adabca8f20a67627801b167c
SHA512 a8c7e0453e1d7029782d41d6308d2f5323334f2ff5a29f36c2fa04be5ec29af61bc33b3eab3b1e24b6281d6e9d12f840be22450c641b285193d5a9f719eb14ab

\Users\Admin\AppData\Local\Temp\nsy2A2D.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

90s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 3296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4392 wrote to memory of 3296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4392 wrote to memory of 3296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3296 -ip 3296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240215-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

113s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5116 wrote to memory of 400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5116 wrote to memory of 400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5116 wrote to memory of 400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

112s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 3088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 3088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 3088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3088 -ip 3088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 228

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4552 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4552 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4552 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3588 -ip 3588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 228

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

0s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5100 wrote to memory of 2644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5100 wrote to memory of 2644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5100 wrote to memory of 2644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 624

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

91s

Max time network

115s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2768 -ip 2768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 13.89.179.14:443 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
BE 2.17.197.240:80 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240215-en

Max time kernel

122s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Network

N/A

Files

memory/2660-0-0x00000000000F0000-0x0000000000104000-memory.dmp

memory/2660-1-0x00000000000F0000-0x0000000000104000-memory.dmp

memory/2660-2-0x00000000001E0000-0x00000000001F4000-memory.dmp

memory/2660-3-0x00000000000F0000-0x0000000000104000-memory.dmp

memory/2660-4-0x00000000000F0000-0x0000000000104000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efd711f06086575db73d17d6ea2735d3_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\efd711f06086575db73d17d6ea2735d3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efd711f06086575db73d17d6ea2735d3_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsx33E3.tmp\tools.dll

MD5 e12f05661436f2974cf91b5fc76fb5f4
SHA1 5e0b7887950204713bef3da0018911279f2540ec
SHA256 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc
SHA512 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d

memory/3440-19-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-23-0x00000000741C0000-0x0000000074771000-memory.dmp

memory/3440-24-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-25-0x00000000741C0000-0x0000000074771000-memory.dmp

memory/3440-26-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-29-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-30-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-31-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-32-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-33-0x00000000741C0000-0x0000000074771000-memory.dmp

memory/3440-34-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-35-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-36-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-37-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/3440-38-0x00000000032F0000-0x0000000003300000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2YourFace_Updater.lnk C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\AppName = "Updater.exe" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = (binary value omitted) C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D} C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=112042&babsrc=SP_ss&mntrId=84e61fe00000000000006ead7206cc74" C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}" C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=112042&babsrc=HP_ss&mntrId=84e61fe00000000000006ead7206cc74" C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a53276767736733575d3713030b5d136757535d4753274b5d0313630313035727136327c75a06010101bfb249c90024120ba5 C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2948 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe
PID 2696 wrote to memory of 2516 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 2844 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 1668 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 1668 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=112042" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe" /aflt=babsst /babTrack="affID=112042" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\F4BD06~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\F4BD06~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 info.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 dl.babylon.com udp
US 198.143.128.244:80 dl.babylon.com tcp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 8.8.8.8:53 cs-g2-crl.thawte.com udp
SE 192.229.221.95:80 cs-g2-crl.thawte.com tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 www.outbrowse.com udp
US 13.248.169.48:80 www.outbrowse.com tcp

Files

\Users\Admin\AppData\Local\Temp\nso5F41.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

MD5 3d91ecdbb3404485702fb92b26b17d90
SHA1 5dfc514a7a1e037683fed57029f49fa6c6f04dbf
SHA256 588b7896a3712043efd9789e8bd2de35d2bcc082344f2d2cb7a90cfadc66b6d9
SHA512 1cc40cfa7328eb251f9cc5bc4c5ba695e213c8efda94e8ef23cfc7786a561c8298c05b39fbbbcfccc90eaf3a18090f1d6fd4ecc405795565fdb8790c9b2093d3

\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Setup.exe

MD5 14c2d4576d528ed76fada4f4fa1a5952
SHA1 3a9d7d4639b5eb8bec42df972c44493690eaadfc
SHA256 6e7425ace83127aa18a94927144f3d97870f7395606285606635c3ae591f1b52
SHA512 15c32a49946429e15ff8a8e4293d2ccccd160c43c24d3b6f9ccb0373f3dfb666e3c04c062feecc5dd6415f44c7230a09f0cc423aed601a121c2afec28d772558

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\bab033.tbinst.dat

MD5 1ee8c638e49ee7137607722768afc5a2
SHA1 8719d7a498a49b042cd6fc411cac6c44f3c0f43a
SHA256 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e
SHA512 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\bab091.norecovericon.dat

MD5 4f6e1fdbef102cdbd379fdac550b9f48
SHA1 5da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256 e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA512 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\SetupStrings.dat

MD5 07bb1523dc51ec1fd5913b0a70ab98ee
SHA1 216f853cb251f32f5c91345404efd48f041ad5bd
SHA256 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2
SHA512 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Babylon.dat

MD5 adbb6a655ae518830ba1afefdb84668f
SHA1 a1be53d99a67fff011ea035c310588e635c718e1
SHA256 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c
SHA512 b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228

C:\Users\Admin\AppData\Local\Temp\F4BD06~1\IECOOK~1.DLL

MD5 5a27c8702510d0b6c698163053fde6d1
SHA1 69fdc602a51e52c603f23a80e9b087c262dce940
SHA256 ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437
SHA512 ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51

memory/2516-50-0x00000000009C0000-0x00000000009C2000-memory.dmp

memory/2696-51-0x0000000000210000-0x0000000000212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\BExternal.dll

MD5 743acbf54eb091066be6ab3cb12c5988
SHA1 43a205985790c47a7e611fa2d3cab9b4eb59121f
SHA256 fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0
SHA512 014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\sign

MD5 73dbc500e121b83ec57bb2563203259a
SHA1 658adac13fc362f5292cbbda19ade1d228ff7901
SHA256 9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878
SHA512 c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\blueStar.png

MD5 a7fcdf142648bac756fcfe06a31f42e4
SHA1 4df99b119c183c821ed1bf0f825536318c9c3353
SHA256 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22
SHA512 ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\eula.html

MD5 1b73a781f7f5b0d61624bd97050a2ed0
SHA1 01b848625761d5dede115e8599e4c72f126f8a3c
SHA256 f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5
SHA512 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\globe.png

MD5 cc53fb9e9456eb79479151090cb16cbd
SHA1 e61004bf729757f3f225f77f0236b82518f68662
SHA256 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42
SHA512 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\options.js

MD5 771f230f8bbc96a03b13976667918f1f
SHA1 0fba422c76b89cdb5d12e657064c49a9b1b7abae
SHA256 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252
SHA512 b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\page0.html

MD5 cf33120dd42cee842d96532843bb1961
SHA1 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf
SHA256 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f
SHA512 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\page2.css

MD5 085cf46c4d1c8dea9edd79ee37d6d5bd
SHA1 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45
SHA256 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d
SHA512 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\page2.html

MD5 12152ded3604e8baaf82c078f8034d60
SHA1 0867dec241a257e3e9ad9e8d20b9e06e3bce7184
SHA256 abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485
SHA512 a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\page2Lrg.css

MD5 db15b568f9d195635b3fcab87ef6293f
SHA1 6ae0f374531cb3013857880e8469a103492b8393
SHA256 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d
SHA512 a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\page3.css

MD5 07784ad77f30fa018949e412b2257aab
SHA1 8595c222a3741bfa83c5a4d982c845c8038062a6
SHA256 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf
SHA512 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\page3.html

MD5 b23c25988099403433efb7fb64715676
SHA1 e833527e1c021b311286e6e2d1c2f0530be0a565
SHA256 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c
SHA512 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\page3Lrg.css

MD5 b3520c555c46a7020d8f27bfe81df0ca
SHA1 59398086abe3987c2a91edacb74eca94bbd63d7d
SHA256 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6
SHA512 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\progress.png

MD5 dee08d8cbcdeb8013adf28ecf150aaf3
SHA1 c61cd9b1bd0127244b9d311f493fc514aa5c08d6
SHA256 eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5
SHA512 c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\setup.js

MD5 a95607ce49fa0af8ed7a3f5667c3eb31
SHA1 5e4b5a30e56c42329afdf216625bf35be69a82aa
SHA256 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c
SHA512 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\title.png

MD5 12ef76069cc40b8ad478d9091915ded6
SHA1 fabad560b6e6839f9e5ae1268695d11ca35f9d74
SHA256 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c
SHA512 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\HtmlScreens\toolBar.jpg

MD5 56dc3cb42b46309e642c15167003685d
SHA1 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d
SHA256 bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1
SHA512 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

MD5 5e6230b3b16798e23720958756ac6d9e
SHA1 c7bcb001c48a67d4c9d6e70e92473ebd85b30585
SHA256 d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2
SHA512 6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar75D3.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2116-205-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2692-207-0x0000000060900000-0x0000000060970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\BabyTBConf.ini

MD5 0d6fd9b4ac04e1599d677987498480c6
SHA1 0e0a9b5e9cf47f78282a2769148b90268c34d430
SHA256 e4af8121075ee78700d1327a1cec929407ecc668753234e16779f25e1ed534e5
SHA512 30dff0744e642731b81d052ce78562408c2b9ca46eba98e132090633e4beea81551d592bc3318c9eaf319352d67ed5e1b90037cf95b063dd8b26c3b258d99fb6

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Latest\setup.exe

MD5 5790a04f78c61c3caea7ddd6f01829d2
SHA1 9d783d964338a5378280dd3c3b72519d11f73ffa
SHA256 726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606
SHA512 9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

C:\Users\Admin\AppData\Local\Temp\F4BD06D5-BAB0-7891-A207-01453034817E\Latest\kstp.txt

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

\Users\Admin\AppData\Local\Temp\nso5F41.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

MD5 7fc6bc14a74dc69773587af10132d8c9
SHA1 9d98b268eaa7f4ad208bde39944fdb1ab201e076
SHA256 e288d49f6011dcd3f893e54ceafda9b6b491543966521c483064a7df43e5bdd2
SHA512 a738205fb26bf259e70b1cacfd10f9168d381778ef90a49847b8d332d93b471cbdcf6357a3d2dfb2e41a4666cba98dd9dc2867a20d472636e5fc8080cc073742

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

MD5 ff0198fd1f59b71c1deec34b6b0b0c07
SHA1 cae622ad91a3bab0996589e3bf905c9d4eeb6059
SHA256 f552d818f17841efb7f06803ecd2479fe5c9b2a0d3c4dad2c9d90b42e2e9d7d5
SHA512 96795276eefcde81b0ad4ac85f4aaec368cb93bd9e9912c343316912f1502f3a22d845af3ba75ea5aa92b1936028558d48c11a77d331d49bd77f58b886868ccc

\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

\Users\Admin\AppData\Roaming\2YourFace\Updater.exe

memory/1960-275-0x00000000003D0000-0x0000000000400000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd8392.tmp\SimpleFC.dll

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

"C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsw6301.tmp\ioSpecial.ini

C:\Users\Admin\AppData\Local\Temp\nsw6301.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nsw6301.tmp\ioSpecial.ini

Analysis: behavioral29

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20231129-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 224

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240319-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 228

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

91s

Max time network

113s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 3796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 3796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 3796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2YourFace_Updater.lnk C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D} C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\AppName = "Updater.exe" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=112042&babsrc=SP_ss&mntrId=420820170000000000006e00c7b2a603" C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF6FE19C-C35B-456A-83EF-0ACCBC14F55D}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=112042&babsrc=HP_ss&mntrId=420820170000000000006e00c7b2a603" C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a2313534b530343375d676753375d132333535d47730b635d534b43474b4b0b53331353935a060101015e9f8ffb0118500b9a C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 980 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 980 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 980 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 4832 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe
PID 4832 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe
PID 4832 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe
PID 980 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 980 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 980 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
PID 2692 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 2692 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 2692 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
PID 2692 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe
PID 2692 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe
PID 2692 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=112042" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe" /aflt=babsst /babTrack="affID=112042" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E1E4F3~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E1E4F3~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 info.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 www.outbrowse.com udp
US 8.8.8.8:53 235.27.154.184.in-addr.arpa udp
US 8.8.8.8:53 232.27.154.184.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nse2C7F.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Setup.exe

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\bab033.tbinst.dat

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\bab091.norecovericon.dat

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\SetupStrings.dat

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\Babylon.dat

C:\Users\Admin\AppData\Local\Temp\E1E4F3~1\IECOOK~1.DLL

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\BExternal.dll

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\sign

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\blueStar.png

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\eula.html

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\globe.png

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\options.js

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\page0.html

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\page2.css

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\page3.html

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\page3Lrg.css

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\page3.css

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\page2Lrg.css

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\page2.html

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\pBar.gif

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\title.png

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\toolBar.jpg

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\setup.js

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\HtmlScreens\progress.png

memory/4164-120-0x0000000060900000-0x0000000060970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E1E4F355-BAB0-7891-ABF6-A1C31118A71B\BabyTBConf.ini

C:\Users\Admin\AppData\Local\Temp\nse2C7F.tmp\NSISdl.dll

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

C:\Users\Admin\AppData\Local\Temp\SetupUpdater.exe

memory/512-180-0x00000000024E0000-0x0000000002510000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsm7233.tmp\SimpleFC.dll

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3608 wrote to memory of 2320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3608 wrote to memory of 2320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3608 wrote to memory of 2320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2320 -ip 2320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 596

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe

"C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsy428D.tmp\ioSpecial.ini

MD5 ccfa865aa96297f29a2b45a725def7f8
SHA1 8cb465cebcdbacbac89bef938f675b5b6519c087
SHA256 51cd544376c353abd5e18da467cee5a467bec91631aff545be13463b4e71e6ee
SHA512 0f720a6571c555b573db04896d66b681e49ad38929e29212d73e25a7c8a362fd80e2c5f41e84b215a319023d2cb9339cba0963f138395563fa3b101aa5282834

C:\Users\Admin\AppData\Local\Temp\nsy428D.tmp\ioSpecial.ini

MD5 6ea8230769afe8207e00c4041a9b37a2
SHA1 15652f21f200afe9e619e1e62990544a867756b3
SHA256 79dbdf9341a80ee2d61b966f8fa2c83bb86ba753501a5d1aeb638f68e7733fd2
SHA512 c96d12d776ebd0b22def49a8e4a6ee34cf2a8658568178f02b8d0250d088af4be62a03c40eacfe601577d2c4f4e587d9347706bac3256c3cc07e67e92c20ad79

\Users\Admin\AppData\Local\Temp\nsy428D.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Analysis: behavioral28

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 1820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4752 wrote to memory of 1820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4752 wrote to memory of 1820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1820 -ip 1820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 180 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 180 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 180 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 244

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-15 00:09

Reported

2024-04-15 00:12

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3412 wrote to memory of 316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/316-0-0x0000000000400000-0x0000000000414000-memory.dmp