Malware Analysis Report

2025-01-18 21:37

Sample ID 240415-tlnftscg7x
Target f17550df3cb68018a96b48678322f70b_JaffaCakes118
SHA256 3d60ca3843ccfdb6a60eed5fb4aed22bc0be094735f8855de1056f203717710b
Tags
adware discovery evasion spyware stealer trojan upx
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral4, behavioral9, behavioral13, behavioral19, behavioral21, behavioral32, behavioral3, behavioral15, behavioral20, behavioral25, behavioral28, behavioral6, behavioral8, behavioral10, behavioral26, behavioral1, behavioral12, behavioral23, behavioral27, behavioral14, behavioral17, behavioral29, behavioral2, behavioral11, behavioral16, behavioral18, behavioral22, behavioral30, behavioral5, behavioral31, behavioral7, behavioral24 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score
7/10

SHA256

3d60ca3843ccfdb6a60eed5fb4aed22bc0be094735f8855de1056f203717710b

Threat Level: Shows suspicious behavior

The file f17550df3cb68018a96b48678322f70b_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery evasion spyware stealer trojan upx

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Checks whether UAC is enabled

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Modifies Internet Explorer start page

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 16:08

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 880 wrote to memory of 3440 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 880 wrote to memory of 3440 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 880 wrote to memory of 3440 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\2YourFace\ffextension\install.rdf C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\FF8Installer.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\bho.dll C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\uninst.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\2YourFace.crx C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}" C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=26d909910000000000004a4f109f65b0" C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=26d909910000000000004a4f109f65b0" C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433d39789c636262604903622146b36a43170353371343635d676753735d1310cbd2d0c942d7dcc2dcd1d1c8c2c4d5d5c4a4964140402067ed425b001aff0ba3 C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2336 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2336 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2336 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2336 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2336 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2336 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 2392 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe
PID 2392 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe
PID 2392 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe
PID 2392 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe
PID 2392 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe
PID 2392 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe
PID 2392 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe
PID 1992 wrote to memory of 2016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1992 wrote to memory of 2016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1992 wrote to memory of 2016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1992 wrote to memory of 2016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 2168 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2336 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2336 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2336 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2336 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2336 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2336 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 2336 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 808 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 808 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 808 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 808 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 808 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 808 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 808 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 808 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 808 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 808 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 808 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2336 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2336 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2336 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 2336 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Users\Admin\AppData\Local\Temp\yourface.exe

"C:\Users\Admin\AppData\Local\Temp\yourface.exe"

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\093247~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\093247~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache visitorID|http://babylon.com

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\093247~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=

Network

Country Destination Domain Proto
US 8.8.8.8:53 info.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 dl.babylon.com udp
US 198.143.128.244:80 dl.babylon.com tcp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 8.8.8.8:53 cs-g2-crl.thawte.com udp
SE 192.229.221.95:80 cs-g2-crl.thawte.com tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 www.outbrowse.com udp
US 8.8.8.8:53 www.outbrowse.com udp
US 13.248.169.48:80 www.outbrowse.com tcp
US 13.248.169.48:80 www.outbrowse.com tcp

Files

\Users\Admin\AppData\Local\Temp\nse513D.tmp\System.dll

\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\bab033.tbinst.dat

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\bab091.norecovericon.dat

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\SetupStrings.dat

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Babylon.dat

C:\Users\Admin\AppData\Local\Temp\093247~1\IECOOK~1.DLL

memory/2016-50-0x0000000002040000-0x0000000002042000-memory.dmp

memory/1992-51-0x0000000000240000-0x0000000000242000-memory.dmp

\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\BExternal.dll

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\sign

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\blueStar.png

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\eula.html

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page0.html

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\options.js

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\globe.png

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page2.html

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page2Lrg.css

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page2.css

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page3.css

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\progress.png

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\pBar.gif

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page3Lrg.css

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page3.html

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\setup.js

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\title.png

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\toolBar.jpg

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar6D4B.tmp

memory/1292-210-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2168-212-0x0000000060900000-0x0000000060970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\BabyTBConf.ini

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Latest\setup.exe

C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Latest\kstp.txt

\Users\Admin\AppData\Local\Temp\MainInstaller.exe

\Users\Admin\AppData\Local\Temp\Setup.exe

\Users\Admin\AppData\Local\Temp\PingMe.exe

memory/2284-258-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

memory/2284-259-0x0000000001FA0000-0x0000000002020000-memory.dmp

memory/2284-260-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

memory/1696-261-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

memory/1696-262-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

memory/2284-264-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

memory/1696-263-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Network

N/A

Files

memory/1972-0-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

memory/1972-1-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

memory/1972-2-0x0000000000A70000-0x0000000000AF0000-memory.dmp

memory/1972-3-0x0000000000A70000-0x0000000000AF0000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240319-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy33ED.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nsy33ED.tmp\ioSpecial.ini

Analysis: behavioral32

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

91s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3888 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3888 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3888 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 612

Network

Country Destination Domain Proto
US 13.89.179.14:443 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
BE 2.17.197.240:80 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 1720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 1720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 1720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 1720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 1720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 1720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 1720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240215-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 224

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3584-0-0x00007FFA928E0000-0x00007FFA93281000-memory.dmp

memory/3584-2-0x000000001BB80000-0x000000001C04E000-memory.dmp

memory/3584-1-0x0000000001170000-0x0000000001180000-memory.dmp

memory/3584-5-0x00007FFA928E0000-0x00007FFA93281000-memory.dmp

memory/3584-4-0x00007FFA928E0000-0x00007FFA93281000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Network

N/A

Files

memory/2768-1-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2768-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2768-2-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3580 wrote to memory of 1456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3580 wrote to memory of 1456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3580 wrote to memory of 1456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1456 -ip 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2936 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2936 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 612

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3968 wrote to memory of 3444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3968 wrote to memory of 3444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3968 wrote to memory of 3444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/3444-0-0x00000000007A0000-0x00000000007B4000-memory.dmp

memory/3444-1-0x00000000007A0000-0x00000000007B4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsi39F6.tmp\tools.dll

memory/1444-19-0x0000000002E00000-0x0000000002E40000-memory.dmp

memory/1444-22-0x00000000741B0000-0x000000007475B000-memory.dmp

memory/1444-24-0x00000000741B0000-0x000000007475B000-memory.dmp

memory/1444-25-0x0000000002E00000-0x0000000002E40000-memory.dmp

memory/1444-27-0x0000000002E00000-0x0000000002E40000-memory.dmp

memory/1444-26-0x0000000002E00000-0x0000000002E40000-memory.dmp

memory/1444-30-0x0000000005D00000-0x0000000005E00000-memory.dmp

memory/1444-31-0x0000000005D00000-0x0000000005E00000-memory.dmp

memory/1444-32-0x0000000005D00000-0x0000000005E00000-memory.dmp

memory/1444-39-0x00000000741B0000-0x000000007475B000-memory.dmp

memory/1444-40-0x0000000002E00000-0x0000000002E40000-memory.dmp

memory/1444-41-0x00000000741B0000-0x000000007475B000-memory.dmp

memory/1444-42-0x0000000005D00000-0x0000000005E00000-memory.dmp

memory/1444-43-0x0000000005D00000-0x0000000005E00000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 872 wrote to memory of 2376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 872 wrote to memory of 2376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 872 wrote to memory of 2376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2376 -ip 2376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 248

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 228

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\yourface.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yourface.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\bho.dll C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\2YourFace.crx C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\install.rdf C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\FF8Installer.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\2YourFace\uninst.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=109035|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=142780570000000000004a48d699c5c8" C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=109035|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=109035|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=142780570000000000004a48d699c5c8" C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 43404039789c636262604903622146b36a0b4b0b3373334b735d6733474b5d133313735d4b6303435d532343575343130b03734bd35a060101816fc74b1f02001a260c82 C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingMe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingMe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4404 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 4404 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 4404 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
PID 4656 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe
PID 4656 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe
PID 4656 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe
PID 4404 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 4404 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 4404 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
PID 4356 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4356 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4356 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4356 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 4356 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 4404 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe
PID 4404 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\yourface.exe C:\Users\Admin\AppData\Local\Temp\PingMe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\yourface.exe

"C:\Users\Admin\AppData\Local\Temp\yourface.exe"

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\199769~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\199769~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache visitorID|http://babylon.com

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\199769~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\199769~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3992 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\nsnC70.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\bab033.tbinst.dat

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\bab091.norecovericon.dat

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\SetupStrings.dat

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Babylon.dat

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\199769~1\IECOOK~1.DLL

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\BExternal.dll

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\sign

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\blueStar.png

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\globe.png

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\eula.html

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\options.js

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page0.html

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page2.html

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page2.css

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page3Lrg.css

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page3.html

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page3.css

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page2Lrg.css

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\setup.js

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\progress.png

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\pBar.gif

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\toolBar.jpg

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\title.png

C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\BabyTBConf.ini

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\PingMe.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\PingMe.exe.log

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=1

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Setup.exe

\Users\Admin\AppData\Local\Temp\nsy16FB.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nsy16FB.tmp\ioSpecial.ini

Analysis: behavioral29

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240215-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 224

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\nss3460.tmp\tools.dll

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 4244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1576 wrote to memory of 4244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1576 wrote to memory of 4244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4244 -ip 4244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 612
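The Windows 10 runs that load a $PLUGINSDIR DLL through rundll32.exe (behavioral16, behavioral24 and behavioral30) all have the same shape: the 64-bit C:\Windows\system32\rundll32.exe cannot load a 32-bit DLL, so it starts the SysWOW64 copy with the same command line, and the writes into that new process are what the "Suspicious use of WriteProcessMemory" rows record (the report prints one identical row per write). The 32-bit child then crashes and WerFault.exe is started twice against its PID. That is consistent with an NSIS plugin export being entered with rundll32's four-argument entry-point convention instead of the parent window, string size, variables block and plugin stack that NSIS passes; the report itself only records the crash. The Win7 runs (behavioral5, 7, 11, 31) show only the WerFault -u -p line, with no signature rows. The following Python is an added example, not part of the report or of the sandbox's tooling, that reads a run's process list and signature rows as the report prints them, pulls the crashed PID out of either WerFault command-line form, and checks whether it is the 32-bit child named in the signature. The sample rows are copied from behavioral16; the helper names are my own.

```python
"""Correlate WerFault.exe with the rundll32.exe child it handled.

Added example, not part of the report. Input is the process list and the
'Suspicious use of WriteProcessMemory' rows exactly as the report prints them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

WROTE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# Matches both '-u -p 4244 -s 612' and '-pss -s 360 -p 4244 -ip 4244'
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(.+?),(#?\w+)\s*$", re.I)


@dataclass(frozen=True)
class Proc:
    image: str      # image path as printed in the report
    cmdline: str


def werfault_target_pid(cmdline: str) -> Optional[int]:
    """Both WerFault forms in the report carry the crashed PID after -p."""
    m = WERFAULT_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def rundll32_target(cmdline: str) -> Optional[Tuple[str, str]]:
    """'rundll32.exe <dll>,<export>' -> (dll, export); '#1' is ordinal 1."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def triage_run(procs: List[Proc], write_rows: List[str]) -> dict:
    # The report prints one identical row per write into the new process;
    # only the distinct (writer, target) pair matters for the process tree.
    pairs = {tuple(int(x) for x in m.groups())
             for row in write_rows if (m := WROTE_RE.search(row))}
    crashed = {pid for p in procs
               if p.image.lower().endswith("\\werfault.exe")
               and (pid := werfault_target_pid(p.cmdline)) is not None}
    images = {p.image.lower() for p in procs}
    return {
        "writer_target_pairs": sorted(pairs),
        "crashed_pids": sorted(crashed),
        # 64-bit rundll32 cannot load a 32-bit DLL and relaunches the SysWOW64 copy
        "wow64_relaunch": {r"c:\windows\system32\rundll32.exe",
                           r"c:\windows\syswow64\rundll32.exe"} <= images,
        "plugin_dlls": sorted({t for p in procs if (t := rundll32_target(p.cmdline))}),
        # the 32-bit child named in the signature is the process WerFault handled
        "child_crashed": any(child in crashed for _, child in pairs),
    }


# Constructed from the behavioral16 section of this report
BEHAVIORAL16_PROCS = [
    Proc(r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    Proc(r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    Proc(r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4244 -ip 4244"),
    Proc(r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 612"),
]
BEHAVIORAL16_WRITES = [
    r"PID 1576 wrote to memory of 4244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
] * 3

if __name__ == "__main__":
    for key, value in triage_run(BEHAVIORAL16_PROCS, BEHAVIORAL16_WRITES).items():
        print(f"{key}: {value}")
```

On the Win7 runs the signature rows are absent, so writer_target_pairs and child_crashed stay empty and False; crashed_pids still comes out of the WerFault -u -p line, which is enough to tie the crash to the SysWOW64 rundll32.exe that is the only other 32-bit process in those runs.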

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 90.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 - udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

136s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

NSIS installer

Tags: installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 5d8d0c08384ad73216d52a2eabc064f5
SHA1 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc
SHA256 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce
SHA512 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57

C:\Users\Admin\AppData\Local\Temp\nsb707E.tmp\ioSpecial.ini

MD5 53e2f20cafa67b9042f3979793f60d47
SHA1 93980f88d7540af7f06de3455e72e1cf1562999e
SHA256 74f2c8277533936dcdb459efe7c9715499f31b9a2c054b611b9ab73a1aa5ca39
SHA512 0debdbfb681e1998e147de0c96eade4b422c1a76e0c3e5da0fcb44e6559d0efb7f49c022971cfec0ea2e11804591e8f5843e4312b0c1f9e806a1f537716d36bb

C:\Users\Admin\AppData\Local\Temp\nsb707E.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 52.111.229.43:443 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
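Most rows in every Network table of this report are the sandbox OS talking to itself: PTR lookups (*.in-addr.arpa) sent to 8.8.8.8, and Bing connections that a stock Windows 10 image makes without any help from the sample. The rows worth an analyst's time are the few that remain, such as the 52.111.229.43:443 connection above, which the report prints with no domain. The following Python is an added example, not part of the report or of the sandbox, that reads rows as printed, reverses the PTR labels back to the IP that was looked up, and separates baseline noise from contacts to review. Treating the two Bing hosts as baseline is an assumption made for this example; the right allow-list comes from a clean run of the same image. The sample rows are copied from behavioral22.

```python
"""Triage the Network table of one detonation.

Added example, not part of the report or the sandbox. Splits the rows into
reverse-DNS (PTR) lookups, baseline traffic of the sandbox image, and
contacts that still need an analyst's eye.
"""
from dataclasses import dataclass
from typing import List, Optional

PTR_SUFFIX = ".in-addr.arpa"
# Traffic a clean win10v2004 image generates on its own. Assumed allow-list for
# this example; derive yours from a clean run of the same image.
BASELINE_DOMAINS = {"g.bing.com", "www.bing.com"}


@dataclass(frozen=True)
class Contact:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None where the report leaves the Domain column empty
    proto: str


def parse_row(line: str) -> Optional[Contact]:
    """Parse 'US 8.8.8.8:53 g.bing.com udp'. Rows with an empty Domain column
    ('US 52.111.229.43:443 tcp', or '-' as a placeholder) give domain=None."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, None
    else:
        return None
    if domain == "-":
        domain = None
    ip, sep, port = dest.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return Contact(country, ip, int(port), domain, proto)


def ptr_target(domain: Optional[str]) -> Optional[str]:
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237' (PTR labels are the
    IPv4 octets in reverse order)."""
    if not domain or not domain.endswith(PTR_SUFFIX):
        return None
    return ".".join(reversed(domain[: -len(PTR_SUFFIX)].split(".")))


def classify(c: Contact) -> str:
    if ptr_target(c.domain):
        return "ptr-lookup"
    if c.domain in BASELINE_DOMAINS:
        return "baseline"
    if c.port == 53 and c.domain is None:
        return "dns-unparsed"   # DNS packet seen, but the report printed no name
    return "review"


def triage(rows: List[str]) -> dict:
    contacts = [c for line in rows if (c := parse_row(line))]
    ptr_ips = sorted({ip for c in contacts if (ip := ptr_target(c.domain))})
    review = [c for c in contacts if classify(c) == "review"]
    return {
        "ptr_targets": ptr_ips,                        # peers the OS reverse-resolved
        "direct": [c for c in contacts if c.port != 53],
        "review": review,
        # reviewed contacts whose own IP never appears in a PTR lookup
        "review_without_ptr": [c for c in review if c.ip not in ptr_ips],
    }


# Constructed from the behavioral22 Network table of this report
BEHAVIORAL22_ROWS = """\
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(BEHAVIORAL22_ROWS).items():
        print(key, value)
```

Run against behavioral22 this leaves exactly one contact to review, 52.111.229.43:443, and shows that its IP is not among the ten addresses the OS reverse-resolved (19.229.111.52.in-addr.arpa is 52.111.229.19, a neighbour, not the same host). Whether that connection is attributable to the sample or to the image is not something the table alone can settle; a clean-run baseline is.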

Files

C:\Users\Admin\AppData\Local\Temp\nsr6552.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsr6552.tmp\ioSpecial.ini

MD5 dceb36ca621035d575ceefb08ee641ae
SHA1 5daf210287cb70c8f3103a46127605f85e8ebcd6
SHA256 0e2aed3d5aa034dbe04c10f7939ec6eb454f69b11b0b66efee36897a443a2147
SHA512 1d3830484cc2815142d007cbab1d0b57da53abf1456d92d2d64a8379dc39b0785c5f65dd2c6cb16438fdc72333f4038ccc7f40221ab2b522c7e50113218398f4
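The Files sections of behavioral18 and behavioral22 list the same InstallOptions.dll (SHA256 c9cd5c96...) under two different directories, nsb707E.tmp and nsr6552.tmp, while the ioSpecial.ini beside it has a different hash in each run. Comparing dropped files by path therefore hides what is stable and what is regenerated per run. The following Python is an added example, not part of the report or of the sandbox, that normalises the per-run NSIS temp directory and groups dropped files by content. The ns<random>.tmp name pattern is an assumption taken from the three such directories in this report; the rows are copied from the two Files sections above.

```python
"""Compare dropped files across runs by hash, not by path.

Added example, not part of the report. Input rows are (run, path, sha256)
copied from the Files sections.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# NSIS extracts plugins into a fresh temp directory on every run; the exact
# name shape is assumed from nss3460.tmp, nsb707E.tmp and nsr6552.tmp above.
NSIS_TMP_RE = re.compile(r"\\ns[0-9a-z]{4,5}\.tmp\\", re.I)


def normalize_path(path: str) -> str:
    """Replace the per-run NSIS temp directory so paths compare across runs."""
    return NSIS_TMP_RE.sub(lambda _: "\\ns<rand>.tmp\\", path)


def group_dropped(rows: List[Tuple[str, str, str]]) -> dict:
    runs_by_hash: Dict[str, Set[str]] = defaultdict(set)
    hashes_by_path: Dict[str, Set[str]] = defaultdict(set)
    for run, path, sha256 in rows:
        runs_by_hash[sha256.lower()].add(run)
        hashes_by_path[normalize_path(path)].add(sha256.lower())
    return {
        # identical content seen in more than one run (a stable component)
        "stable": {h: sorted(r) for h, r in runs_by_hash.items() if len(r) > 1},
        # same normalised path, different content per run (generated at run time)
        "per_run": {p: sorted(h) for p, h in hashes_by_path.items() if len(h) > 1},
    }


# Constructed from the behavioral18 and behavioral22 Files sections of this report
DROPPED = [
    ("behavioral18", r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
     "30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce"),
    ("behavioral18", r"C:\Users\Admin\AppData\Local\Temp\nsb707E.tmp\ioSpecial.ini",
     "74f2c8277533936dcdb459efe7c9715499f31b9a2c054b611b9ab73a1aa5ca39"),
    ("behavioral18", r"C:\Users\Admin\AppData\Local\Temp\nsb707E.tmp\InstallOptions.dll",
     "c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b"),
    ("behavioral22", r"C:\Users\Admin\AppData\Local\Temp\nsr6552.tmp\InstallOptions.dll",
     "c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b"),
    ("behavioral22", r"C:\Users\Admin\AppData\Local\Temp\nsr6552.tmp\ioSpecial.ini",
     "0e2aed3d5aa034dbe04c10f7939ec6eb454f69b11b0b66efee36897a443a2147"),
]

if __name__ == "__main__":
    for key, value in group_dropped(DROPPED).items():
        print(key, value)
```

The stable hash is the one to look up or pin as an indicator; a hash that changes on every run (here ioSpecial.ini) is not a useful indicator on its own, and the path under ns<rand>.tmp is not either.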

Analysis: behavioral30

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 3428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1808 wrote to memory of 3428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1808 wrote to memory of 3428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3428 -ip 3428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 - udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240220-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 220

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win7-20240215-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 224

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-15 16:08

Reported

2024-04-15 16:11

Platform

win10v2004-20240412-en

Max time kernel

125s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 1216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 1216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 1216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1216 -ip 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5052,i,9197556651587249039,2664027599321555186,262144 --variations-seed-version --mojo-platform-channel-handle=5048 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp

Files

N/A