Analysis Overview
SHA256
3d60ca3843ccfdb6a60eed5fb4aed22bc0be094735f8855de1056f203717710b
Threat Level: Shows suspicious behavior
The file f17550df3cb68018a96b48678322f70b_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Reads user/profile data of web browsers
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Checks whether UAC is enabled
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Modifies Internet Explorer start page
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 16:08
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 880 wrote to memory of 3440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 880 wrote to memory of 3440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 880 wrote to memory of 3440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\2YourFace\ffextension\install.rdf | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\FF8Installer.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\bho.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\uninst.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\2YourFace.crx | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000b6abe25ccc834fd3c232e0071f999880c3205c2270d73156c918c019b7404346000000000e8000000002000020000000d913c4c6d11b7c664b6fc35b65ce22870d5ef856f2b60bff5f6dbdeaff346325500000007a950530b3e463fa2b0d285ef605c79aa9bbb45e26afb6bf8e9ebb3d175d9a290be1aaee398b181c34d4ae5b6fc756b485861e7f1361e6f0177e5e583cb1a5901ef54d40315b19a999b479b8ad2d378e40000000c9b1bfe2bffb1a6bffe88556daef6382c343f37dc0aa45196c4c95853f3e161ef74921bffdebcf9646b9b2d6cbf1db9e2c1418a2326c97b17b2e86d7603d6b9f | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}" | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=26d909910000000000004a4f109f65b0" | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=26d909910000000000004a4f109f65b0" | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433d39789c636262604903622146b36a43170353371343635d676753735d1310cbd2d0c942d7dcc2dcd1d1c8c2c4d5d5c4a4964140402067ed425b001aff0ba3 | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Users\Admin\AppData\Local\Temp\yourface.exe
"C:\Users\Admin\AppData\Local\Temp\yourface.exe"
C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\093247~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\093247~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache visitorID|http://babylon.com
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\093247~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | info.babylon.com | udp |
| US | 184.154.27.235:80 | info.babylon.com | tcp |
| US | 8.8.8.8:53 | stp.babylon.com | udp |
| US | 184.154.27.232:80 | stp.babylon.com | tcp |
| US | 8.8.8.8:53 | dl.babylon.com | udp |
| US | 198.143.128.244:80 | dl.babylon.com | tcp |
| US | 8.8.8.8:53 | ocsp.thawte.com | udp |
| US | 152.199.19.74:80 | ocsp.thawte.com | tcp |
| US | 8.8.8.8:53 | crl.thawte.com | udp |
| SE | 192.229.221.95:80 | crl.thawte.com | tcp |
| US | 8.8.8.8:53 | cs-g2-crl.thawte.com | udp |
| SE | 192.229.221.95:80 | cs-g2-crl.thawte.com | tcp |
| US | 184.154.27.235:80 | info.babylon.com | tcp |
| US | 8.8.8.8:53 | www.outbrowse.com | udp |
| US | 8.8.8.8:53 | www.outbrowse.com | udp |
| US | 13.248.169.48:80 | www.outbrowse.com | tcp |
| US | 13.248.169.48:80 | www.outbrowse.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nse513D.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
| MD5 | 3d91ecdbb3404485702fb92b26b17d90 |
| SHA1 | 5dfc514a7a1e037683fed57029f49fa6c6f04dbf |
| SHA256 | 588b7896a3712043efd9789e8bd2de35d2bcc082344f2d2cb7a90cfadc66b6d9 |
| SHA512 | 1cc40cfa7328eb251f9cc5bc4c5ba695e213c8efda94e8ef23cfc7786a561c8298c05b39fbbbcfccc90eaf3a18090f1d6fd4ecc405795565fdb8790c9b2093d3 |
\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Setup.exe
| MD5 | 14c2d4576d528ed76fada4f4fa1a5952 |
| SHA1 | 3a9d7d4639b5eb8bec42df972c44493690eaadfc |
| SHA256 | 6e7425ace83127aa18a94927144f3d97870f7395606285606635c3ae591f1b52 |
| SHA512 | 15c32a49946429e15ff8a8e4293d2ccccd160c43c24d3b6f9ccb0373f3dfb666e3c04c062feecc5dd6415f44c7230a09f0cc423aed601a121c2afec28d772558 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\bab033.tbinst.dat
| MD5 | 1ee8c638e49ee7137607722768afc5a2 |
| SHA1 | 8719d7a498a49b042cd6fc411cac6c44f3c0f43a |
| SHA256 | 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e |
| SHA512 | 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\bab091.norecovericon.dat
| MD5 | 4f6e1fdbef102cdbd379fdac550b9f48 |
| SHA1 | 5da6ee5b88a4040c80e5269e0cd2b0880b20659c |
| SHA256 | e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c |
| SHA512 | 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\SetupStrings.dat
| MD5 | 07bb1523dc51ec1fd5913b0a70ab98ee |
| SHA1 | 216f853cb251f32f5c91345404efd48f041ad5bd |
| SHA256 | 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2 |
| SHA512 | 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Babylon.dat
| MD5 | adbb6a655ae518830ba1afefdb84668f |
| SHA1 | a1be53d99a67fff011ea035c310588e635c718e1 |
| SHA256 | 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c |
| SHA512 | b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228 |
C:\Users\Admin\AppData\Local\Temp\093247~1\IECOOK~1.DLL
| MD5 | 5a27c8702510d0b6c698163053fde6d1 |
| SHA1 | 69fdc602a51e52c603f23a80e9b087c262dce940 |
| SHA256 | ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437 |
| SHA512 | ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51 |
memory/2016-50-0x0000000002040000-0x0000000002042000-memory.dmp
memory/1992-51-0x0000000000240000-0x0000000000242000-memory.dmp
\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\sqlite3.dll
| MD5 | 0f66e8e2340569fb17e774dac2010e31 |
| SHA1 | 406bb6854e7384ff77c0b847bf2f24f3315874a3 |
| SHA256 | de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f |
| SHA512 | 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\BExternal.dll
| MD5 | 743acbf54eb091066be6ab3cb12c5988 |
| SHA1 | 43a205985790c47a7e611fa2d3cab9b4eb59121f |
| SHA256 | fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0 |
| SHA512 | 014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\sign
| MD5 | 73dbc500e121b83ec57bb2563203259a |
| SHA1 | 658adac13fc362f5292cbbda19ade1d228ff7901 |
| SHA256 | 9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878 |
| SHA512 | c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\blueStar.png
| MD5 | a7fcdf142648bac756fcfe06a31f42e4 |
| SHA1 | 4df99b119c183c821ed1bf0f825536318c9c3353 |
| SHA256 | 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22 |
| SHA512 | ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\eula.html
| MD5 | 1b73a781f7f5b0d61624bd97050a2ed0 |
| SHA1 | 01b848625761d5dede115e8599e4c72f126f8a3c |
| SHA256 | f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5 |
| SHA512 | 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page0.html
| MD5 | cf33120dd42cee842d96532843bb1961 |
| SHA1 | 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf |
| SHA256 | 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f |
| SHA512 | 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\options.js
| MD5 | 771f230f8bbc96a03b13976667918f1f |
| SHA1 | 0fba422c76b89cdb5d12e657064c49a9b1b7abae |
| SHA256 | 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252 |
| SHA512 | b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\globe.png
| MD5 | cc53fb9e9456eb79479151090cb16cbd |
| SHA1 | e61004bf729757f3f225f77f0236b82518f68662 |
| SHA256 | 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42 |
| SHA512 | 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page2.html
| MD5 | 12152ded3604e8baaf82c078f8034d60 |
| SHA1 | 0867dec241a257e3e9ad9e8d20b9e06e3bce7184 |
| SHA256 | abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485 |
| SHA512 | a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page2Lrg.css
| MD5 | db15b568f9d195635b3fcab87ef6293f |
| SHA1 | 6ae0f374531cb3013857880e8469a103492b8393 |
| SHA256 | 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d |
| SHA512 | a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page2.css
| MD5 | 085cf46c4d1c8dea9edd79ee37d6d5bd |
| SHA1 | 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45 |
| SHA256 | 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d |
| SHA512 | 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page3.css
| MD5 | 07784ad77f30fa018949e412b2257aab |
| SHA1 | 8595c222a3741bfa83c5a4d982c845c8038062a6 |
| SHA256 | 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf |
| SHA512 | 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\progress.png
| MD5 | dee08d8cbcdeb8013adf28ecf150aaf3 |
| SHA1 | c61cd9b1bd0127244b9d311f493fc514aa5c08d6 |
| SHA256 | eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5 |
| SHA512 | c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\pBar.gif
| MD5 | 26621cb27bbc94f6bab3561791ac013b |
| SHA1 | 4010a489350cf59fd8f36f8e59b53e724c49cc5b |
| SHA256 | e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3 |
| SHA512 | 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page3Lrg.css
| MD5 | b3520c555c46a7020d8f27bfe81df0ca |
| SHA1 | 59398086abe3987c2a91edacb74eca94bbd63d7d |
| SHA256 | 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6 |
| SHA512 | 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\page3.html
| MD5 | b23c25988099403433efb7fb64715676 |
| SHA1 | e833527e1c021b311286e6e2d1c2f0530be0a565 |
| SHA256 | 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c |
| SHA512 | 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\setup.js
| MD5 | a95607ce49fa0af8ed7a3f5667c3eb31 |
| SHA1 | 5e4b5a30e56c42329afdf216625bf35be69a82aa |
| SHA256 | 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c |
| SHA512 | 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\title.png
| MD5 | 12ef76069cc40b8ad478d9091915ded6 |
| SHA1 | fabad560b6e6839f9e5ae1268695d11ca35f9d74 |
| SHA256 | 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c |
| SHA512 | 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\HtmlScreens\toolBar.jpg
| MD5 | 56dc3cb42b46309e642c15167003685d |
| SHA1 | 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d |
| SHA256 | bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1 |
| SHA512 | 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60 |
C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb
| MD5 | 5e6230b3b16798e23720958756ac6d9e |
| SHA1 | c7bcb001c48a67d4c9d6e70e92473ebd85b30585 |
| SHA256 | d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2 |
| SHA512 | 6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar6D4B.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
memory/1292-210-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/2168-212-0x0000000060900000-0x0000000060970000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\BabyTBConf.ini
| MD5 | 3f6e3f4071d00eba2818df4d4c7db254 |
| SHA1 | 143c73c45d37f0563591c62b1e21128580740937 |
| SHA256 | 2422c98a18ef679192dafa4c0a02a16ebed522e349aa83eabb5d321534257b3f |
| SHA512 | 3ff562e843b9dca15a1aef570d37d792c4b6a76cb37e2aed73dd000677031b64315966fce841080b3a659fab298c2f42f6c90a73177ba74411f39b0d72241864 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Latest\setup.exe
| MD5 | 5790a04f78c61c3caea7ddd6f01829d2 |
| SHA1 | 9d783d964338a5378280dd3c3b72519d11f73ffa |
| SHA256 | 726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606 |
| SHA512 | 9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0 |
C:\Users\Admin\AppData\Local\Temp\093247C6-BAB0-7891-A6E3-F934D1AE5DD5\Latest\kstp.txt
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
\Users\Admin\AppData\Local\Temp\MainInstaller.exe
| MD5 | 9ce448dcd7cf13dd950725957361bdff |
| SHA1 | 5831ff31825ea82d90a2989e0fc0a33b859d5f97 |
| SHA256 | 3dbc5aff076ef9c86a90ad30e963581f7cb22f8e212aa38db29d82cf45b73f80 |
| SHA512 | b4a175da3677cd3380cb3789f281f2afb10aa00dc9592217062d66eb9b5e73805886b692975d7244cdd439d8d5bcd0eb5810533284ba4b13ff02a20b792bf74f |
\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 5d8d0c08384ad73216d52a2eabc064f5 |
| SHA1 | 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc |
| SHA256 | 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce |
| SHA512 | 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57 |
\Users\Admin\AppData\Local\Temp\PingMe.exe
| MD5 | 991cd458830ae2008be0c2d8e26c8bd0 |
| SHA1 | d519a7ffd8360a47450e60b7d665e666d9df89bc |
| SHA256 | f2ecda9fb1b201d9a120c5906c6b0983205e4858ecea0065499841cf4047eb71 |
| SHA512 | e45ce313823e43726418378920c367a4957b2806ee8070d0f4acf63fd1fa893577fbe91fc859c81bd8d6984ca1c0fe9ef0b32200c79106a3f7dcff0b8efdb4aa |
memory/2284-258-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp
memory/2284-259-0x0000000001FA0000-0x0000000002020000-memory.dmp
memory/2284-260-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp
memory/1696-261-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp
memory/1696-262-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp
memory/2284-264-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp
memory/1696-263-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"
Network
Files
memory/1972-0-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp
memory/1972-1-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp
memory/1972-2-0x0000000000A70000-0x0000000000AF0000-memory.dmp
memory/1972-3-0x0000000000A70000-0x0000000000AF0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240319-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsy33ED.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsy33ED.tmp\ioSpecial.ini
| MD5 | 049db9061d7bead0a7adea7e7d9d648a |
| SHA1 | 54b115a250f5eaed34942cdc889117be0e5983f5 |
| SHA256 | 1c6779fd4a74f6604000074591b2ac69299fd53c6296bbbeb1ba22838851b253 |
| SHA512 | 1a4fbdcc63f6e30059706080995ec3cb573a5074d371c1688320000c93fbdd5b34f64a9c80178ebe8a20ff1a627c49ac7e9023acbb9dffdd543de220513f2706 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
91s
Max time network
117s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3888 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3888 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3888 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2772 -ip 2772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 13.89.179.14:443 | tcp | |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| BE | 2.17.197.240:80 | tcp | |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2340 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2340 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2340 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2340 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2340 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2340 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2340 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240215-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 224
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/3584-0-0x00007FFA928E0000-0x00007FFA93281000-memory.dmp
memory/3584-2-0x000000001BB80000-0x000000001C04E000-memory.dmp
memory/3584-1-0x0000000001170000-0x0000000001180000-memory.dmp
memory/3584-5-0x00007FFA928E0000-0x00007FFA93281000-memory.dmp
memory/3584-4-0x00007FFA928E0000-0x00007FFA93281000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2196 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1
Network
Files
memory/2768-1-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2768-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2768-2-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3580 wrote to memory of 1456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3580 wrote to memory of 1456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3580 wrote to memory of 1456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1456 -ip 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2936 wrote to memory of 2020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2936 wrote to memory of 2020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2936 wrote to memory of 2020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2020 -ip 2020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3036 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3036 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3036 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
117s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3968 wrote to memory of 3444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3968 wrote to memory of 3444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3968 wrote to memory of 3444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProc.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/3444-0-0x00000000007A0000-0x00000000007B4000-memory.dmp
memory/3444-1-0x00000000007A0000-0x00000000007B4000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsi39F6.tmp\tools.dll
| MD5 | e12f05661436f2974cf91b5fc76fb5f4 |
| SHA1 | 5e0b7887950204713bef3da0018911279f2540ec |
| SHA256 | 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc |
| SHA512 | 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d |
memory/1444-19-0x0000000002E00000-0x0000000002E40000-memory.dmp
memory/1444-22-0x00000000741B0000-0x000000007475B000-memory.dmp
memory/1444-24-0x00000000741B0000-0x000000007475B000-memory.dmp
memory/1444-25-0x0000000002E00000-0x0000000002E40000-memory.dmp
memory/1444-27-0x0000000002E00000-0x0000000002E40000-memory.dmp
memory/1444-26-0x0000000002E00000-0x0000000002E40000-memory.dmp
memory/1444-30-0x0000000005D00000-0x0000000005E00000-memory.dmp
memory/1444-31-0x0000000005D00000-0x0000000005E00000-memory.dmp
memory/1444-32-0x0000000005D00000-0x0000000005E00000-memory.dmp
memory/1444-39-0x00000000741B0000-0x000000007475B000-memory.dmp
memory/1444-40-0x0000000002E00000-0x0000000002E40000-memory.dmp
memory/1444-41-0x00000000741B0000-0x000000007475B000-memory.dmp
memory/1444-42-0x0000000005D00000-0x0000000005E00000-memory.dmp
memory/1444-43-0x0000000005D00000-0x0000000005E00000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 872 wrote to memory of 2376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 872 wrote to memory of 2376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 872 wrote to memory of 2376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2376 -ip 2376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| NL | 52.111.243.31:443 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240221-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 248
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 228
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yourface.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yourface.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\bho.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\2YourFace.crx | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\install.rdf | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\FF8Installer.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\2YourFace\uninst.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=109035|trkInfo=|visitorID=|URI=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=142780570000000000004a48d699c5c8" | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=109035|trkInfo=|visitorID=|URI=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=109035|trkInfo=|visitorID=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=142780570000000000004a48d699c5c8" | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 43404039789c636262604903622146b36a0b4b0b3373334b735d6733474b5d133313735d4b6303435d532343575343130b03734bd35a060101816fc74b1f02001a260c82 | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PingMe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\yourface.exe
"C:\Users\Admin\AppData\Local\Temp\yourface.exe"
C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\199769~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\199769~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache visitorID|http://babylon.com
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\199769~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\199769~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
"C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3992 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | info.babylon.com | udp |
| US | 184.154.27.235:80 | info.babylon.com | tcp |
| US | 8.8.8.8:53 | 235.27.154.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stp.babylon.com | udp |
| US | 184.154.27.232:80 | stp.babylon.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.27.154.184.in-addr.arpa | udp |
| US | 184.154.27.235:80 | info.babylon.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | www.outbrowse.com | udp |
| US | 13.248.169.48:80 | www.outbrowse.com | tcp |
| US | 13.248.169.48:80 | www.outbrowse.com | tcp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsnC70.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
| MD5 | 3d91ecdbb3404485702fb92b26b17d90 |
| SHA1 | 5dfc514a7a1e037683fed57029f49fa6c6f04dbf |
| SHA256 | 588b7896a3712043efd9789e8bd2de35d2bcc082344f2d2cb7a90cfadc66b6d9 |
| SHA512 | 1cc40cfa7328eb251f9cc5bc4c5ba695e213c8efda94e8ef23cfc7786a561c8298c05b39fbbbcfccc90eaf3a18090f1d6fd4ecc405795565fdb8790c9b2093d3 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Setup.exe
| MD5 | 14c2d4576d528ed76fada4f4fa1a5952 |
| SHA1 | 3a9d7d4639b5eb8bec42df972c44493690eaadfc |
| SHA256 | 6e7425ace83127aa18a94927144f3d97870f7395606285606635c3ae591f1b52 |
| SHA512 | 15c32a49946429e15ff8a8e4293d2ccccd160c43c24d3b6f9ccb0373f3dfb666e3c04c062feecc5dd6415f44c7230a09f0cc423aed601a121c2afec28d772558 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\bab033.tbinst.dat
| MD5 | 1ee8c638e49ee7137607722768afc5a2 |
| SHA1 | 8719d7a498a49b042cd6fc411cac6c44f3c0f43a |
| SHA256 | 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e |
| SHA512 | 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\bab091.norecovericon.dat
| MD5 | 4f6e1fdbef102cdbd379fdac550b9f48 |
| SHA1 | 5da6ee5b88a4040c80e5269e0cd2b0880b20659c |
| SHA256 | e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c |
| SHA512 | 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\SetupStrings.dat
| MD5 | 07bb1523dc51ec1fd5913b0a70ab98ee |
| SHA1 | 216f853cb251f32f5c91345404efd48f041ad5bd |
| SHA256 | 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2 |
| SHA512 | 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\Babylon.dat
| MD5 | adbb6a655ae518830ba1afefdb84668f |
| SHA1 | a1be53d99a67fff011ea035c310588e635c718e1 |
| SHA256 | 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c |
| SHA512 | b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\sqlite3.dll
| MD5 | 0f66e8e2340569fb17e774dac2010e31 |
| SHA1 | 406bb6854e7384ff77c0b847bf2f24f3315874a3 |
| SHA256 | de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f |
| SHA512 | 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05 |
C:\Users\Admin\AppData\Local\Temp\199769~1\IECOOK~1.DLL
| MD5 | 5a27c8702510d0b6c698163053fde6d1 |
| SHA1 | 69fdc602a51e52c603f23a80e9b087c262dce940 |
| SHA256 | ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437 |
| SHA512 | ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\BExternal.dll
| MD5 | 743acbf54eb091066be6ab3cb12c5988 |
| SHA1 | 43a205985790c47a7e611fa2d3cab9b4eb59121f |
| SHA256 | fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0 |
| SHA512 | 014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\sign
| MD5 | 73dbc500e121b83ec57bb2563203259a |
| SHA1 | 658adac13fc362f5292cbbda19ade1d228ff7901 |
| SHA256 | 9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878 |
| SHA512 | c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\blueStar.png
| MD5 | a7fcdf142648bac756fcfe06a31f42e4 |
| SHA1 | 4df99b119c183c821ed1bf0f825536318c9c3353 |
| SHA256 | 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22 |
| SHA512 | ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\globe.png
| MD5 | cc53fb9e9456eb79479151090cb16cbd |
| SHA1 | e61004bf729757f3f225f77f0236b82518f68662 |
| SHA256 | 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42 |
| SHA512 | 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\eula.html
| MD5 | 1b73a781f7f5b0d61624bd97050a2ed0 |
| SHA1 | 01b848625761d5dede115e8599e4c72f126f8a3c |
| SHA256 | f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5 |
| SHA512 | 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\options.js
| MD5 | 771f230f8bbc96a03b13976667918f1f |
| SHA1 | 0fba422c76b89cdb5d12e657064c49a9b1b7abae |
| SHA256 | 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252 |
| SHA512 | b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page0.html
| MD5 | cf33120dd42cee842d96532843bb1961 |
| SHA1 | 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf |
| SHA256 | 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f |
| SHA512 | 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page2.html
| MD5 | 12152ded3604e8baaf82c078f8034d60 |
| SHA1 | 0867dec241a257e3e9ad9e8d20b9e06e3bce7184 |
| SHA256 | abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485 |
| SHA512 | a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page2.css
| MD5 | 085cf46c4d1c8dea9edd79ee37d6d5bd |
| SHA1 | 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45 |
| SHA256 | 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d |
| SHA512 | 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page3Lrg.css
| MD5 | b3520c555c46a7020d8f27bfe81df0ca |
| SHA1 | 59398086abe3987c2a91edacb74eca94bbd63d7d |
| SHA256 | 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6 |
| SHA512 | 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page3.html
| MD5 | b23c25988099403433efb7fb64715676 |
| SHA1 | e833527e1c021b311286e6e2d1c2f0530be0a565 |
| SHA256 | 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c |
| SHA512 | 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page3.css
| MD5 | 07784ad77f30fa018949e412b2257aab |
| SHA1 | 8595c222a3741bfa83c5a4d982c845c8038062a6 |
| SHA256 | 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf |
| SHA512 | 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\page2Lrg.css
| MD5 | db15b568f9d195635b3fcab87ef6293f |
| SHA1 | 6ae0f374531cb3013857880e8469a103492b8393 |
| SHA256 | 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d |
| SHA512 | a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\setup.js
| MD5 | a95607ce49fa0af8ed7a3f5667c3eb31 |
| SHA1 | 5e4b5a30e56c42329afdf216625bf35be69a82aa |
| SHA256 | 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c |
| SHA512 | 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\progress.png
| MD5 | dee08d8cbcdeb8013adf28ecf150aaf3 |
| SHA1 | c61cd9b1bd0127244b9d311f493fc514aa5c08d6 |
| SHA256 | eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5 |
| SHA512 | c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\pBar.gif
| MD5 | 26621cb27bbc94f6bab3561791ac013b |
| SHA1 | 4010a489350cf59fd8f36f8e59b53e724c49cc5b |
| SHA256 | e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3 |
| SHA512 | 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\toolBar.jpg
| MD5 | 56dc3cb42b46309e642c15167003685d |
| SHA1 | 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d |
| SHA256 | bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1 |
| SHA512 | 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60 |
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\HtmlScreens\title.png
| MD5 | 12ef76069cc40b8ad478d9091915ded6 |
| SHA1 | fabad560b6e6839f9e5ae1268695d11ca35f9d74 |
| SHA256 | 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c |
| SHA512 | 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067 |
memory/4440-122-0x0000000060900000-0x0000000060970000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\199769C1-BAB0-7891-808C-2FFB5DD38017\BabyTBConf.ini
| MD5 | 17b7b6cc233f35f9407e8b885508647f |
| SHA1 | 99f33f45a69bd616aad7b28a26b7d48b49cac398 |
| SHA256 | 9e99a072e58e49c8bde416a9221568d81ae4e56f3cd0c368259555c0e3d23fcb |
| SHA512 | b57068e546a5ccc8f81028cd0a5506e737a820539635339ed13a903a185b143268d99f2d630189cfe11a2149c6b1c74dcd21ad36b04f18d08d1462cffbb7270e |
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
| MD5 | 9ce448dcd7cf13dd950725957361bdff |
| SHA1 | 5831ff31825ea82d90a2989e0fc0a33b859d5f97 |
| SHA256 | 3dbc5aff076ef9c86a90ad30e963581f7cb22f8e212aa38db29d82cf45b73f80 |
| SHA512 | b4a175da3677cd3380cb3789f281f2afb10aa00dc9592217062d66eb9b5e73805886b692975d7244cdd439d8d5bcd0eb5810533284ba4b13ff02a20b792bf74f |
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 5d8d0c08384ad73216d52a2eabc064f5 |
| SHA1 | 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc |
| SHA256 | 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce |
| SHA512 | 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57 |
C:\Users\Admin\AppData\Local\Temp\PingMe.exe
| MD5 | 991cd458830ae2008be0c2d8e26c8bd0 |
| SHA1 | d519a7ffd8360a47450e60b7d665e666d9df89bc |
| SHA256 | f2ecda9fb1b201d9a120c5906c6b0983205e4858ecea0065499841cf4047eb71 |
| SHA512 | e45ce313823e43726418378920c367a4957b2806ee8070d0f4acf63fd1fa893577fbe91fc859c81bd8d6984ca1c0fe9ef0b32200c79106a3f7dcff0b8efdb4aa |
memory/3068-165-0x00007FFE5E200000-0x00007FFE5EBA1000-memory.dmp
memory/4648-166-0x00007FFE5E200000-0x00007FFE5EBA1000-memory.dmp
memory/4648-167-0x0000000000F30000-0x0000000000F40000-memory.dmp
memory/3068-168-0x00007FFE5E200000-0x00007FFE5EBA1000-memory.dmp
memory/3068-169-0x000000001B840000-0x000000001BD0E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\PingMe.exe.log
| MD5 | 21474607a881ad45866e78423d00d806 |
| SHA1 | c406964aeaeefb6e331df4444fbbbb3beb5a4728 |
| SHA256 | 7905b13d8a2686b95d70c4e9a72cbe2e0e2d158af8654b8514f8912b2203f65e |
| SHA512 | bd1df4de95068874ae63dad6d6d0ab27b85fc340202b8ee6fd97c8501a93641ab76d953c92dad3f53e7375f5565b609f65a918e48d1ee79cf4238421847e9b68 |
memory/3068-174-0x00007FFE5E200000-0x00007FFE5EBA1000-memory.dmp
memory/4648-173-0x00007FFE5E200000-0x00007FFE5EBA1000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2228 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2228 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2228 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2228 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2228 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2228 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 2228 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=1
Network
Files
\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 5d8d0c08384ad73216d52a2eabc064f5 |
| SHA1 | 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc |
| SHA256 | 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce |
| SHA512 | 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57 |
\Users\Admin\AppData\Local\Temp\nsy16FB.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsy16FB.tmp\ioSpecial.ini
| MD5 | 2e6b7323e40dc59b8d13b4d6ee9e08e1 |
| SHA1 | a1d2be0eb5d43c9d8725c36f7ad205d96717d4ee |
| SHA256 | 732494eb31f29a7dfc75e9c6d94c2e6994e4e433966af488eb6ad58c6fd7944a |
| SHA512 | 086de294cfd7943d3681528fe031de1d391bbd2a48d9b61ab41f2c013fc9cd02a0cad99a49d16158d26751db84a94fd55a27335f9522c1719e288c53b571b140 |
C:\Users\Admin\AppData\Local\Temp\nsy16FB.tmp\ioSpecial.ini
| MD5 | 0042762065d3d41d09ab001d7f404114 |
| SHA1 | 591576eec974bb2e5f40f885507620c2dc46bf67 |
| SHA256 | af689a325c461ba10ff76d207f7069032bc385039e99b8d12c850347d61c9111 |
| SHA512 | f8c8e3e4efb3eca82a1cde6dc844859a8135f238068bbc7ad7388aaf07a5396a5a8f152f91f676dec87a92c7f41a95bcf7031cac39723167a05431f595e45f8c |
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240215-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 224
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
119s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f17550df3cb68018a96b48678322f70b_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nss3460.tmp\tools.dll
| MD5 | e12f05661436f2974cf91b5fc76fb5f4 |
| SHA1 | 5e0b7887950204713bef3da0018911279f2540ec |
| SHA256 | 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc |
| SHA512 | 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d |
memory/1584-19-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-23-0x00000000744C0000-0x0000000074A71000-memory.dmp
memory/1584-24-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-25-0x00000000744C0000-0x0000000074A71000-memory.dmp
memory/1584-26-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-29-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-30-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-31-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-32-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-33-0x00000000744C0000-0x0000000074A71000-memory.dmp
memory/1584-34-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-35-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-36-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-37-0x0000000003430000-0x0000000003440000-memory.dmp
memory/1584-38-0x0000000003430000-0x0000000003440000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 224
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1576 wrote to memory of 4244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1576 wrote to memory of 4244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1576 wrote to memory of 4244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4244 -ip 4244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
136s
Max time network
144s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3592 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 3592 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 3592 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 5d8d0c08384ad73216d52a2eabc064f5 |
| SHA1 | 0fa5c77fd6b6323b926c9648679e063d1bbc8bcc |
| SHA256 | 30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce |
| SHA512 | 42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57 |
C:\Users\Admin\AppData\Local\Temp\nsb707E.tmp\ioSpecial.ini
| MD5 | 53e2f20cafa67b9042f3979793f60d47 |
| SHA1 | 93980f88d7540af7f06de3455e72e1cf1562999e |
| SHA256 | 74f2c8277533936dcdb459efe7c9715499f31b9a2c054b611b9ab73a1aa5ca39 |
| SHA512 | 0debdbfb681e1998e147de0c96eade4b422c1a76e0c3e5da0fcb44e6559d0efb7f49c022971cfec0ea2e11804591e8f5843e4312b0c1f9e806a1f537716d36bb |
C:\Users\Admin\AppData\Local\Temp\nsb707E.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsr6552.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsr6552.tmp\ioSpecial.ini
| MD5 | dceb36ca621035d575ceefb08ee641ae |
| SHA1 | 5daf210287cb70c8f3103a46127605f85e8ebcd6 |
| SHA256 | 0e2aed3d5aa034dbe04c10f7939ec6eb454f69b11b0b66efee36897a443a2147 |
| SHA512 | 1d3830484cc2815142d007cbab1d0b57da53abf1456d92d2d64a8379dc39b0785c5f65dd2c6cb16438fdc72333f4038ccc7f40221ab2b522c7e50113218398f4 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1808 wrote to memory of 3428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1808 wrote to memory of 3428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1808 wrote to memory of 3428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3428 -ip 3428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240220-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2YourFace_Util.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 220
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win7-20240215-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 224
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-15 16:08
Reported
2024-04-15 16:11
Platform
win10v2004-20240412-en
Max time kernel
125s
Max time network
131s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2644 wrote to memory of 1216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2644 wrote to memory of 1216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2644 wrote to memory of 1216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 636
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5052,i,9197556651587249039,2664027599321555186,262144 --variations-seed-version --mojo-platform-channel-handle=5048 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp |