Malware Analysis Report

2025-08-11 00:26

Sample ID 221001-wkj35aaefr
Target 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1
SHA256 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1
Tags
neshta evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1

Threat Level: Known bad

The file 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1 was found to be: Known bad.

Malicious Activity Summary

neshta evasion persistence spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Neshta

Modifies system executable filetype association

Neshta family

Detect Neshta payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-01 17:58

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-01 17:58

Reported

2022-10-01 18:11

Platform

win7-20220901-en

Max time kernel

97s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A

Neshta

persistence spyware neshta

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
PID 1368 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
PID 1368 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
PID 1368 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
PID 1368 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
PID 1368 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
PID 1368 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
PID 936 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe
PID 936 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe
PID 936 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe
PID 936 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe
PID 936 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe
PID 936 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe
PID 936 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe
PID 680 wrote to memory of 1764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 680 wrote to memory of 1764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 680 wrote to memory of 1764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 680 wrote to memory of 1764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1276 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe
PID 1276 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe
PID 1276 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe
PID 1276 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe
PID 1276 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe
PID 1276 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe
PID 1276 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe

"C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe" -uiname=babylonO1 /brwsr=dnl -trkInfo=[spt:1] -490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\96B6E0~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe -latest -dlp -tsp=8310 -uiname=babylonO1 /brwsr=dnl -trkInfo=[spt:1] -490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\96B6E0~1\Latest\IECOOK~1.DLL,UpdateProtectedModeCookieCache affilID|http://babylon-software.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 info.babylon.com udp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 dl.babsft.com udp
NL 198.20.106.236:80 dl.babsft.com tcp
US 8.8.8.8:53 stpui.babylon.com udp
US 184.154.27.242:80 stpui.babylon.com tcp
N/A 127.0.0.1:116 tcp
N/A 127.0.0.1:116 tcp
N/A 127.0.0.1:116 tcp
US 8.8.8.8:53 stat.babsft.com udp
US 184.154.27.233:80 stat.babsft.com tcp
US 8.8.8.8:53 stp.babsft.com udp
US 184.154.27.233:80 stp.babsft.com tcp
US 8.8.8.8:53 stpui.babsft.com udp
US 184.154.27.233:80 stpui.babsft.com tcp
NL 198.20.106.236:80 dl.babsft.com tcp
NL 198.20.106.236:80 dl.babsft.com tcp
N/A 127.0.0.1:116 tcp
US 184.154.27.233:80 stpui.babsft.com tcp
US 8.8.8.8:53 img.babylon.com udp
US 198.143.128.241:80 img.babylon.com tcp
US 198.143.128.241:80 img.babylon.com tcp
US 184.154.27.233:80 stpui.babsft.com tcp
US 184.154.27.233:80 stpui.babsft.com tcp
US 184.154.27.233:80 stpui.babsft.com tcp
US 184.154.27.233:80 stpui.babsft.com tcp

Files

memory/1368-54-0x0000000076461000-0x0000000076463000-memory.dmp

\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe

MD5 1aee40c0cd0ece0f8dc23c920ad695d5
SHA1 222941e777fccba46b0e14ec3686dc6146976a23
SHA256 1e1a9ec50975eca76f12a83b6be8d0107bdaf0015fb60aa9318c8f7b6e6f5b1b
SHA512 1958751b5e350442b3ab8ec16835c9054d56ba3f66f9efcad4c300dd1820552a9d753b4fe4d813b2e31b1800150e4c4f0ebe8ee1490fbb0297e31be64afe1748

memory/936-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe

MD5 1aee40c0cd0ece0f8dc23c920ad695d5
SHA1 222941e777fccba46b0e14ec3686dc6146976a23
SHA256 1e1a9ec50975eca76f12a83b6be8d0107bdaf0015fb60aa9318c8f7b6e6f5b1b
SHA512 1958751b5e350442b3ab8ec16835c9054d56ba3f66f9efcad4c300dd1820552a9d753b4fe4d813b2e31b1800150e4c4f0ebe8ee1490fbb0297e31be64afe1748

\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe

MD5 1e77f6bea1e30db75604efc90f82f4b0
SHA1 6030676abef280ffa08743a19c88a8237b9ec335
SHA256 13d8a6592e0dd66d7f83831298cc8f0650e69e1519b329c2d064f4324830406a
SHA512 0c8b42d5596357a928985ddc915cbd531b8908fca609094070e62b5a2855238197ce361f32defcfa0a8c33caf1df96336be3251e611ad4ee0ac3934fdc93dc77

memory/1276-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe

MD5 1e77f6bea1e30db75604efc90f82f4b0
SHA1 6030676abef280ffa08743a19c88a8237b9ec335
SHA256 13d8a6592e0dd66d7f83831298cc8f0650e69e1519b329c2d064f4324830406a
SHA512 0c8b42d5596357a928985ddc915cbd531b8908fca609094070e62b5a2855238197ce361f32defcfa0a8c33caf1df96336be3251e611ad4ee0ac3934fdc93dc77

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\bab016.v10ttl.dat

MD5 f391c791cddef78f3b258b875374e3ca
SHA1 5957844d36896195e470e505323b3bd8205a622e
SHA256 8cab66a3318de4e2a6d3e2266a9aa4fb51c20a8e8017845c8d01df5514c4a98e
SHA512 7b04e102aaa0befaa8717f9131b140eda51948fc9396694dac4db8f497efa889911bdef783e08a8f81d7a6e8ca9847e72e6e509c93a975a03fbb0372bbecfb0e

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\bab049.cbid050812.dat

MD5 cc1b681ed072bcef4df4113dee901459
SHA1 bcd524a7d217d17ef4ad3ccf3941a73da10fd8bd
SHA256 98945e42eb5a93adb8af326ea90fb320b5ab8bac947f39267c41503103dd2522
SHA512 5c02d58114ac3c499985388b9c378ccc6cb11a39b7ddd2e0a3549300441cf6aa9223b6d9b4109032c16a207301fb7c55823561e5c0e29dd4190c29e429b1ce02

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\bab066.abtstr.dat

MD5 2f32e22bc344cb74c5dc6d965620b65a
SHA1 8c3c0fc770ca136631fb5961a26def2b18229bda
SHA256 fa3685a284892283a70ea3b414fd7049fe97fcb8cbdad323a226e89383aca0b5
SHA512 1c78c40d28baeb81bf085a9912d5d63820753a7d319472dd9540710fba6431965f7a7a0381199da06685faf8b4c1bd9b222a5959b1aca0cd63c115e7698517ac

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\bab222.15ftt.dat

MD5 0199a430416761529f0b218726bf626a
SHA1 0b32e84def910fbd5dec04a3d9aa1f8eb4b9ec26
SHA256 8c06f34ed1271caa22a23ca9346a9631939b7e386f494cca82b2631c2874022a
SHA512 05f0d5628128bc141e704a1ce4f772463a975d965a0a90bc450bf44a004cf7945b869ecf330f0909acd73759ebeec8f30937258bbbb03ac50130bfc645b5ddba

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\bab307.sp_pop0.dat

MD5 0b7be9c4b72c2c5166bfd61ca5ebbfed
SHA1 aea0aa4e8226c1b4efce92e909da773744baa6d4
SHA256 673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd
SHA512 4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\SetupStrings.dat

MD5 407846797c5ba247abeb5fa7c0c0ba05
SHA1 44386455eed8e74d75e95e9e81e96a19f0b27884
SHA256 0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3
SHA512 7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Babylon.dat

MD5 825e5733974586a0a1229a53361ed13e
SHA1 9ec5b8944c6727fda6fdc3c18856884554cf6b31
SHA256 0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96
SHA512 ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Local\Temp\96B6E0~1\IEHelper.dll

MD5 a21de5067618d4f2df261416315ed120
SHA1 7759a3318de2abc3755ebb7f50322c6d586b5286
SHA256 6d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca
SHA512 6b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a

\Users\Admin\AppData\Local\Temp\96B6E0~1\IEHelper.dll

MD5 a21de5067618d4f2df261416315ed120
SHA1 7759a3318de2abc3755ebb7f50322c6d586b5286
SHA256 6d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca
SHA512 6b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a

memory/1764-77-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\setup.ico

MD5 87b19ef4ae23d80f7cdccc16dc633e7e
SHA1 39f49c3896911c401aa168628df97ab3c214c6dd
SHA256 ca1fd6a93359601754dcd7be92c04930365793cf75f7bdacb4619844a3471ce1
SHA512 8a849679ff0e95eca41cb08deaa7c748e4ff65c18c2653e47ef2e10d19946caaddfb5ed71340e2cf256e95e5033028024877edc1213b08e328e786a7360c55f1

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\HtmlScreens\loading.html

MD5 f50fa4673555652289652753183fd1ee
SHA1 f496797f0d34eb866d6328d2fd1492b485f74d0a
SHA256 afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812
SHA512 6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\BExternal.dll

MD5 b212865e7e478a28a97268f960079a8d
SHA1 ded201ae02fb9ea3646489afeda49270c4620d9c
SHA256 d6138aef3f7674e2442add75013c86ca8fda3d5ba69737a9b881e7f7bbc730e6
SHA512 d973f9cb45d2035a8546bbdf77fa1b239a3f1e4ba2b17d32195a1cfed13fe06aaf48b91a133cebd7e53481ab5a5e9166329b730587b46a154b193779da6ad737

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\HtmlScreens\navError.html

MD5 0c464e407c81764ebc09eacbe41f0b3e
SHA1 245afe550a05215e5873d8f5f21c22d12aa46b6a
SHA256 770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26
SHA512 71070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc

\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe

MD5 d41b0dae45b7b7059416783055082dca
SHA1 ef6d0caeeab23f2cb6e4a65cd46e6ba34e842a29
SHA256 a4729fdaec10a4335e6f13f7fc4d5cd0c1eb4dbda1820be3ca3095f3440fa515
SHA512 5118306be917afcc2aecff1544907d17d3f8d951cdcea472c78f5685b7524cd6a68cc367ca36ce14caa7592422df4a8ec597dcab97d9ed64ab76d48b82618d32

memory/804-89-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe

MD5 d41b0dae45b7b7059416783055082dca
SHA1 ef6d0caeeab23f2cb6e4a65cd46e6ba34e842a29
SHA256 a4729fdaec10a4335e6f13f7fc4d5cd0c1eb4dbda1820be3ca3095f3440fa515
SHA512 5118306be917afcc2aecff1544907d17d3f8d951cdcea472c78f5685b7524cd6a68cc367ca36ce14caa7592422df4a8ec597dcab97d9ed64ab76d48b82618d32

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe

MD5 d41b0dae45b7b7059416783055082dca
SHA1 ef6d0caeeab23f2cb6e4a65cd46e6ba34e842a29
SHA256 a4729fdaec10a4335e6f13f7fc4d5cd0c1eb4dbda1820be3ca3095f3440fa515
SHA512 5118306be917afcc2aecff1544907d17d3f8d951cdcea472c78f5685b7524cd6a68cc367ca36ce14caa7592422df4a8ec597dcab97d9ed64ab76d48b82618d32

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe

MD5 1e77f6bea1e30db75604efc90f82f4b0
SHA1 6030676abef280ffa08743a19c88a8237b9ec335
SHA256 13d8a6592e0dd66d7f83831298cc8f0650e69e1519b329c2d064f4324830406a
SHA512 0c8b42d5596357a928985ddc915cbd531b8908fca609094070e62b5a2855238197ce361f32defcfa0a8c33caf1df96336be3251e611ad4ee0ac3934fdc93dc77

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\stp_bbl.dat

MD5 4682606995e6f849c53e1dceb038d52e
SHA1 62906101dd4beb380d982ff05c47ed3c7d6d1b42
SHA256 f6753e0521958250cad68dacce1b31e1ccb3be47b59e0c5f4aa9bf2477a313b5
SHA512 ccecb874b8a64f154c4bb25a2ed4692f12abbfaa00cb2636bf418d64b0df748212b0c4b5edcecf530a18c2d3c5710844abfeccec5fd7457730a192f9ce810a65

\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe

MD5 1e77f6bea1e30db75604efc90f82f4b0
SHA1 6030676abef280ffa08743a19c88a8237b9ec335
SHA256 13d8a6592e0dd66d7f83831298cc8f0650e69e1519b329c2d064f4324830406a
SHA512 0c8b42d5596357a928985ddc915cbd531b8908fca609094070e62b5a2855238197ce361f32defcfa0a8c33caf1df96336be3251e611ad4ee0ac3934fdc93dc77

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\SetupStrings.dat

MD5 29f499560e54ace4ac6d95c20f7a5e85
SHA1 d6e99033ecede912fb0403ae02d60141e1e6c67b
SHA256 1a13997c37bed6159085726f844de6455172cda3812be9b557422e3c6ef789d6
SHA512 cf71be7260776c84389a9ac34689a7f456ab3f806bfd9e04201ab068bb83c0bff890c7c7b4a644c061a30092a2554b9861058bd60293d3cd3fc1304ab06762c8

\Users\Admin\AppData\Local\Temp\96B6E0~1\Latest\IECOOK~1.DLL

MD5 275596dec9cfad85401b803630d7e6c5
SHA1 a0abe06d091fc974c363329d968182528e9bd74c
SHA256 8b1cd85c1a3878e7d48be4be267eba73c14160cf05a19b0d45bbbc308855d531
SHA512 a82c59b2785deff5844db361b6c95d1a2a4b5c7762b501aa4b250c93cc37985ebaa6ce152aeb488fbdd6d648a7d2a64ffbd4b050bf63c1d3e2fa0ff43e0ab391

\Users\Admin\AppData\Local\Temp\96B6E0~1\Latest\IECOOK~1.DLL

MD5 275596dec9cfad85401b803630d7e6c5
SHA1 a0abe06d091fc974c363329d968182528e9bd74c
SHA256 8b1cd85c1a3878e7d48be4be267eba73c14160cf05a19b0d45bbbc308855d531
SHA512 a82c59b2785deff5844db361b6c95d1a2a4b5c7762b501aa4b250c93cc37985ebaa6ce152aeb488fbdd6d648a7d2a64ffbd4b050bf63c1d3e2fa0ff43e0ab391

\Users\Admin\AppData\Local\Temp\96B6E0~1\Latest\IECOOK~1.DLL

MD5 275596dec9cfad85401b803630d7e6c5
SHA1 a0abe06d091fc974c363329d968182528e9bd74c
SHA256 8b1cd85c1a3878e7d48be4be267eba73c14160cf05a19b0d45bbbc308855d531
SHA512 a82c59b2785deff5844db361b6c95d1a2a4b5c7762b501aa4b250c93cc37985ebaa6ce152aeb488fbdd6d648a7d2a64ffbd4b050bf63c1d3e2fa0ff43e0ab391

\Users\Admin\AppData\Local\Temp\96B6E0~1\Latest\IECOOK~1.DLL

MD5 275596dec9cfad85401b803630d7e6c5
SHA1 a0abe06d091fc974c363329d968182528e9bd74c
SHA256 8b1cd85c1a3878e7d48be4be267eba73c14160cf05a19b0d45bbbc308855d531
SHA512 a82c59b2785deff5844db361b6c95d1a2a4b5c7762b501aa4b250c93cc37985ebaa6ce152aeb488fbdd6d648a7d2a64ffbd4b050bf63c1d3e2fa0ff43e0ab391

C:\Users\Admin\AppData\Local\Temp\96B6E0~1\Latest\IECOOK~1.DLL

MD5 275596dec9cfad85401b803630d7e6c5
SHA1 a0abe06d091fc974c363329d968182528e9bd74c
SHA256 8b1cd85c1a3878e7d48be4be267eba73c14160cf05a19b0d45bbbc308855d531
SHA512 a82c59b2785deff5844db361b6c95d1a2a4b5c7762b501aa4b250c93cc37985ebaa6ce152aeb488fbdd6d648a7d2a64ffbd4b050bf63c1d3e2fa0ff43e0ab391

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\ClientSetup.aoi

MD5 c7cefa16289de8830edbe5a693386f74
SHA1 393cff22ff616d03e2623b42c49d163fd3548536
SHA256 794d60dfd8d3652d914f6210113657a552c39f8a972c58236f172a6d57bffe2e
SHA512 d6eb73a2c8daf679961017567a712eca709c27640825d736e748fafc5341d3e82bf7e959d02032a018d1dad1337cd880dd651bb95e2b12144a0df9aa14e4b157

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\ClientSetupStart.dll

MD5 595c8260fada99d2a213c0892ba58bcf
SHA1 f7046823d34d0517a9b852dc5fcc6e470950aafb
SHA256 feb13da19d6926764514d15cdebec16c06d1cc1f8c1a0ac6bcd48877d1ce1f57
SHA512 73ba9c1e848edaf7c208d5b9f3f997356e033e234de23cecf47114218c453b62655eca659689027214db3b07d74d377ffaff61be5bddfe6f3153e68d406e047b

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\ClientSetupStart.aoi

MD5 1408225f8c6c919c3f7fdc3a0a70d9c4
SHA1 6ae23a3d57d0d09d182dd3fa24c8173c311aaf64
SHA256 4b91c539986a1083986741a3472b1b2e91ffa06d57f3916c82b0ec731ac568d4
SHA512 df359c41ad452c5833cb3693f829b95c2d4466b74dd655fd622f2f040912cd1debbe402a407e12ce1189e92449080286ea1290fc2797a3844eccd3107e53d295

\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\ClientSetupStart.dll

MD5 595c8260fada99d2a213c0892ba58bcf
SHA1 f7046823d34d0517a9b852dc5fcc6e470950aafb
SHA256 feb13da19d6926764514d15cdebec16c06d1cc1f8c1a0ac6bcd48877d1ce1f57
SHA512 73ba9c1e848edaf7c208d5b9f3f997356e033e234de23cecf47114218c453b62655eca659689027214db3b07d74d377ffaff61be5bddfe6f3153e68d406e047b

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.ico

MD5 87b19ef4ae23d80f7cdccc16dc633e7e
SHA1 39f49c3896911c401aa168628df97ab3c214c6dd
SHA256 ca1fd6a93359601754dcd7be92c04930365793cf75f7bdacb4619844a3471ce1
SHA512 8a849679ff0e95eca41cb08deaa7c748e4ff65c18c2653e47ef2e10d19946caaddfb5ed71340e2cf256e95e5033028024877edc1213b08e328e786a7360c55f1

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\HtmlScreens\loading.html

MD5 f50fa4673555652289652753183fd1ee
SHA1 f496797f0d34eb866d6328d2fd1492b485f74d0a
SHA256 afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812
SHA512 6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Babylon.dat

MD5 825e5733974586a0a1229a53361ed13e
SHA1 9ec5b8944c6727fda6fdc3c18856884554cf6b31
SHA256 0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96
SHA512 ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\49X9ZHAH.txt

MD5 49e091b417f05f166508ee56ff7a8656
SHA1 91f1fff322c4548d6e537f0e9aee111502c098bb
SHA256 72864a9c55cd6241a465de463e77765675f6eb7fb7f777a326fe299842fe148a
SHA512 1b7114e6033c82725576079d68ed7d583a4fc019ef0a9f2d7a57c462ca13c4735a8dd8c726ff2ee1f993514f4cc5cbdb446f1bffbb74a5aa34670a90840f62e5

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-01 17:58

Reported

2022-10-01 18:12

Platform

win10v2004-20220812-en

Max time kernel

172s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"

Signatures

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1344 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
PID 1344 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
PID 1344 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
PID 1104 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe
PID 1104 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe
PID 1104 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe
PID 3388 wrote to memory of 3916 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3388 wrote to memory of 3916 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3388 wrote to memory of 3916 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3364 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe
PID 3364 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe
PID 3364 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe
PID 3388 wrote to memory of 3888 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3388 wrote to memory of 3888 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3388 wrote to memory of 3888 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe

"C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"

C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe" -uiname=babylonO1 /brwsr=dnl -trkInfo=[spt:1] -490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\61BF3E~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe

C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe -latest -tsp=8310 -uiname=babylonO1 /brwsr=dnl -trkInfo=[spt:1] -490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\61BF3E~1\Latest\IECOOK~1.DLL,UpdateProtectedModeCookieCache affilID|http://babylon-software.com

Network


Files
