Analysis Overview
SHA256
183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1
Threat Level: Known bad
The file 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Neshta
Modifies system executable filetype association
Neshta family
Detect Neshta payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Checks whether UAC is enabled
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-01 17:58
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta family
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-01 17:58
Reported
2022-10-01 18:11
Platform
win7-20220901-en
Max time kernel
97s
Max time network
159s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A |
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
"C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe" -uiname=babylonO1 /brwsr=dnl -trkInfo=[spt:1] -490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\96B6E0~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe -latest -dlp -tsp=8310 -uiname=babylonO1 /brwsr=dnl -trkInfo=[spt:1] -490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\96B6E0~1\Latest\IECOOK~1.DLL,UpdateProtectedModeCookieCache affilID|http://babylon-software.com
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | info.babylon.com | udp |
| US | 8.8.8.8:53 | stp.babylon.com | udp |
| US | 184.154.27.232:80 | stp.babylon.com | tcp |
| US | 184.154.27.235:80 | info.babylon.com | tcp |
| US | 8.8.8.8:53 | dl.babsft.com | udp |
| NL | 198.20.106.236:80 | dl.babsft.com | tcp |
| US | 8.8.8.8:53 | stpui.babylon.com | udp |
| US | 184.154.27.242:80 | stpui.babylon.com | tcp |
| N/A | 127.0.0.1:116 | N/A | tcp |
| N/A | 127.0.0.1:116 | N/A | tcp |
| N/A | 127.0.0.1:116 | N/A | tcp |
| US | 8.8.8.8:53 | stat.babsft.com | udp |
| US | 184.154.27.233:80 | stat.babsft.com | tcp |
| US | 8.8.8.8:53 | stp.babsft.com | udp |
| US | 184.154.27.233:80 | stp.babsft.com | tcp |
| US | 8.8.8.8:53 | stpui.babsft.com | udp |
| US | 184.154.27.233:80 | stpui.babsft.com | tcp |
| NL | 198.20.106.236:80 | dl.babsft.com | tcp |
| NL | 198.20.106.236:80 | dl.babsft.com | tcp |
| N/A | 127.0.0.1:116 | N/A | tcp |
| US | 184.154.27.233:80 | stpui.babsft.com | tcp |
| US | 8.8.8.8:53 | img.babylon.com | udp |
| US | 198.143.128.241:80 | img.babylon.com | tcp |
| US | 198.143.128.241:80 | img.babylon.com | tcp |
| US | 184.154.27.233:80 | stpui.babsft.com | tcp |
| US | 184.154.27.233:80 | stpui.babsft.com | tcp |
| US | 184.154.27.233:80 | stpui.babsft.com | tcp |
| US | 184.154.27.233:80 | stpui.babsft.com | tcp |
Files
memory/1368-54-0x0000000076461000-0x0000000076463000-memory.dmp
\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
| MD5 | 1aee40c0cd0ece0f8dc23c920ad695d5 |
| SHA1 | 222941e777fccba46b0e14ec3686dc6146976a23 |
| SHA256 | 1e1a9ec50975eca76f12a83b6be8d0107bdaf0015fb60aa9318c8f7b6e6f5b1b |
| SHA512 | 1958751b5e350442b3ab8ec16835c9054d56ba3f66f9efcad4c300dd1820552a9d753b4fe4d813b2e31b1800150e4c4f0ebe8ee1490fbb0297e31be64afe1748 |
memory/936-56-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Setup.exe
| MD5 | 1e77f6bea1e30db75604efc90f82f4b0 |
| SHA1 | 6030676abef280ffa08743a19c88a8237b9ec335 |
| SHA256 | 13d8a6592e0dd66d7f83831298cc8f0650e69e1519b329c2d064f4324830406a |
| SHA512 | 0c8b42d5596357a928985ddc915cbd531b8908fca609094070e62b5a2855238197ce361f32defcfa0a8c33caf1df96336be3251e611ad4ee0ac3934fdc93dc77 |
memory/1276-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\bab016.v10ttl.dat
| MD5 | f391c791cddef78f3b258b875374e3ca |
| SHA1 | 5957844d36896195e470e505323b3bd8205a622e |
| SHA256 | 8cab66a3318de4e2a6d3e2266a9aa4fb51c20a8e8017845c8d01df5514c4a98e |
| SHA512 | 7b04e102aaa0befaa8717f9131b140eda51948fc9396694dac4db8f497efa889911bdef783e08a8f81d7a6e8ca9847e72e6e509c93a975a03fbb0372bbecfb0e |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\bab049.cbid050812.dat
| MD5 | cc1b681ed072bcef4df4113dee901459 |
| SHA1 | bcd524a7d217d17ef4ad3ccf3941a73da10fd8bd |
| SHA256 | 98945e42eb5a93adb8af326ea90fb320b5ab8bac947f39267c41503103dd2522 |
| SHA512 | 5c02d58114ac3c499985388b9c378ccc6cb11a39b7ddd2e0a3549300441cf6aa9223b6d9b4109032c16a207301fb7c55823561e5c0e29dd4190c29e429b1ce02 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\bab066.abtstr.dat
| MD5 | 2f32e22bc344cb74c5dc6d965620b65a |
| SHA1 | 8c3c0fc770ca136631fb5961a26def2b18229bda |
| SHA256 | fa3685a284892283a70ea3b414fd7049fe97fcb8cbdad323a226e89383aca0b5 |
| SHA512 | 1c78c40d28baeb81bf085a9912d5d63820753a7d319472dd9540710fba6431965f7a7a0381199da06685faf8b4c1bd9b222a5959b1aca0cd63c115e7698517ac |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\bab222.15ftt.dat
| MD5 | 0199a430416761529f0b218726bf626a |
| SHA1 | 0b32e84def910fbd5dec04a3d9aa1f8eb4b9ec26 |
| SHA256 | 8c06f34ed1271caa22a23ca9346a9631939b7e386f494cca82b2631c2874022a |
| SHA512 | 05f0d5628128bc141e704a1ce4f772463a975d965a0a90bc450bf44a004cf7945b869ecf330f0909acd73759ebeec8f30937258bbbb03ac50130bfc645b5ddba |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\bab307.sp_pop0.dat
| MD5 | 0b7be9c4b72c2c5166bfd61ca5ebbfed |
| SHA1 | aea0aa4e8226c1b4efce92e909da773744baa6d4 |
| SHA256 | 673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd |
| SHA512 | 4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\SetupStrings.dat
| MD5 | 407846797c5ba247abeb5fa7c0c0ba05 |
| SHA1 | 44386455eed8e74d75e95e9e81e96a19f0b27884 |
| SHA256 | 0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3 |
| SHA512 | 7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Babylon.dat
| MD5 | 825e5733974586a0a1229a53361ed13e |
| SHA1 | 9ec5b8944c6727fda6fdc3c18856884554cf6b31 |
| SHA256 | 0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96 |
| SHA512 | ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e |
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
C:\Users\Admin\AppData\Local\Temp\96B6E0~1\IEHelper.dll
| MD5 | a21de5067618d4f2df261416315ed120 |
| SHA1 | 7759a3318de2abc3755ebb7f50322c6d586b5286 |
| SHA256 | 6d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca |
| SHA512 | 6b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a |
memory/1764-77-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\sqlite3.dll
| MD5 | 0f66e8e2340569fb17e774dac2010e31 |
| SHA1 | 406bb6854e7384ff77c0b847bf2f24f3315874a3 |
| SHA256 | de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f |
| SHA512 | 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\setup.ico
| MD5 | 87b19ef4ae23d80f7cdccc16dc633e7e |
| SHA1 | 39f49c3896911c401aa168628df97ab3c214c6dd |
| SHA256 | ca1fd6a93359601754dcd7be92c04930365793cf75f7bdacb4619844a3471ce1 |
| SHA512 | 8a849679ff0e95eca41cb08deaa7c748e4ff65c18c2653e47ef2e10d19946caaddfb5ed71340e2cf256e95e5033028024877edc1213b08e328e786a7360c55f1 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\HtmlScreens\loading.html
| MD5 | f50fa4673555652289652753183fd1ee |
| SHA1 | f496797f0d34eb866d6328d2fd1492b485f74d0a |
| SHA256 | afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812 |
| SHA512 | 6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\HtmlScreens\pBar.gif
| MD5 | 26621cb27bbc94f6bab3561791ac013b |
| SHA1 | 4010a489350cf59fd8f36f8e59b53e724c49cc5b |
| SHA256 | e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3 |
| SHA512 | 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\BExternal.dll
| MD5 | b212865e7e478a28a97268f960079a8d |
| SHA1 | ded201ae02fb9ea3646489afeda49270c4620d9c |
| SHA256 | d6138aef3f7674e2442add75013c86ca8fda3d5ba69737a9b881e7f7bbc730e6 |
| SHA512 | d973f9cb45d2035a8546bbdf77fa1b239a3f1e4ba2b17d32195a1cfed13fe06aaf48b91a133cebd7e53481ab5a5e9166329b730587b46a154b193779da6ad737 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\HtmlScreens\navError.html
| MD5 | 0c464e407c81764ebc09eacbe41f0b3e |
| SHA1 | 245afe550a05215e5873d8f5f21c22d12aa46b6a |
| SHA256 | 770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26 |
| SHA512 | 71070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc |
\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.exe
| MD5 | d41b0dae45b7b7059416783055082dca |
| SHA1 | ef6d0caeeab23f2cb6e4a65cd46e6ba34e842a29 |
| SHA256 | a4729fdaec10a4335e6f13f7fc4d5cd0c1eb4dbda1820be3ca3095f3440fa515 |
| SHA512 | 5118306be917afcc2aecff1544907d17d3f8d951cdcea472c78f5685b7524cd6a68cc367ca36ce14caa7592422df4a8ec597dcab97d9ed64ab76d48b82618d32 |
memory/804-89-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\sqlite3.dll
| MD5 | 0f66e8e2340569fb17e774dac2010e31 |
| SHA1 | 406bb6854e7384ff77c0b847bf2f24f3315874a3 |
| SHA256 | de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f |
| SHA512 | 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\stp_bbl.dat
| MD5 | 4682606995e6f849c53e1dceb038d52e |
| SHA1 | 62906101dd4beb380d982ff05c47ed3c7d6d1b42 |
| SHA256 | f6753e0521958250cad68dacce1b31e1ccb3be47b59e0c5f4aa9bf2477a313b5 |
| SHA512 | ccecb874b8a64f154c4bb25a2ed4692f12abbfaa00cb2636bf418d64b0df748212b0c4b5edcecf530a18c2d3c5710844abfeccec5fd7457730a192f9ce810a65 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\SetupStrings.dat
| MD5 | 29f499560e54ace4ac6d95c20f7a5e85 |
| SHA1 | d6e99033ecede912fb0403ae02d60141e1e6c67b |
| SHA256 | 1a13997c37bed6159085726f844de6455172cda3812be9b557422e3c6ef789d6 |
| SHA512 | cf71be7260776c84389a9ac34689a7f456ab3f806bfd9e04201ab068bb83c0bff890c7c7b4a644c061a30092a2554b9861058bd60293d3cd3fc1304ab06762c8 |
\Users\Admin\AppData\Local\Temp\96B6E0~1\Latest\IECOOK~1.DLL
| MD5 | 275596dec9cfad85401b803630d7e6c5 |
| SHA1 | a0abe06d091fc974c363329d968182528e9bd74c |
| SHA256 | 8b1cd85c1a3878e7d48be4be267eba73c14160cf05a19b0d45bbbc308855d531 |
| SHA512 | a82c59b2785deff5844db361b6c95d1a2a4b5c7762b501aa4b250c93cc37985ebaa6ce152aeb488fbdd6d648a7d2a64ffbd4b050bf63c1d3e2fa0ff43e0ab391 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\ClientSetup.aoi
| MD5 | c7cefa16289de8830edbe5a693386f74 |
| SHA1 | 393cff22ff616d03e2623b42c49d163fd3548536 |
| SHA256 | 794d60dfd8d3652d914f6210113657a552c39f8a972c58236f172a6d57bffe2e |
| SHA512 | d6eb73a2c8daf679961017567a712eca709c27640825d736e748fafc5341d3e82bf7e959d02032a018d1dad1337cd880dd651bb95e2b12144a0df9aa14e4b157 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\ClientSetupStart.dll
| MD5 | 595c8260fada99d2a213c0892ba58bcf |
| SHA1 | f7046823d34d0517a9b852dc5fcc6e470950aafb |
| SHA256 | feb13da19d6926764514d15cdebec16c06d1cc1f8c1a0ac6bcd48877d1ce1f57 |
| SHA512 | 73ba9c1e848edaf7c208d5b9f3f997356e033e234de23cecf47114218c453b62655eca659689027214db3b07d74d377ffaff61be5bddfe6f3153e68d406e047b |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\ClientSetupStart.aoi
| MD5 | 1408225f8c6c919c3f7fdc3a0a70d9c4 |
| SHA1 | 6ae23a3d57d0d09d182dd3fa24c8173c311aaf64 |
| SHA256 | 4b91c539986a1083986741a3472b1b2e91ffa06d57f3916c82b0ec731ac568d4 |
| SHA512 | df359c41ad452c5833cb3693f829b95c2d4466b74dd655fd622f2f040912cd1debbe402a407e12ce1189e92449080286ea1290fc2797a3844eccd3107e53d295 |
\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\ClientSetupStart.dll
| MD5 | 595c8260fada99d2a213c0892ba58bcf |
| SHA1 | f7046823d34d0517a9b852dc5fcc6e470950aafb |
| SHA256 | feb13da19d6926764514d15cdebec16c06d1cc1f8c1a0ac6bcd48877d1ce1f57 |
| SHA512 | 73ba9c1e848edaf7c208d5b9f3f997356e033e234de23cecf47114218c453b62655eca659689027214db3b07d74d377ffaff61be5bddfe6f3153e68d406e047b |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Setup.ico
| MD5 | 87b19ef4ae23d80f7cdccc16dc633e7e |
| SHA1 | 39f49c3896911c401aa168628df97ab3c214c6dd |
| SHA256 | ca1fd6a93359601754dcd7be92c04930365793cf75f7bdacb4619844a3471ce1 |
| SHA512 | 8a849679ff0e95eca41cb08deaa7c748e4ff65c18c2653e47ef2e10d19946caaddfb5ed71340e2cf256e95e5033028024877edc1213b08e328e786a7360c55f1 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\HtmlScreens\loading.html
| MD5 | f50fa4673555652289652753183fd1ee |
| SHA1 | f496797f0d34eb866d6328d2fd1492b485f74d0a |
| SHA256 | afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812 |
| SHA512 | 6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\HtmlScreens\pBar.gif
| MD5 | 26621cb27bbc94f6bab3561791ac013b |
| SHA1 | 4010a489350cf59fd8f36f8e59b53e724c49cc5b |
| SHA256 | e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3 |
| SHA512 | 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6 |
C:\Users\Admin\AppData\Local\Temp\96B6E0A0-BAB0-7891-9B1B-D5B163240A66\Latest\Babylon.dat
| MD5 | 825e5733974586a0a1229a53361ed13e |
| SHA1 | 9ec5b8944c6727fda6fdc3c18856884554cf6b31 |
| SHA256 | 0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96 |
| SHA512 | ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\49X9ZHAH.txt
| MD5 | 49e091b417f05f166508ee56ff7a8656 |
| SHA1 | 91f1fff322c4548d6e537f0e9aee111502c098bb |
| SHA256 | 72864a9c55cd6241a465de463e77765675f6eb7fb7f777a326fe299842fe148a |
| SHA512 | 1b7114e6033c82725576079d68ed7d583a4fc019ef0a9f2d7a57c462ca13c4735a8dd8c726ff2ee1f993514f4cc5cbdb446f1bffbb74a5aa34670a90840f62e5 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-01 17:58
Reported
2022-10-01 18:12
Platform
win10v2004-20220812-en
Max time kernel
172s
Max time network
176s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A |
Neshta
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3388 created 3364 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe |
| PID 3388 created 2420 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
"C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe" -uiname=babylonO1 /brwsr=dnl -trkInfo=[spt:1] -490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\61BF3E~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe -latest -tsp=8310 -uiname=babylonO1 /brwsr=dnl -trkInfo=[spt:1] -490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\61BF3E~1\Latest\IECOOK~1.DLL,UpdateProtectedModeCookieCache affilID|http://babylon-software.com
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 20.189.173.10:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.253.208.113:80 | | tcp |
| US | 8.253.208.113:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | info.babylon.com | udp |
| US | 8.8.8.8:53 | stp.babylon.com | udp |
| US | 184.154.27.235:80 | info.babylon.com | tcp |
| US | 184.154.27.232:80 | stp.babylon.com | tcp |
| US | 8.8.8.8:53 | dl.babsft.com | udp |
| US | 216.104.42.92:80 | dl.babsft.com | tcp |
| US | 8.8.8.8:53 | stpui.babylon.com | udp |
| US | 184.154.27.242:80 | stpui.babylon.com | tcp |
| US | 8.8.8.8:53 | img.babylon.com | udp |
| US | 184.154.27.242:80 | stpui.babylon.com | tcp |
| US | 108.163.228.179:80 | img.babylon.com | tcp |
| US | 108.163.228.179:80 | img.babylon.com | tcp |
| N/A | 127.0.0.1:116 | | tcp |
| N/A | 127.0.0.1:116 | | tcp |
| N/A | 127.0.0.1:116 | | tcp |
| US | 8.8.8.8:53 | stat.babsft.com | udp |
| US | 184.154.27.233:80 | stat.babsft.com | tcp |
| US | 8.8.8.8:53 | stp.babsft.com | udp |
| US | 184.154.27.233:80 | stp.babsft.com | tcp |
| US | 8.8.8.8:53 | stpui.babsft.com | udp |
| US | 184.154.27.233:80 | stpui.babsft.com | tcp |
| N/A | 127.0.0.1:116 | | tcp |
| US | 216.104.42.92:80 | dl.babsft.com | tcp |
| US | 216.104.42.92:80 | dl.babsft.com | tcp |
| US | 184.154.27.233:80 | stpui.babsft.com | tcp |
| US | 108.163.228.179:80 | img.babylon.com | tcp |
| US | 108.163.228.179:80 | img.babylon.com | tcp |
| US | 184.154.27.233:80 | stpui.babsft.com | tcp |
| US | 184.154.27.233:80 | stpui.babsft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
| MD5 | 1aee40c0cd0ece0f8dc23c920ad695d5 |
| SHA1 | 222941e777fccba46b0e14ec3686dc6146976a23 |
| SHA256 | 1e1a9ec50975eca76f12a83b6be8d0107bdaf0015fb60aa9318c8f7b6e6f5b1b |
| SHA512 | 1958751b5e350442b3ab8ec16835c9054d56ba3f66f9efcad4c300dd1820552a9d753b4fe4d813b2e31b1800150e4c4f0ebe8ee1490fbb0297e31be64afe1748 |
memory/1104-132-0x0000000000000000-mapping.dmp
memory/3364-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe
| MD5 | 1e77f6bea1e30db75604efc90f82f4b0 |
| SHA1 | 6030676abef280ffa08743a19c88a8237b9ec335 |
| SHA256 | 13d8a6592e0dd66d7f83831298cc8f0650e69e1519b329c2d064f4324830406a |
| SHA512 | 0c8b42d5596357a928985ddc915cbd531b8908fca609094070e62b5a2855238197ce361f32defcfa0a8c33caf1df96336be3251e611ad4ee0ac3934fdc93dc77 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\bab016.v10ttl.dat
| MD5 | f391c791cddef78f3b258b875374e3ca |
| SHA1 | 5957844d36896195e470e505323b3bd8205a622e |
| SHA256 | 8cab66a3318de4e2a6d3e2266a9aa4fb51c20a8e8017845c8d01df5514c4a98e |
| SHA512 | 7b04e102aaa0befaa8717f9131b140eda51948fc9396694dac4db8f497efa889911bdef783e08a8f81d7a6e8ca9847e72e6e509c93a975a03fbb0372bbecfb0e |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\bab049.cbid050812.dat
| MD5 | cc1b681ed072bcef4df4113dee901459 |
| SHA1 | bcd524a7d217d17ef4ad3ccf3941a73da10fd8bd |
| SHA256 | 98945e42eb5a93adb8af326ea90fb320b5ab8bac947f39267c41503103dd2522 |
| SHA512 | 5c02d58114ac3c499985388b9c378ccc6cb11a39b7ddd2e0a3549300441cf6aa9223b6d9b4109032c16a207301fb7c55823561e5c0e29dd4190c29e429b1ce02 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\bab066.abtstr.dat
| MD5 | 2f32e22bc344cb74c5dc6d965620b65a |
| SHA1 | 8c3c0fc770ca136631fb5961a26def2b18229bda |
| SHA256 | fa3685a284892283a70ea3b414fd7049fe97fcb8cbdad323a226e89383aca0b5 |
| SHA512 | 1c78c40d28baeb81bf085a9912d5d63820753a7d319472dd9540710fba6431965f7a7a0381199da06685faf8b4c1bd9b222a5959b1aca0cd63c115e7698517ac |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\bab222.15ftt.dat
| MD5 | 0199a430416761529f0b218726bf626a |
| SHA1 | 0b32e84def910fbd5dec04a3d9aa1f8eb4b9ec26 |
| SHA256 | 8c06f34ed1271caa22a23ca9346a9631939b7e386f494cca82b2631c2874022a |
| SHA512 | 05f0d5628128bc141e704a1ce4f772463a975d965a0a90bc450bf44a004cf7945b869ecf330f0909acd73759ebeec8f30937258bbbb03ac50130bfc645b5ddba |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\bab307.sp_pop0.dat
| MD5 | 0b7be9c4b72c2c5166bfd61ca5ebbfed |
| SHA1 | aea0aa4e8226c1b4efce92e909da773744baa6d4 |
| SHA256 | 673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd |
| SHA512 | 4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\SetupStrings.dat
| MD5 | 407846797c5ba247abeb5fa7c0c0ba05 |
| SHA1 | 44386455eed8e74d75e95e9e81e96a19f0b27884 |
| SHA256 | 0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3 |
| SHA512 | 7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Babylon.dat
| MD5 | 825e5733974586a0a1229a53361ed13e |
| SHA1 | 9ec5b8944c6727fda6fdc3c18856884554cf6b31 |
| SHA256 | 0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96 |
| SHA512 | ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e |
memory/3916-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\61BF3E~1\IEHelper.dll
| MD5 | a21de5067618d4f2df261416315ed120 |
| SHA1 | 7759a3318de2abc3755ebb7f50322c6d586b5286 |
| SHA256 | 6d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca |
| SHA512 | 6b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\IEHelper.dll
| MD5 | a21de5067618d4f2df261416315ed120 |
| SHA1 | 7759a3318de2abc3755ebb7f50322c6d586b5286 |
| SHA256 | 6d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca |
| SHA512 | 6b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\sqlite3.dll
| MD5 | 0f66e8e2340569fb17e774dac2010e31 |
| SHA1 | 406bb6854e7384ff77c0b847bf2f24f3315874a3 |
| SHA256 | de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f |
| SHA512 | 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\setup.ico
| MD5 | 87b19ef4ae23d80f7cdccc16dc633e7e |
| SHA1 | 39f49c3896911c401aa168628df97ab3c214c6dd |
| SHA256 | ca1fd6a93359601754dcd7be92c04930365793cf75f7bdacb4619844a3471ce1 |
| SHA512 | 8a849679ff0e95eca41cb08deaa7c748e4ff65c18c2653e47ef2e10d19946caaddfb5ed71340e2cf256e95e5033028024877edc1213b08e328e786a7360c55f1 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\HtmlScreens\loading.html
| MD5 | f50fa4673555652289652753183fd1ee |
| SHA1 | f496797f0d34eb866d6328d2fd1492b485f74d0a |
| SHA256 | afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812 |
| SHA512 | 6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\HtmlScreens\pBar.gif
| MD5 | 26621cb27bbc94f6bab3561791ac013b |
| SHA1 | 4010a489350cf59fd8f36f8e59b53e724c49cc5b |
| SHA256 | e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3 |
| SHA512 | 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\HtmlScreens\navError.html
| MD5 | 0c464e407c81764ebc09eacbe41f0b3e |
| SHA1 | 245afe550a05215e5873d8f5f21c22d12aa46b6a |
| SHA256 | 770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26 |
| SHA512 | 71070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\BExternal.dll
| MD5 | b212865e7e478a28a97268f960079a8d |
| SHA1 | ded201ae02fb9ea3646489afeda49270c4620d9c |
| SHA256 | d6138aef3f7674e2442add75013c86ca8fda3d5ba69737a9b881e7f7bbc730e6 |
| SHA512 | d973f9cb45d2035a8546bbdf77fa1b239a3f1e4ba2b17d32195a1cfed13fe06aaf48b91a133cebd7e53481ab5a5e9166329b730587b46a154b193779da6ad737 |
memory/2420-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe
| MD5 | d41b0dae45b7b7059416783055082dca |
| SHA1 | ef6d0caeeab23f2cb6e4a65cd46e6ba34e842a29 |
| SHA256 | a4729fdaec10a4335e6f13f7fc4d5cd0c1eb4dbda1820be3ca3095f3440fa515 |
| SHA512 | 5118306be917afcc2aecff1544907d17d3f8d951cdcea472c78f5685b7524cd6a68cc367ca36ce14caa7592422df4a8ec597dcab97d9ed64ab76d48b82618d32 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\sqlite3.dll
| MD5 | 0f66e8e2340569fb17e774dac2010e31 |
| SHA1 | 406bb6854e7384ff77c0b847bf2f24f3315874a3 |
| SHA256 | de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f |
| SHA512 | 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\stp_bbl.dat
| MD5 | 4682606995e6f849c53e1dceb038d52e |
| SHA1 | 62906101dd4beb380d982ff05c47ed3c7d6d1b42 |
| SHA256 | f6753e0521958250cad68dacce1b31e1ccb3be47b59e0c5f4aa9bf2477a313b5 |
| SHA512 | ccecb874b8a64f154c4bb25a2ed4692f12abbfaa00cb2636bf418d64b0df748212b0c4b5edcecf530a18c2d3c5710844abfeccec5fd7457730a192f9ce810a65 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\SetupStrings.dat
| MD5 | 29f499560e54ace4ac6d95c20f7a5e85 |
| SHA1 | d6e99033ecede912fb0403ae02d60141e1e6c67b |
| SHA256 | 1a13997c37bed6159085726f844de6455172cda3812be9b557422e3c6ef789d6 |
| SHA512 | cf71be7260776c84389a9ac34689a7f456ab3f806bfd9e04201ab068bb83c0bff890c7c7b4a644c061a30092a2554b9861058bd60293d3cd3fc1304ab06762c8 |
memory/3888-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\61BF3E~1\Latest\IECOOK~1.DLL
| MD5 | 275596dec9cfad85401b803630d7e6c5 |
| SHA1 | a0abe06d091fc974c363329d968182528e9bd74c |
| SHA256 | 8b1cd85c1a3878e7d48be4be267eba73c14160cf05a19b0d45bbbc308855d531 |
| SHA512 | a82c59b2785deff5844db361b6c95d1a2a4b5c7762b501aa4b250c93cc37985ebaa6ce152aeb488fbdd6d648a7d2a64ffbd4b050bf63c1d3e2fa0ff43e0ab391 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\IECookieLow.dll
| MD5 | 275596dec9cfad85401b803630d7e6c5 |
| SHA1 | a0abe06d091fc974c363329d968182528e9bd74c |
| SHA256 | 8b1cd85c1a3878e7d48be4be267eba73c14160cf05a19b0d45bbbc308855d531 |
| SHA512 | a82c59b2785deff5844db361b6c95d1a2a4b5c7762b501aa4b250c93cc37985ebaa6ce152aeb488fbdd6d648a7d2a64ffbd4b050bf63c1d3e2fa0ff43e0ab391 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\ClientSetup.aoi
| MD5 | c7cefa16289de8830edbe5a693386f74 |
| SHA1 | 393cff22ff616d03e2623b42c49d163fd3548536 |
| SHA256 | 794d60dfd8d3652d914f6210113657a552c39f8a972c58236f172a6d57bffe2e |
| SHA512 | d6eb73a2c8daf679961017567a712eca709c27640825d736e748fafc5341d3e82bf7e959d02032a018d1dad1337cd880dd651bb95e2b12144a0df9aa14e4b157 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\ClientSetupStart.aoi
| MD5 | 1408225f8c6c919c3f7fdc3a0a70d9c4 |
| SHA1 | 6ae23a3d57d0d09d182dd3fa24c8173c311aaf64 |
| SHA256 | 4b91c539986a1083986741a3472b1b2e91ffa06d57f3916c82b0ec731ac568d4 |
| SHA512 | df359c41ad452c5833cb3693f829b95c2d4466b74dd655fd622f2f040912cd1debbe402a407e12ce1189e92449080286ea1290fc2797a3844eccd3107e53d295 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\ClientSetupStart.dll
| MD5 | 595c8260fada99d2a213c0892ba58bcf |
| SHA1 | f7046823d34d0517a9b852dc5fcc6e470950aafb |
| SHA256 | feb13da19d6926764514d15cdebec16c06d1cc1f8c1a0ac6bcd48877d1ce1f57 |
| SHA512 | 73ba9c1e848edaf7c208d5b9f3f997356e033e234de23cecf47114218c453b62655eca659689027214db3b07d74d377ffaff61be5bddfe6f3153e68d406e047b |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.ico
| MD5 | 87b19ef4ae23d80f7cdccc16dc633e7e |
| SHA1 | 39f49c3896911c401aa168628df97ab3c214c6dd |
| SHA256 | ca1fd6a93359601754dcd7be92c04930365793cf75f7bdacb4619844a3471ce1 |
| SHA512 | 8a849679ff0e95eca41cb08deaa7c748e4ff65c18c2653e47ef2e10d19946caaddfb5ed71340e2cf256e95e5033028024877edc1213b08e328e786a7360c55f1 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\HtmlScreens\loading.html
| MD5 | f50fa4673555652289652753183fd1ee |
| SHA1 | f496797f0d34eb866d6328d2fd1492b485f74d0a |
| SHA256 | afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812 |
| SHA512 | 6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\HtmlScreens\pBar.gif
| MD5 | 26621cb27bbc94f6bab3561791ac013b |
| SHA1 | 4010a489350cf59fd8f36f8e59b53e724c49cc5b |
| SHA256 | e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3 |
| SHA512 | 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6 |
C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Babylon.dat
| MD5 | 825e5733974586a0a1229a53361ed13e |
| SHA1 | 9ec5b8944c6727fda6fdc3c18856884554cf6b31 |
| SHA256 | 0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96 |
| SHA512 | ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e |