njrat | ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

System Information Discovery

Processes:

Babylon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\International\Geo\Nation	Babylon.exe

Drops startup file 2 IoCs

Processes:

NJRat.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe

Executes dropped EXE 16 IoCs

Processes:

7z2201-x64.exe7zG.exe7zFM.exe7zFM.exe7zG.exe7zFM.exesmb-7teux2sm.exeBabylon12_Setup.exesetup.exeBabylonHelper64.exeBabylon.exeBabylonHelper64.exe7zG.exeNJRat.exeNakedWife.exeNople.exe

pid	process
1924	7z2201-x64.exe
1880	7zG.exe
5032	7zFM.exe
3264	7zFM.exe
4024	7zG.exe
2896	7zFM.exe
2068	smb-7teux2sm.exe
3408	Babylon12_Setup.exe
3784	setup.exe
5476	BabylonHelper64.exe
5220	Babylon.exe
1048	BabylonHelper64.exe
5352	7zG.exe
5224	NJRat.exe
5932	NakedWife.exe
2820	Nople.exe

Loads dropped DLL 61 IoCs

Processes:

7zG.exe7zFM.exe7zFM.exe7zG.exe7zFM.exesetup.exerundll32.exeregsvr32.exeregsvr32.exerundll32.exerundll32.exeregsvr32.exeregsvr32.exerundll32.exerundll32.exeBabylon.exeBabylonHelper64.exerundll32.exerundll32.exerundll32.exerundll32.exe7zG.exeNakedWife.exe

pid	process
3204
3204
1880	7zG.exe
5032	7zFM.exe
5032	7zFM.exe
5032	7zFM.exe
3264	7zFM.exe
3264	7zFM.exe
3264	7zFM.exe
3264	7zFM.exe
3264	7zFM.exe
4024	7zG.exe
2896	7zFM.exe
2896	7zFM.exe
3784	setup.exe
4332	rundll32.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
5804	regsvr32.exe
5816	regsvr32.exe
5840	rundll32.exe
5872	rundll32.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
6024	regsvr32.exe
6036	regsvr32.exe
6100	rundll32.exe
6120	rundll32.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
5220	Babylon.exe
5220	Babylon.exe
5220	Babylon.exe
5220	Babylon.exe
5220	Babylon.exe
5220	Babylon.exe
5220	Babylon.exe
5220	Babylon.exe
1048	BabylonHelper64.exe
5632	rundll32.exe
5764	rundll32.exe
5220	Babylon.exe
5220	Babylon.exe
5220	Babylon.exe
5780	rundll32.exe
5832	rundll32.exe
5220	Babylon.exe
5220	Babylon.exe
3204
5352	7zG.exe
5932	NakedWife.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

BabylonHelper64.exe7z2201-x64.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B00DAC-870D-4E6A-8D34-3A6E3E427A30}\LocalServer32	BabylonHelper64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B00DAC-870D-4E6A-8D34-3A6E3E427A30}\LocalServer32\ = "\"C:\\Program Files\\Babylon\\Babylon-Pro\\BabylonHelper64.exe\""	BabylonHelper64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{947217BD-E967-400A-B14A-BA851A8EDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Utils\\BabylonDocTranslation64PI.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5E7C3E9-37BF-4b5c-8234-F5DC02111B23}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5E7C3E9-37BF-4b5c-8234-F5DC02111B23}\InprocServer32\ = "C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Utils\\BabylonOffice64PI.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5E7C3E9-37BF-4b5c-8234-F5DC02111B23}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{947217BD-E967-400A-B14A-BA851A8EDCBB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{947217BD-E967-400A-B14A-BA851A8EDCBB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{947217BD-E967-400A-B14A-BA851A8EDCBB}\InprocServer32	regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

setup.exeNJRat.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Babylon Client = "C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Babylon.exe -AutoStart"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\RAT\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\RAT\\NJRat.exe\" .."	NJRat.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

setup.exerundll32.exeBabylon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Babylon.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}\ = "Babylon IE plugin"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}\NoExplorer = "1"	setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

7z2201-x64.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Romanian.ldtb	setup.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\Metaphone.dat	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Armenian.ldtb	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Hebrew.ldtb	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Serbian.ldtb	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Icelandic.ldtb	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Malay.ldtb	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Georgian.ldtb	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2201-x64.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\BException.dll	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Spanish.ldtb	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Japanese.ldtb	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Telugu.ldtb	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\captlib.dll	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\uninstbb.exe	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonDocTranslation64PI.dll	setup.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Updates\Rates.dat	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Belarusian.ldtb	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Estonian.ldtb	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Somali.ldtb	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\Strings.dat	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\English.ldtb	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\BContentServerExt.dll	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\Babylon.dat	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Galician.ldtb	setup.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2201-x64.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\French.ldtb	setup.exe
File created	C:\Program Files (x86)\Babylon\Babylon-Pro\Data\LDTs\Welsh.ldtb	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Babylon.exefirefox.exefirefox.exeAcroRd32.exeAcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Babylon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Babylon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

Processes:

Babylon.exeAcroRd32.exesetup.exeAcroRd32.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\MenuExt\Translate this web page with Babylon\ = "res://C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Utils\\BabylonIEPI.dll/ActionTU.htm"	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}\CLSID = "{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\MenuExt\Translate with Babylon\Contexts = "49"	Babylon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}\Policy = "3"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\MenuExt\Translate with Babylon	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID="	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478}\ButtonText = "Translate this web page with Babylon"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478}\Default Visible = "Yes"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\MenuExt\Translate this web page with Babylon	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\MenuExt\Translate this web page with Babylon\Contexts = "1"	Babylon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478}\MenuText = "Translate this web page with Babylon"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478}\ToolTip = "Babylon web page translation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478}\Script = "res://C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Utils\\BabylonIEPI.dll/ActionTU.htm"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Babylon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Babylon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478}\Icon = "C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Utils\\BabylonIEPI.dll,202"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478}\HotIcon = "C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Utils\\BabylonIEPI.dll,202"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\MenuExt\Translate with Babylon\ = "res://C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Utils\\BabylonIEPI.dll/Action.htm"	Babylon.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133282254676731909"	chrome.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.exeregsvr32.exesetup.exeBabylon.exeregsvr32.exeBabylonHelper64.exe7z2201-x64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\text_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{947217BD-E967-400A-B14A-BA851A8EDCBB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}\TypeLib\ = "{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/bof	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431FB0E5-2CBB-4602-9FE6-F1D64488ADD7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Babylon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}\ProxyStubClsid32	Babylon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}	Babylon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}\1.0\0\win32\ = "C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Utils\\BabylonIEPI.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F339F0B-716F-408F-A627-DEEB5DEB4020}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5E7C3E9-37BF-4b5c-8234-F5DC02111B23}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AC0BB10-C922-45e2-857D-2A368FE749E5}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BabyGloss\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8911483C-C00A-4183-9FBC-6C9C00946C15}\ = "IBabyAgent"	Babylon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5C9A2304-70A5-11D5-AFB0-0050DAC67890}\1.0\0\win32\ = "C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Babylon.exe\\1"	Babylon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}\ = "IBabyFullText"	Babylon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin\CLSID\ = "{6AC0BB10-C922-45e2-857D-2A368FE749E5}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F310F027-15CB-4A7F-B10D-3A4AFB5013A5}\1.0\0\win32\ = "C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Utils\\BabylonOfficePI.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}	BabylonHelper64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BabyGloss\shell\open\ddeexec\Application\ = "Babylon"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BabyGloss\shell\open\ddeexec\Topic\ = "Open_file"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5C9A2304-70A5-11D5-AFB0-0050DAC67890}\1.0\FLAGS	Babylon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BabylonIEPI.BabylonIEBho\CurVer\ = "BabylonIEPI.BabylonIEBho.1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5E7C3E9-37BF-4b5c-8234-F5DC02111B23}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{928FE5E7-D557-46B7-8AF6-17ACCE1FB4ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bgl	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}\TypeLib	Babylon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BabyOptFile\shell\open\ddeexec\Topic	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}\TypeLib	Babylon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}\ProxyStubClsid32	Babylon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}\ = "IXslExternal"	Babylon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\BabylonDocTrans\ = "{947217BD-E967-400A-B14A-BA851A8EDCBB}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{928FE5E7-D557-46B7-8AF6-17ACCE1FB4ED}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/bdc\Extension = ".bdc"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BabyDict\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}\TypeLib\ = "{5C9A2304-70A5-11D5-AFB0-0050DAC67890}"	Babylon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431FB0E5-2CBB-4602-9FE6-F1D64488ADD7}\ProxyStubClsid32	Babylon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8911483C-C00A-4183-9FBC-6C9C00946C15}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Babylon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37425600-CB21-49A0-8659-476FBAB0F8E8}	Babylon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F339F0B-716F-408F-A627-DEEB5DEB4020}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin64.1\CLSID\ = "{B5E7C3E9-37BF-4b5c-8234-F5DC02111B23}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F310F027-15CB-4A7F-B10D-3A4AFB5013A5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BabyOptFile\shell\open\ddeexec\Application	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}	Babylon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8911483C-C00A-4183-9FBC-6C9C00946C15}\TypeLib\Version = "1.0"	Babylon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BabyDict\shell\open\command\ = "\"C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Babylon.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin64\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AC0BB10-C922-45e2-857D-2A368FE749E5}\ = "OfficeAddin Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BabyGloss\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BabyGloss\shell\open\ddeexec\ = "\"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}\TypeLib\ = "{5C9A2304-70A5-11D5-AFB0-0050DAC67890}"	Babylon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}	Babylon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F310F027-15CB-4A7F-B10D-3A4AFB5013A5}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B00DAC-870D-4E6A-8D34-3A6E3E427A30}\LocalServer32	BabylonHelper64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 432c2d789c63626260610162264656c5200101202b0dc2d37b00e28830b2f33b5a5f10101090bfeb7004004c2b05f3	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F339F0B-716F-408F-A627-DEEB5DEB4020}\TypeLib\ = "{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bof\ = "BabyOptFile"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BabyOptFile\shell\open\ddeexec\Topic\ = "Open_file"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}\TypeLib\Version = "1.0"	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\.text	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\BabylonDocTrans\ = "{947217BD-E967-400A-B14A-BA851A8EDCBB}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exechrome.exechrome.exesetup.exeNJRat.exe

pid	process
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
4672	chrome.exe
4672	chrome.exe
3508	chrome.exe
3508	chrome.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe
5224	NJRat.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

Processes:

OpenWith.exe7zFM.exe7zFM.exe7zFM.exeBabylon.exeNakedWife.exe

pid process

2960 OpenWith.exe
5032 7zFM.exe
3264 7zFM.exe
2896 7zFM.exe
5220 Babylon.exe
5932 NakedWife.exe

pid	process
2960	OpenWith.exe
5032	7zFM.exe
3264	7zFM.exe
2896	7zFM.exe
5220	Babylon.exe
5932	NakedWife.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

chrome.exe

pid	process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exefirefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	4512	firefox.exe
Token: SeDebugPrivilege	4512	firefox.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exechrome.exe

pid	process
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exechrome.exe

pid	process
4512	firefox.exe
4512	firefox.exe
4512	firefox.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of SetWindowsHookEx 53 IoCs

Processes:

firefox.exeOpenWith.exeAcroRd32.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeAcroRd32.exesetup.exeBabylon.exeNakedWife.exe

pid	process
4512	firefox.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2960	OpenWith.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
1880	OpenWith.exe
1308	OpenWith.exe
1308	OpenWith.exe
1308	OpenWith.exe
1308	OpenWith.exe
1308	OpenWith.exe
1308	OpenWith.exe
1308	OpenWith.exe
1308	OpenWith.exe
1308	OpenWith.exe
1308	OpenWith.exe
1308	OpenWith.exe
2788	OpenWith.exe
2788	OpenWith.exe
2788	OpenWith.exe
2788	OpenWith.exe
2788	OpenWith.exe
3504	OpenWith.exe
3488	AcroRd32.exe
3488	AcroRd32.exe
3488	AcroRd32.exe
3488	AcroRd32.exe
3784	setup.exe
3784	setup.exe
3784	setup.exe
5220	Babylon.exe
5220	Babylon.exe
5220	Babylon.exe
5220	Babylon.exe
5220	Babylon.exe
5932	NakedWife.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 2064 wrote to memory of 4512	2064	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4552	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4552	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 4548	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 3440	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 3440	4512	firefox.exe	firefox.exe
PID 4512 wrote to memory of 3440	4512	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.0.1362172579\1211490346" -parentBuildID 20221007134813 -prefsHandle 1632 -prefMapHandle 1624 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7467c31c-36f2-4c25-8dc2-a1092e090dba} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 1748 21ad8f18f58 gpu
3⤵
PID:4552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.1.1030723501\1498903898" -parentBuildID 20221007134813 -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d81bd3e-2e17-457c-ab4f-50940a4a0699} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2104 21ad7d0e558 socket
3⤵
- Checks processor information in registry
PID:4548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.2.588856903\266995171" -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 2780 -prefsLen 20974 -prefMapSize 232645 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ebe5e69-4dbc-4b57-b9b2-ab53cebe9611} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2760 21adbc40258 tab
3⤵
PID:3440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.3.868401520\994478930" -childID 2 -isForBrowser -prefsHandle 1292 -prefMapHandle 1288 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d3250b8-d76c-4b34-9951-3482284d38f5} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 1276 21ada5fb558 tab
3⤵
PID:4896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.4.347685248\1277065701" -childID 3 -isForBrowser -prefsHandle 3420 -prefMapHandle 3436 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3fda34f-15ef-4b98-a855-6f3f11450203} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 3440 21acc562558 tab
3⤵
PID:4904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.5.1484067907\219675761" -childID 4 -isForBrowser -prefsHandle 1576 -prefMapHandle 4560 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b052fc22-2bb9-4ea8-8f5f-3a9409ff822e} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 1580 21adc241258 tab
3⤵
PID:3532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.6.1743619781\970318012" -childID 5 -isForBrowser -prefsHandle 4980 -prefMapHandle 4984 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b7bc1e1-0dd6-480a-b584-cbe83efd5176} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 1536 21adc2d5358 tab
3⤵
PID:2228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.7.2006171856\721494230" -childID 6 -isForBrowser -prefsHandle 5052 -prefMapHandle 4996 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86313c34-e714-42d4-8246-921835fcb9d1} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 5044 21adc2d6b58 tab
3⤵
PID:2136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.8.1839514669\1676443997" -childID 7 -isForBrowser -prefsHandle 5572 -prefMapHandle 5472 -prefsLen 26639 -prefMapSize 232645 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f28c255d-b705-4a3e-885b-306978a5c525} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 5580 21adc2d4158 tab
3⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd6d799758,0x7ffd6d799768,0x7ffd6d799778
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:2
2⤵
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4768 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5000 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3076 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1656 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3456 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4964 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5576 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5184 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4412 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:1312

C:\Users\Admin\Downloads\7z2201-x64.exe
"C:\Users\Admin\Downloads\7z2201-x64.exe"
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5924 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3668 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3508 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5752 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=4804 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5148 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5468 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4364 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2444 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=3900 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6104 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:8
2⤵
PID:360

C:\Users\Admin\Downloads\Babylon12_Setup.exe
"C:\Users\Admin\Downloads\Babylon12_Setup.exe"
2⤵
- Executes dropped EXE
PID:3408

C:\Users\Admin\AppData\Local\Temp\{C6EC2C5F-BAB0-7891-AE44-DC1391FCAC89}\setup.exe
"C:\Users\Admin\AppData\Local\Temp\{C6EC2C5F-BAB0-7891-AE44-DC1391FCAC89}\setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3784

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\{C6EC2~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache affilID|http://babylon-software.com
4⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:4332

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s /u "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonDocTranslation64PI.dll"
4⤵
PID:5744

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonDocTranslation64PI.dll"
4⤵
- Loads dropped DLL
PID:5804

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonDocTranslation64PI.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5816

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonDocTranslation64PI.dll",AdminAction64 1 0
4⤵
- Loads dropped DLL
PID:5840

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonDocTranslation64PI.dll",AdminAction64 1 0
5⤵
- Loads dropped DLL
PID:5872

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s /u "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll"
4⤵
PID:5996

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll"
4⤵
- Loads dropped DLL
PID:6024

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:6036

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll",AdminAction64 1 0
4⤵
- Loads dropped DLL
PID:6100

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll",AdminAction64 1 0
5⤵
- Loads dropped DLL
PID:6120

C:\Program Files\Babylon\Babylon-Pro\BabylonHelper64.exe
"C:\Program Files\Babylon\Babylon-Pro\BabylonHelper64.exe" /regserver
4⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:5476

C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe
"C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5220

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonDocTranslation64PI.dll",AdminAction64 3 0
5⤵
- Loads dropped DLL
PID:5632

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonDocTranslation64PI.dll",AdminAction64 3 0
6⤵
- Loads dropped DLL
PID:5764

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll",AdminAction64 3 0
5⤵
- Loads dropped DLL
PID:5780

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll",AdminAction64 3 0
6⤵
- Loads dropped DLL
PID:5832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument http://www.babylon-software.com/redirects/redir.cgi?type=getting_started&lang=0&first=1&ver=12.0.0.8&guid=0F41C687C21FF283&affID=&vid=&geo=IE&redir_subdomain=true
5⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd6d799758,0x7ffd6d799768,0x7ffd6d799778
6⤵
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=2656 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=5180 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:5748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=820 --field-trial-handle=1716,i,4836869921936168427,4308999256819726134,131072 /prefetch:1
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4324

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_malware-samples-master.zip\malware-samples-master\Wannacry\please-read-me.txt
1⤵
PID:1844

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\malware-samples-master\" -spe -an -ai#7zMap19073:102:7zEvent7235
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2960

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\malware-samples-master\Ransomware\Wannacry\smb-5cgc70g1.7z"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:404

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8BD3065E16FDF7F8DCE82FB972554090 --mojo-platform-channel-handle=1600 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:900

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AA4AB0E391788EFCEA0BED5C817AACA4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AA4AB0E391788EFCEA0BED5C817AACA4 --renderer-client-id=2 --mojo-platform-channel-handle=1616 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2892

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2BA10D4FF5A36D4D1580CCA67CA7E445 --mojo-platform-channel-handle=2236 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3432

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\malware-samples-master\Ransomware\Wannacry\smb-5cgc70g1.7z"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:5032

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745-20170707033827.zip"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:3264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0CCAAF4F\.text
2⤵
PID:2412

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745-20170707033827\" -spe -an -ai#7zMap28564:216:7zEvent32408
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3504

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\malware-samples-master\Downloader-CUZ\smb-7teux2sm.zip"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2896

C:\Users\Admin\AppData\Local\Temp\7zO05BF8D50\smb-7teux2sm.exe
"C:\Users\Admin\AppData\Local\Temp\7zO05BF8D50\smb-7teux2sm.exe"
2⤵
- Executes dropped EXE
PID:2068

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp4_malware-samples-master.zip\malware-samples-master\Virut\smb-qua22o4u.7z"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:1936

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D306AD3A29A406E58A1EAEC8F895E19D --mojo-platform-channel-handle=1604 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E1A546E97A72F72D64E711FF06605C7E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E1A546E97A72F72D64E711FF06605C7E --renderer-client-id=2 --mojo-platform-channel-handle=1588 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3052

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=49C76E267DC84877B9C560CAF09F4826 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4332

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:4880

C:\Program Files\Babylon\Babylon-Pro\BabylonHelper64.exe
"C:\Program Files\Babylon\Babylon-Pro\BabylonHelper64.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\" -spe -an -ai#7zMap23087:104:7zEvent8873
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5352

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\NJRat.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\NJRat.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:5224

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\NJRat.exe" "NJRat.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:5848

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\ILOVEYOU.vbs"
1⤵
PID:2340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\ILOVEYOU.vbs"
1⤵
PID:1328

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\NakedWife.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\NakedWife.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5932

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Worm\Nople.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Worm\Nople.exe"
1⤵
- Executes dropped EXE
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Network Service Scanning

T1046

Query Registry

System Information Discovery