Malware Analysis Report

2025-01-18 21:43

Sample ID 240415-d8s2tsgc41
Target f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118
SHA256 6a9fe92b79c4455d935dd6c226ffa173cbe852c461ae3f5d952a43f10cffa48d
Tags
adware stealer discovery persistence spyware
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral30, behavioral5, behavioral20, behavioral11, behavioral14, behavioral15, behavioral1, behavioral10, behavioral18, behavioral22, behavioral6, behavioral7, behavioral28, behavioral29, behavioral4, behavioral16, behavioral23, behavioral3, behavioral8, behavioral26, behavioral9, behavioral25, behavioral2, behavioral24, behavioral17, behavioral19, behavioral21, behavioral27, behavioral12, behavioral13 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

6a9fe92b79c4455d935dd6c226ffa173cbe852c461ae3f5d952a43f10cffa48d

Threat Level: Shows suspicious behavior

The file f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

adware stealer discovery persistence spyware

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 03:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

91s

Max time network

113s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bh\BabylonToolbar.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL\AppID = "{BDB69379-802F-4eaf-B541-F8DE92DD98DB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\VersionIndependentProgID\ = "escort.escortIEPane" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\ = "escrtBtn Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ProgID\ = "bbylntlbr.bbylntlbrHlpr.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ProgID\ = "escort.escortIEPane.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\Instance\InitPropertyBag\URL = "about:blank" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CLSID\ = "{2EECD738-5844-4a99-B4B6-146BF802613B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\ = "IescrtHlpr" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\AppID = "{BDB69379-802F-4eaf-B541-F8DE92DD98DB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escrtBtn.1\ = "escrtBtn Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\Instance\InitPropertyBag C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ = "babylonToolbar.com" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\VersionIndependentProgID\ = "bbylntlbr.bbylntlbrHlpr" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bh\\BabylonToolbar.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\ = "IescrtBtn" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\ProgID\ = "escort.escrtBtn.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escrtBtn.1\CurVer\ = "escort.escrtBtn.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "CescrtHlpr Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bh\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\ = "CescrtHlpr Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\Implemented Categories\{00021493-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\Instance C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 872 wrote to memory of 4488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 872 wrote to memory of 4488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 872 wrote to memory of 4488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bh\BabylonToolbar.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\bh\BabylonToolbar.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 228
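
The process listings in behavioral30 and behavioral5 show the pattern worth automating: a Windows host binary (regsvr32, rundll32, and wscript in the later runs) handed a module or script under the user's Temp directory, regsvr32 running silently with /s, rundll32 calling ordinal #1 of a DLL in the NSIS $PLUGINSDIR staging folder, and a WerFault invocation whose -p argument names the PID of the process that crashed. The Python below is an added example, not part of the sandbox output, that classifies such records and ties the WerFault report back to the crashed process. The records are constructed from the command lines above: PIDs 872 and 4488 come from the WriteProcessMemory rows and 2060 from the WerFault arguments, while the other PIDs, the shortened wscript path, and the list of user-writable path markers are assumptions of the example.

```python
"""Classify sandbox process records: flag Windows host binaries that load a module or
script from a user-writable path, and tie WerFault reports to the crashed process.
Added example; the records are constructed from the command lines in this report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hosts that execute whatever module or script their command line names.
CODE_HOSTS = {'regsvr32', 'rundll32', 'wscript', 'cscript', 'mshta'}
SCRIPT_EXT = ('.js', '.jse', '.vbs', '.vbe', '.wsf')
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')  # assumption
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\')
WERFAULT_PID_RE = re.compile(r'(?:^|\s)-p\s+(\d+)')   # WerFault -p <pid of the crashed process>


@dataclass
class ProcessRecord:
    pid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    host: str
    loaded: str              # module or script handed to the host
    entry: Optional[str]     # rundll32 export name/ordinal, if any
    reasons: List[str]


def stem(path: str) -> str:
    # lower-case file name without a trailing .exe, e.g. regsvr32.exe -> regsvr32
    return re.sub(r'\.exe$', '', path.rsplit('\\', 1)[-1].lower())


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace, keeping double-quoted arguments whole (quotes removed)."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') and len(t) > 1 else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def classify(rec: ProcessRecord) -> Optional[Finding]:
    host = stem(rec.image)
    if host not in CODE_HOSTS:
        return None
    toks = tokenize(rec.cmdline)
    if toks and stem(toks[0]) == host:
        toks = toks[1:]                      # drop argv[0]; the SysWOW64 regsvr32 child above lacks it
    switches = [t.lower() for t in toks if t.startswith('/')]
    targets = [t for t in toks if WIN_PATH_RE.match(t)]
    if not targets:
        return None
    loaded, entry = targets[0], None
    if host == 'rundll32' and ',' in loaded:
        loaded, _, entry = loaded.partition(',')   # rundll32 <dll>,<export>
    reasons = []
    if host == 'regsvr32' and '/s' in switches:
        reasons.append('regsvr32 silent registration (/s)')
    if entry:
        reasons.append(f'rundll32 export {entry}')
    if is_user_writable(loaded):
        reasons.append('module or script in user-writable path')
    if '$plugins' in loaded.lower():
        reasons.append('NSIS $PLUGINSDIR staging directory')
    if host in ('wscript', 'cscript') and loaded.lower().endswith(SCRIPT_EXT):
        reasons.append('script host running a dropped script')
    return Finding(rec.pid, host, loaded, entry, reasons)


def correlate_crashes(records: List[ProcessRecord]) -> List[Dict[str, object]]:
    by_pid = {r.pid: r for r in records}
    crashes = []
    for r in records:
        m = WERFAULT_PID_RE.search(r.cmdline) if stem(r.image) == 'werfault' else None
        if m:
            victim = by_pid.get(int(m.group(1)))
            crashes.append({'werfault_pid': r.pid, 'crashed_pid': int(m.group(1)),
                            'crashed_image': victim.image if victim else None})
    return crashes


def triage(records: List[ProcessRecord]) -> Tuple[List[Finding], List[Dict[str, object]]]:
    return [f for f in map(classify, records) if f], correlate_crashes(records)


# Constructed sample.  PIDs 872/4488 come from the WriteProcessMemory rows and 2060 from the
# WerFault arguments above; 2100, 3000 and the shortened wscript path are made up.
SAMPLE_RECORDS = [
    ProcessRecord(872, r'C:\Windows\system32\regsvr32.exe',
                  r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bh\BabylonToolbar.dll'),
    ProcessRecord(4488, r'C:\Windows\SysWOW64\regsvr32.exe',
                  r'/s C:\Users\Admin\AppData\Local\Temp\bh\BabylonToolbar.dll'),
    ProcessRecord(2060, r'C:\Windows\SysWOW64\rundll32.exe',
                  r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1'),
    ProcessRecord(2100, r'C:\Windows\SysWOW64\WerFault.exe',
                  r'C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 228'),
    ProcessRecord(3000, r'C:\Windows\system32\wscript.exe',
                  r'wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\content\bbylnDef.js'),
]

if __name__ == '__main__':
    findings, crashes = triage(SAMPLE_RECORDS)
    for f in findings:
        print(f.pid, f.host, f.loaded, f.entry, '; '.join(f.reasons))
    print(crashes)
```

Two caveats from the runs above. The system32 regsvr32.exe (PID 872) writing into SysWOW64\regsvr32.exe (PID 4488) with the same /s command line is the 64-bit regsvr32 re-launching its 32-bit counterpart to register a 32-bit DLL, so that WriteProcessMemory signature reflects process creation rather than injection into an unrelated process. And UserInfo.dll under $PLUGINSDIR is a stock NSIS plugin that expects to be called from the installer with the NSIS stack set up, which is the likely reason the bare rundll32 invocation in behavioral5 ends in WerFault.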

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

125s

Max time network

130s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\defaults\preferences\instlPref.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\defaults\preferences\instlPref.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,17128687272012926844,9802527383925822781,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\bbylnDef.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\bbylnDef.js

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

138s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\btnInf.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\btnInf.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20240319-en

Max time kernel

121s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\mtrprt.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\mtrprt.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BabylonToolbar = "\"C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\BabylonToolbarsrv.exe\" /md I" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
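
The Run key and Browser Helper Object rows in this section, together with the COM class, type-library and BHO rows that regsvr32 wrote in behavioral30, are the persistence evidence in this report. The Python below is an added example, not part of the sandbox output, that parses rows in the tables' own <op> <registry path>[ = "<value>"] <process> <target> layout, normalises the BHO CLSID, splits the Run value into image and arguments, and flags a COM module or type-library path that points into a user-writable directory (the TypeLib win32 entry in behavioral30 resolves to BabylonToolbar.dll in the user's Temp folder). The sample rows are copied from the tables; the helper names and the list of user-writable path markers are the example's own assumptions.

```python
"""Parse the registry-event rows from this report's signature tables and pull out the
persistence indicators (BHO registration, Run key, COM module paths).  Added example:
the rows are copied from the tables above, the helpers are this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Row format: <op> <registry path>[ = "<value>"] <process> <target>
# The path may contain spaces; the value may contain \" and \\ escapes.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \(\w+\))\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
BHO_KEY = '\\CurrentVersion\\Explorer\\Browser Helper Objects\\'
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?$', re.I)
MODULE_KEY_RE = re.compile(r'\\(?:InprocServer32|win32)$', re.I)   # (Default) holds a DLL/TLB path
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')  # assumption


@dataclass
class RegEvent:
    op: str
    key: str
    name: str              # '' means the key's (Default) value
    value: Optional[str]
    process: str


def parse_row(line: str) -> Optional[RegEvent]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None                                   # e.g. the WriteProcessMemory rows
    if m['op'] == 'Key created':
        key, name = m['path'], ''
    else:
        key, _, name = m['path'].rpartition('\\')     # trailing '\' means (Default)
    value = m['value']
    if value is not None:
        value = re.sub(r'\\(["\\])', lambda esc: esc.group(1), value)   # undo \" and \\
    return RegEvent(m['op'], key, name, value, m['process'])


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (image, arguments), honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(' ')
    return image, args.strip()


def bho_registrations(events: List[RegEvent]) -> Dict[str, dict]:
    """CLSID -> {name, no_explorer, process} for every key under Browser Helper Objects."""
    bhos: Dict[str, dict] = {}
    for e in events:
        idx = e.key.lower().find(BHO_KEY.lower())
        clsid = CLSID_RE.search(e.key[idx + len(BHO_KEY):]) if idx >= 0 else None
        if not clsid:
            continue                                  # unrelated key, or the BHO parent key
        entry = bhos.setdefault(clsid.group(0).upper(),
                                {'name': None, 'no_explorer': False, 'process': e.process})
        if e.name == '' and e.value is not None:
            entry['name'] = e.value
        elif e.name.lower() == 'noexplorer':
            entry['no_explorer'] = e.value == '1'     # 1 = load in IE only, not in explorer.exe
    return bhos


def run_entries(events: List[RegEvent]) -> List[dict]:
    out = []
    for e in events:
        if e.value is not None and RUN_KEY_RE.search(e.key):
            image, args = split_command(e.value)
            out.append({'name': e.name, 'image': image, 'args': args, 'process': e.process})
    return out


def module_paths(events: List[RegEvent]) -> List[Tuple[str, str]]:
    return [(e.key, e.value) for e in events
            if e.name == '' and e.value and MODULE_KEY_RE.search(e.key)]


def triage(lines: List[str]) -> dict:
    events = [ev for ev in map(parse_row, lines) if ev]
    bhos, runs, mods = bho_registrations(events), run_entries(events), module_paths(events)
    findings = [f"BHO {c} '{i['name']}' registered by {i['process']}" for c, i in bhos.items()]
    findings += [f"COM/TypeLib module in user-writable path: {p}" for _, p in mods if is_user_writable(p)]
    findings += [f"Run key '{r['name']}' starts {r['image']} {r['args']}".rstrip() for r in runs]
    return {'events': events, 'bhos': bhos, 'run': runs, 'modules': mods, 'findings': findings}


# Constructed sample: rows copied verbatim from the behavioral30 and behavioral1 tables above.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B} C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bh\\BabylonToolbar.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BabylonToolbar = "\"C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\BabylonToolbarsrv.exe\" /md I" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A',
]

if __name__ == '__main__':
    print(*triage(SAMPLE_ROWS)['findings'], sep='\n')
```

The NoExplorer value is carried through because it changes where the BHO loads: NoExplorer = 1 means Internet Explorer loads it but explorer.exe does not. On a live host the same checks apply to the WOW6432Node Browser Helper Objects key (32-bit IE on 64-bit Windows) and to the native key, and the CLSID should be resolved through HKCR\CLSID\{...}\InprocServer32 to the DLL on disk before anything is removed.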

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\bbylnDef.js C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\vssver.scc C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Croatian.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\mj.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\it.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\defaults\preferences\instlPref.js C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\toolbarIcons_casino.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\mnRadio\rd_strp.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\vssver.scc C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\home.gif C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\cz.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\mtrprt.js C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\il.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Russian.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Spanish.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\ru.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\babylon.css C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\09.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\pl.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\fr.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\components\FFHst.dll C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarApp.dll C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\greenCard.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\sa.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\install.rdf C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\PPCB.js C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\logo.PNG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\he.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\ja.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\se.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Polish.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Turkish.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\vssver.scc C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\ae.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\bg.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\en.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\jp.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\mnRadio\Thumbs.db C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\bh\BabylonToolbar.dll C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\chrome.manifest C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\sv.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Thumbs.db C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\ch.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Chinese Simplified.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\pbggl.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\German.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\Thumbs.db C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\mnRadio\lines.gif C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\mnRadio\playBtn.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\btnInf.js C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Korean.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\translate.PNG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\uninstall.exe C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Hindi.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarEng.dll C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\babylon.xul C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\ro.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\components\FFHst.xpt C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\French.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\bbyln.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\help_16.gif C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\lottery.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\defaults\preferences\vssver.scc C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\${ELV_GUID} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\${ELV_GUID}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\${ELV_GUID}\AppName = "BabylonToolbarsrv.exe" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\${ELV_GUID}\AppPath = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC} = "Babylon Toolbar" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ = "IesrvXtrnl" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047} C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\TypeLib\Version = "1.0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AD25754E-D76C-42B3-A335-2F81478B722F}\ = "esrv" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D} C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CurVer C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\1.0 C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escrtBtn.1\ = "escrtBtn Object" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\0\win32 C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\Programmable C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\instlDay = "19828" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ = "IXtrnlBsc" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\TypeLib\Version = "1.0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\Programmable C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\TypeLib C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\FLAGS\ = "0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ProgID C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70} C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib\Version = "1.0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escrtBtn.1\CLSID C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\ = "IescrtHlpr" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ = "IRegmapDisp" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393} C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc.1\CLSID C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL\AppID = "{BDB69379-802F-4eaf-B541-F8DE92DD98DB}" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\1.0\ = "escortEng 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CurVer C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\LocalServer32\ = "\"C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\BabylonToolbarsrv.exe\"" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\InprocServer32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\bh\\BabylonToolbar.dll" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib\Version = "1.0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\FLAGS\ = "0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escrtBtn.1 C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ = "IEHostWnd" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\TypeLib C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe"

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe

"C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe" /RegServer

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nso477D.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

memory/1936-137-0x0000000001D50000-0x0000000001DBA000-memory.dmp

\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarEng.dll

MD5 ce5d74d6ac19e94164de0506d46b8ae8
SHA1 460787519719512980c651e12faea1ea0f248ba1
SHA256 b56d0b4d10fcf0d3a7b06880e8f0b25922f51b9fcf90aac5851e822a87ae44b1
SHA512 79bfb453bb6a259b847a7577a5f5549b65c472c9aff775b2a48bcf8f8cfc7dd6660354445523264f604de53c95238be2f1399e768538959192217262c565c350

memory/1936-132-0x0000000001D50000-0x0000000001DA1000-memory.dmp

\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarApp.dll

MD5 5f933c75510ce7064600770488159453
SHA1 fd431f71a4a06601df970c160c6f027cdb487454
SHA256 c3aa14523d496a8cb780e568e2dc8fbd52b18d252cdf9b5ec223b6d3788ce82a
SHA512 68a2eb4f5785cb3355409e662513fd54ecf6afea6fc67b18f3bbc7f0fd3724c7ade9bb0cafb2afa89d98fc8e81ecf4864de627bee65e44d0a3f50150deb55c86

memory/1936-127-0x0000000001D50000-0x0000000001D89000-memory.dmp

\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\bh\BabylonToolbar.dll

MD5 91bcffe9095dfe033125add31ee7ffc1
SHA1 2e62ade3fd726db37e23a16e6961433035a50d44
SHA256 5d2c82a9186fb144245456e12c55744c2ff2b38a50294bda6d881e66e18e9d46
SHA512 e666822cdbd9d6fa88b0936c6403c24d109aecdc28f78ebc27a73a17ee989600932ccafd6362b6687d473bd0c49d98f058076d91d985683f4a73df9fb464a19a

\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe

MD5 000a83380536df86efe77d020d812f96
SHA1 93ccca1325a0037ab108ea3417eeaf166d510b76
SHA256 97e8af15a48dbd5c2a57ef6b8bdbd135a47fe9a86570253206477990ed7cc29c
SHA512 7b96aeab7b725060094c841eb3208e9e17f1a3c41dd9dfefacb2f521794c10056ccc4191ee9390bced07c94474dcc36525e9057d1217ae574fe323cb48a62c28

memory/1936-19-0x00000000004E0000-0x000000000050F000-memory.dmp

\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarTlbr.dll

MD5 cf158fac1864ee97bfe3221285fec23a
SHA1 329020bc3cb47fab48a978df697aa1d1e919f117
SHA256 8d22f5c4b285edd6237712941a51c14036861d44e68760eb64a4325a9c4f90b8
SHA512 b412d067d5ed9b5b9d581220c71a307956d6a5427c37e0a033a145f42cc8845f1f6bfee71dfa577cb83a8d8b0408c8244994554be60881f0a85770d44675d072

\Users\Admin\AppData\Local\Temp\nso477D.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\PPCB.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\PPCB.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\tmplt.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\tmplt.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarApp.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\instlDay = "19828" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CLSID\ = "{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1\CLSID\ = "{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\afltId = "orgnl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\dfltLng = "EN" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CurVer\ = "bbylnApp.appCore.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BabylonToolbarApp.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1\ = "appCore Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\VersionIndependentProgID\ = "bbylnApp.appCore" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\ = "appCore Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\ = "escortApp 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\instlRef C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\sftId = "00bf88c37d2242638039d46bdd0c26aa" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ = "appCore Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BabylonToolbarApp.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ = "IappCore" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\prtnrId = "BabylonToolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ = "IappCore" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ProgID\ = "bbylnApp.appCore.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\cntrlId = "ac080de8000000000000d2ef31a6f606" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\hrdId = "ac080de8000000000000d2ef31a6f606" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2316 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3008 wrote to memory of 2316 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3008 wrote to memory of 2316 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarApp.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarApp.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

125s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3412 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4136,i,4410927054363474912,1110143490611443301,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\components\FFHst.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\components\FFHst.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\components\FFHst.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240226-en

Max time kernel

112s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe"

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ = "IRegmapDisp" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\ = "IReporter" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ = "escrtSrvc Object" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ProgID\ = "esrv.BabylonESrvc.1" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\ = "IIEWndFct" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ = "IxpEmphszr" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc\CurVer C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\ = "bbylntlbrCmn 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ = "IXmlCnfg" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc\CurVer\ = "esrv.BabylonESrvc.1" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\VersionIndependentProgID\ = "esrv.BabylonESrvc" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ = "IxpEmphszr" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ = "IRegmapDisp" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ProgID C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe

"C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
GB 216.58.201.106:443 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bh\BabylonToolbar.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escrtBtn.1\ = "escrtBtn Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\ProgID\ = "escort.escrtBtn.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ProgID\ = "escort.escortIEPane.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ = "escort" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ = "escortIEPane Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\ = "CescrtHlpr Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escrtBtn.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bh\\BabylonToolbar.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\VersionIndependentProgID\ = "escort.escortIEPane" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escrtBtn.1\CurVer\ = "escort.escrtBtn.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\AppID = "{BDB69379-802F-4eaf-B541-F8DE92DD98DB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\VersionIndependentProgID\ = "bbylntlbr.bbylntlbrHlpr" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\ = "escrtBtn Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ProgID\ = "bbylntlbr.bbylntlbrHlpr.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CLSID\ = "{2EECD738-5844-4a99-B4B6-146BF802613B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ = "babylonToolbar.com" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bh\\BabylonToolbar.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escrtBtn.1\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\Instance\InitPropertyBag C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\ = "IescrtBtn" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3718D0AF-A3B8-4F5E-86F3-FAD8D02043BE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\AppID = "{BDB69379-802F-4eaf-B541-F8DE92DD98DB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CurVer\ = "bbylntlbr.bbylntlbrHlpr.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\Instance\InitPropertyBag\URL = "about:blank" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "CescrtHlpr Object" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 2008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 2008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 2008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 2008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 2008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 2008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bh\BabylonToolbar.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\bh\BabylonToolbar.dll

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

91s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 4704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1328 wrote to memory of 4704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1328 wrote to memory of 4704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4704 -ip 4704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\mtrprt.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\mtrprt.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarEng.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\ = "IescrtAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BabylonToolbarEng.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\ = "IReporter" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ = "IesrvXtrnl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.xtrnl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\ = "escrtAx Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ = "IxpEmphszr" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ = "IappInfo" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ = "IXmlCnfg" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.xtrnl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2836 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2836 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2836 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2836 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2836 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2836 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2836 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarEng.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarEng.dll

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 228

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\components\FFHst.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 4052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 4052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 4052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\components\FFHst.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\components\FFHst.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarTlbr.dll

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC} = "Babylon Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BabylonToolbarTlbr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\TypeLib\ = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\ = "escorTlbr 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ProgID\ = "Babylon.dskBnd.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1\CLSID\ = "{98889811-442D-49dd-99D7-DC866BE87DBC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\ = "CDskBnd Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CurVer\ = "Babylon.dskBnd.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BabylonToolbarTlbr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1\ = "CDskBnd Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\VersionIndependentProgID\ = "Babylon.dskBnd" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CLSID\ = "{98889811-442D-49dd-99D7-DC866BE87DBC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ = "Babylon Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ = "CDskBnd Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3756 wrote to memory of 4776 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3756 wrote to memory of 4776 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3756 wrote to memory of 4776 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarTlbr.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarTlbr.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20231129-en

Max time kernel

117s

Max time network

119s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\PPCB.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\PPCB.js

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarTlbr.dll

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC} = "Babylon Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\ = "escorTlbr 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BabylonToolbarTlbr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BabylonToolbarTlbr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ProgID\ = "Babylon.dskBnd.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ = "CDskBnd Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CLSID\ = "{98889811-442D-49dd-99D7-DC866BE87DBC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CurVer\ = "Babylon.dskBnd.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\TypeLib\ = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ = "Babylon Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1\CLSID\ = "{98889811-442D-49dd-99D7-DC866BE87DBC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\VersionIndependentProgID\ = "Babylon.dskBnd" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1\ = "CDskBnd Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\ = "CDskBnd Object" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarTlbr.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarTlbr.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BabylonToolbar = "\"C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\BabylonToolbarsrv.exe\" /md I" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\PPCB.js C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\bbyln.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\toolbar_icons_games.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\cn.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\pbggl.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\fr.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\btnInf.js C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\logo.PNG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\il.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Japanese.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\us.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\mnRadio\chooseStation.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarApp.dll C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Hindi.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\vssver.scc C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\eg.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\jp.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Turkish.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\privecy_16_hot.gif C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\tellafriend.gif C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\gr.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\pl.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\09.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\help_16.gif C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\ae.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\mnRadio\rd_strp.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\defaults\preferences\instlPref.js C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\rd.htm C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Russian.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\arwDwn.gif C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\de.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\vssver.scc C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\ru.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\mnRadio\playBtn.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarEng.dll C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Chinese Simplified.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\no.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\ro.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\tr.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\German.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Thumbs.db C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\cz.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\pt.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\install.rdf C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\English.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Italian.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\uninstall.exe C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\babylon.xul C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Portuguese.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\se.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\nl.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\defaults\preferences\instlPref.js C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\bh\BabylonToolbar.dll C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarTlbr.dll C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Hebrew.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Spanish.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\flgs\ua.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Swedish.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\buy.gif C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\home.gif C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\Korean.JPG C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\lottery.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\content\imgs\mj.png C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\${ELV_GUID} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\${ELV_GUID}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\${ELV_GUID}\AppName = "BabylonToolbarsrv.exe" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\${ELV_GUID}\AppPath = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC} = "Babylon Toolbar" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1 C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ProgID\ = "bbylnApp.appCore.1" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.xtrnl.1\ = "escrtAx Object" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib\Version = "1.0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib\Version = "1.0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ = "escrtSrvc Object" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\0 C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\InprocServer32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\bh\\BabylonToolbar.dll" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\LocalServer32\ = "\"C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\BabylonToolbarsrv.exe\"" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\TypeLib\Version = "1.0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1\CLSID C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\0 C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B} C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32 C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CLSID C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ProgID C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc.1\CLSID\ = "{291BCCC1-6890-484a-89D3-318C928DAC1B}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ = "IXtrnlBsc" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8} C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib\Version = "1.0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escrtBtn.1\CLSID C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\AppID = "{BDB69379-802F-4eaf-B541-F8DE92DD98DB}" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\TypeLib C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AD25754E-D76C-42B3-A335-2F81478B722F}\ = "esrv" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\ProxyStubClsid32 C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78868069-5D96-4B47-BE52-3D625EE3D7CB}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\LocalServer32\ThreadingModel = "apartment" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ = "IEHostWnd" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\Version = "1.0" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\BabylonToolbarApp.dll" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\0\win32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\BabylonToolbarEng.dll\\2" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12E99ED-69BD-437C-86BE-C862B9E5444D} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ = "IwebAtrbts" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE} C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}\1.0\0\win32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\bh\\BabylonToolbar.dll" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ProxyStubClsid32 C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1 C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\AppID C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\VersionIndependentProgID\ = "Babylon.dskBnd" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.4.19.1\\BabylonToolbarTlbr.dll" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ = "IescrtSrvc" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}\Programmable C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\ = "escortApp 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\cntrlId = "78d0fb48000000000000eecc548c1f12" C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0394c619492f9ee8cc3ac34dc1454f9_JaffaCakes118.exe"

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe

"C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsi2943.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsi2943.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

memory/1280-21-0x00000000023D0000-0x00000000023FF000-memory.dmp

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarTlbr.dll

MD5 cf158fac1864ee97bfe3221285fec23a
SHA1 329020bc3cb47fab48a978df697aa1d1e919f117
SHA256 8d22f5c4b285edd6237712941a51c14036861d44e68760eb64a4325a9c4f90b8
SHA512 b412d067d5ed9b5b9d581220c71a307956d6a5427c37e0a033a145f42cc8845f1f6bfee71dfa577cb83a8d8b0408c8244994554be60881f0a85770d44675d072

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarsrv.exe

MD5 000a83380536df86efe77d020d812f96
SHA1 93ccca1325a0037ab108ea3417eeaf166d510b76
SHA256 97e8af15a48dbd5c2a57ef6b8bdbd135a47fe9a86570253206477990ed7cc29c
SHA512 7b96aeab7b725060094c841eb3208e9e17f1a3c41dd9dfefacb2f521794c10056ccc4191ee9390bced07c94474dcc36525e9057d1217ae574fe323cb48a62c28

memory/1280-126-0x0000000002410000-0x0000000002449000-memory.dmp

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\bh\BabylonToolbar.dll

MD5 91bcffe9095dfe033125add31ee7ffc1
SHA1 2e62ade3fd726db37e23a16e6961433035a50d44
SHA256 5d2c82a9186fb144245456e12c55744c2ff2b38a50294bda6d881e66e18e9d46
SHA512 e666822cdbd9d6fa88b0936c6403c24d109aecdc28f78ebc27a73a17ee989600932ccafd6362b6687d473bd0c49d98f058076d91d985683f4a73df9fb464a19a

memory/1280-134-0x00000000028B0000-0x0000000002901000-memory.dmp

memory/1280-142-0x00000000028B0000-0x000000000291A000-memory.dmp

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarEng.dll

MD5 ce5d74d6ac19e94164de0506d46b8ae8
SHA1 460787519719512980c651e12faea1ea0f248ba1
SHA256 b56d0b4d10fcf0d3a7b06880e8f0b25922f51b9fcf90aac5851e822a87ae44b1
SHA512 79bfb453bb6a259b847a7577a5f5549b65c472c9aff775b2a48bcf8f8cfc7dd6660354445523264f604de53c95238be2f1399e768538959192217262c565c350

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.1\BabylonToolbarApp.dll

MD5 5f933c75510ce7064600770488159453
SHA1 fd431f71a4a06601df970c160c6f027cdb487454
SHA256 c3aa14523d496a8cb780e568e2dc8fbd52b18d252cdf9b5ec223b6d3788ce82a
SHA512 68a2eb4f5785cb3355409e662513fd54ecf6afea6fc67b18f3bbc7f0fd3724c7ade9bb0cafb2afa89d98fc8e81ecf4864de627bee65e44d0a3f50150deb55c86

C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\defaults\preferences\instlPref.js

MD5 de4ceec95a42bec2e7e22f0be6b3b7cc
SHA1 adf6c33a754d8ddf5187a4567e948f20f88fdcb4
SHA256 6707b78a44f43f960b6213c5b3fcaf0628790668022e322cba39beab266944bf
SHA512 a1ee5a93bf4d4d39773864d3f88461fe43aa5cd431adc05fbcb26372a7aa8b7096f3e3f4ef9889e4e5d719d4766fc8a1e139928458b348e170618d821f2b7ee1

Analysis: behavioral24

Detonation Overview

Submitted 2024-04-15 03:41
Reported 2024-04-15 03:43
Platform win10v2004-20240412-en
Max time kernel 93s
Max time network 116s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarEng.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ = "IXmlCnfg" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\ = "IReporter" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ = "IappInfo" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.xtrnl.1\ = "escrtAx Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.xtrnl\CLSID\ = "{B8276A94-891D-453C-9FF3-715C042A2575}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\ = "IescrtAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ = "IwebAtrbts" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\ = "IReporter" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ = "IRegmapDisp" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\ = "IescrtAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ = "Ixtrnlmain" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ = "IXtrnlBsc" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.xtrnl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4680 wrote to memory of 3508 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4680 wrote to memory of 3508 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4680 wrote to memory of 3508 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarEng.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarEng.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted 2024-04-15 03:41
Reported 2024-04-15 03:43
Platform win7-20240221-en
Max time kernel 120s
Max time network 123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\tmplt.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\tmplt.js

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted 2024-04-15 03:41
Reported 2024-04-15 03:43
Platform win7-20240221-en
Max time kernel 118s
Max time network 121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\defaults\preferences\instlPref.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\defaults\preferences\instlPref.js

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted 2024-04-15 03:41
Reported 2024-04-15 03:43
Platform win7-20240221-en
Max time kernel 119s
Max time network 123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarApp.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\instlDay = "19828" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CLSID\ = "{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BabylonToolbarApp.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\instlRef C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\sftId = "270e5b14bcae447d83d3cd229fd93767" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1\ = "appCore Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\ = "escortApp 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\ = "appCore Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ProgID\ = "bbylnApp.appCore.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\VersionIndependentProgID\ = "bbylnApp.appCore" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\hrdId = "b0e93f760000000000006a83d32c515e" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\prtnrId = "BabylonToolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ = "IappCore" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ = "appCore Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BabylonToolbarApp.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1\CLSID\ = "{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\dfltLng = "EN" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\afltId = "orgnl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ = "IappCore" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CurVer\ = "bbylnApp.appCore.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\cntrlId = "b0e93f760000000000006a83d32c515e" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarApp.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BabylonToolbarApp.dll

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted 2024-04-15 03:41
Reported 2024-04-15 03:43
Platform win7-20240221-en
Max time kernel 120s
Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ProgID C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc\CurVer C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\TypeLib\ = "{AD25754E-D76C-42B3-A335-2F81478B722F}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ = "IXmlCnfg" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\0 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ = "Ixtrnlmain" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc.1\ = "escrtSrvc Object" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\VersionIndependentProgID\ = "esrv.BabylonESrvc" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\0 C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\BabylonToolbarsrv.exe\"" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ = "IxpEmphszr" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\AppID = "{AD25754E-D76C-42B3-A335-2F81478B722F}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\ = "IIEWndFct" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ = "IRegmapDisp" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393} C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe

"C:\Users\Admin\AppData\Local\Temp\BabylonToolbarsrv.exe"

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\bbylnDef.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\bbylnDef.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-15 03:41

Reported

2024-04-15 03:43

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\btnInf.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_13_\extensions\[email protected]\content\btnInf.js

Network

N/A

Files

N/A