Malware Analysis Report

2025-08-05 21:08

Sample ID: 241021-rfcq2awgpd
Target: d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N
SHA256: d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12
Tags: discovery evasion persistence spyware stealer trojan
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12

Threat Level: Shows suspicious behavior

The file d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery evasion persistence spyware stealer trojan

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Modifies Internet Explorer start page

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-21 14:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-21 14:07
Reported: 2024-10-21 14:09
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\DSearchLink.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\DSearchLink.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\DSearchLink.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bb4C1D.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bb4C1D.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Bb4C1D.exe | N/A

Browser Information Discovery

Tags: discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IELowutil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bb4C1D.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\DSearchLink.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B}\AlternateCLSID = "{29D5EC7E-6245-4DC9-9E53-A9A945AD4ABB}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{48E59293-9880-11CF-9754-00AA00C00908} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000008cc9bed7debc970b43f0122dd6f911da3e3de10a5b41d09d938bc6e27fb3078a000000000e8000000002000020000000ef14d23285fd9b93ae63ecbb0be6b7b4b9655a8ab0127bb792c15ba3afab7e1110000000773ee1810740dd4bf2dfcbdad9bc6c6140000000ac39800e46c9884edc4c0b78add62093803b199dc933f3e4051c9e2e38d3dc63b3d45e61c5f78f457cfb42e34532314c25f5855f447f3ff4c79f6fc3ba3c38b5 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{25A3C2C9-8F6E-4140-BEF3-535D4B9709D8}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53749718-F78D-4A67-8703-8AE050075170} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{E44F7BD4-3AB1-4D55-9190-FC53343AD2D2}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53749718-F78D-4A67-8703-8AE050075170}\AlternateCLSID = "{25A3C2C9-8F6E-4140-BEF3-535D4B9709D8}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\AlternateCLSID = "{2B577565-36F7-4351-B2E7-DAFC75E9D72A}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000013245be2b5a0e12dc7ee640a5728d9132dc4e6f7cb2c5ab824d78fcb99c6ef5a000000000e80000000020000200000003fe267ccda4aea174a72790642f260fb78b3fef1b7a244af724de7c9fb96ed12100000008ca7f42e0b81ede78d78789558a7b6ff40000000474d2ff90d35e4db6a1bc3b2214ea790e637e9d1403162c9afda3be871ec5d7940190a39da78424e2f93021f641b690809ea89b3a2bbe53cd3df627ec6aa198b | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000001e13aef618cceeb1edaa4a610514d79a7b416903d34dc843a612acac71d2c7e7000000000e80000000020000200000005766ff1159fd8ab8ac809dc12e7d932b34595868eb94fd9ffabfd2f2d9035ef1100000003846f8fae7236078bf655e4fa400c21840000000469aff0748a1ab5942afe4bb23e36f5a2ce14693adfac7005d4e5386a998ed146de90263ff7c4e69e27945e42b59f1903500240a24cd8d5ae1114559876372a7 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000003e2a9e5b9ddde62af0cf2714c12fe95f962f1acda3ab51d7eb86e14ce386a015000000000e80000000020000200000005460530e1a5fb5ad7829b58605d5500525bd878b5d9acabcdc18774a8e81495e1000000090c43259edfb1acd35ad0e15ab1670e240000000abcf8c84753992423fbb392ec59ccb669cbfc120ea17b45927a45739d7b26a7b8d6be295c19fea7bff92a5578d655329365a9034a478850ef086d734fd12c218 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000c360414714ff40700415b26fd8d1d6ab370d3bfda37afd6364c8b84aafe5ca20000000000e800000000200002000000009e7ee0dfa0855724ecf412d3000e2bbf66bbae3e267b1e6f3239014a54690481000000047b12f1bfa8386c93b52837a6de6956c40000000025454263fc205392e4d97c52818196a4653555e7bbdbf15e74465e7a1c064ab653ae5319680eeaa2ea11214b71e0f18f43382b01160a0820662d59716b50f69 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}\AlternateCLSID = "{962F28D6-107D-47A5-9515-2864454CFDD1}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}\AlternateCLSID = "{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{48E59293-9880-11CF-9754-00AA00C00908}\AlternateCLSID = "{E2D211D5-11E4-4D9E-B6DB-1E902C851A49}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000d52261bbd9784c3afbcba0304097012359ec3c6d6c94706f87c5cfecd3645861000000000e80000000020000200000002284bed94f47e04a9d8a09620444631f619ab23aae459b42277403146162aa741000000099aa2eeb561c4b509d6cc0ddc92ec2774000000003ee5ae7decff5ea7095c44a1344da24c68dd7821a8339e3962fe91bfda75b0fe38019c83f3c47a5727259397f40c8360f618994e5cbd81a8e0d8232af216c87 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53749718-F78D-4A67-8703-8AE050075170}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{80B51087-CE4C-4FAE-8401-B6B3809DD234}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{612685EF-57C8-469F-88AB-E4E0B595C5AB}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}\AlternateCLSID = "{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{48E59293-9880-11CF-9754-00AA00C00908}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{962F28D6-107D-47A5-9515-2864454CFDD1}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004}\AlternateCLSID = "{29D5EC7E-6245-4DC9-9E53-A9A945AD4ABB}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Delta Search" | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000006068908fde9009bd43a987ec0b0b775dc6b91e27691539259f882820fe709ef5000000000e80000000020000200000001cd570962aa919d3553c7375b57ceed267499fc33bcec97ac988cdbcdb6a6cc710000000f6cc1c4b39b6c7d1c5e56c88aa5153d94000000060829acfa3c40d09f83f3f0dc98d3c9272797f292529a02207be06a956d9b60a778d5fae5446cd9cab586666797e11230cca9cc260f95e6e9f9fe6d7d819fa92 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://www.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=5FDEC60424AAF5E1&tsp=9061" | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000041e903fb31b8b63c143bea0f9411546cc3eb713284c1829d670427ebf2f6f2e5000000000e8000000002000020000000a5147a6b314b7daa7dd841f6df7b1f3cccaee35bd3f1d41b3451454fb472b2a6100000008e3492dcdf9e05b6562e434f0b6a3ceb40000000f6613bbd09d950456400fc44450842097b9ab8ca08f49cdee5e49178c7c638bee8dd67f7ac6de42843a8d5f67b4942ca0297c85d6b5fc5755db9106917f67461 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000ac4ca84bdd6295dbc55d33de18a63752456583621d6770e88b3e06aeb28f5449000000000e80000000020000200000006538bbf3dd385a6f35c965a8cea6bf009873f26cc08c285e0f0f0f94723a305a10000000f27e9fbb2bf9b4e724d1ed5b29e4119a40000000cce2387a0c077b26149641aba27d24508219f51ab57d48908f4c4d03ec35928c46a8ff21cadacf3cccfd38476a9133366594897c1ba7b8bbfbd1d19f6d0e04f6 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000c84f853e3c8d189588726960ddf37dacc9b387c0c6172b3f8458705815ea6407000000000e8000000002000020000000c6d2a55a397a1c65e379248c235f6a93d975a015a3e7236e3f20d6fe20287064100000008adfd8b6603ea1c4ae84cda5d1aa69ea40000000fc9f65d4acce63cc1751e2dd32bf38aab135e52ff995e82b7d99c7d55dda0b4bbb2aa13747d66e9021c5a4641c77eb8c4eb5c6ddc0dcdfac68353a5fe6a12b0c | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000027d74625637c9977025d908e523a8c62b387bbe0ee0856c0de8d6cb856f559b1000000000e8000000002000020000000c97fe3be2bc51e04a7294c83ae5270143afccf9733cb77144521712ac7fc6083100000001873163facea87b08fa39e24b6e00479400000004634a936811e872e1ba08b14aec7a4c6d77895ec68cf50b7e0959389e02b1bc9fd3a9ff30a7d1a4c34868bfcdad4c2fec83ec22b8aed0cacc89299912660f9b1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000041eb1697224cd5afb57a87233662fbcf94a84493f79e7ec86cf61e1fd4e7e30000000000e8000000002000020000000a4771b37e9d06717149719492dc675083b474730d94d1d24cfc0a71daee395c210000000d86a66e0aaa1f8d7b20bdc0d849775c94000000008bbd1dacf8879dbf61fb4285efb030cc224feb790ae0e22172557473e472bfe36419a956603490c191232554784e6bdf3296cd1a29115d7d7f05075839c8a75 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000003ba7b45892d38edede34ffbde7efd16f0bf068777568c34244cd112373670453000000000e8000000002000020000000cb483fa386ac0bab78bb057a0da1a0c7ac8f3c3670a8ff4712b8e8491fa8bbbc10000000cc9a8edcd9f7bd6064a07293fe0b697540000000c2014da19b13cf40c2e293f6de5b442d8a7428979239c954123cb80984fa6d6c4fdbd78495837cc166a28da6c2694489170b7bcde2485010a6c2ebffdcd85617 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000007f50415414b2584272b30ab349d0605aad3d8699e918b2a66e039492a87f3531000000000e80000000020000200000000d47ec6bc630cfd399bffcbbd81a67405987ba1c9728bdc6aa8b66caaeaa6b3110000000502e8693dcee676d5de6b9d1bf26af2a40000000be05de414ebe3128b359748b538a3e37f43104d13863ba1be6a5caa2007767447313e11153e2f19eb213703f44abcbb0557b026e71c6adef7f68c1361eb81083 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A

Modifies Internet Explorer start page

Tags: stealer

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.delta-search.com/?babsrc=HP_ss&mntrId=5FDEC60424AAF5E1&tsp=9061" | C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\VersionIndependentProgID\ = "COMCTL.TabStrip" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}\ProgID | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E80-DF38-11CF-8E74-00A0C90F26F8} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\ = "InetCtls.Inet" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.TabStrip\CLSID\ = "{9ED94440-E5E8-101B-B9B5-444553540000}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2C787A50-E01C-11CF-8E74-00A0C90F26F8} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8B1-850A-101B-AFC0-4210102A8DA7}\ = "IColumnHeader10" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A3-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.TreeCtrl\CurVer | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8628-0FB3-11CE-8747-524153480004} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53749718-F78D-4A67-8703-8AE050075170} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612685EF-57C8-469F-88AB-E4E0B595C5AB}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}\ProgID\ = "COMCTL.SBarCtrl.1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.4" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8D0-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.4" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D}\MiscStatus\1\ = "131473" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE | N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\ = "Microsoft ImageList Control, version 5.0 (SP2)" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B7E6393-850A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83602-895E-11D0-B0A6-000000000000}\ = "IListItem" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B577565-36F7-4351-B2E7-DAFC75E9D72A}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612685EF-57C8-469F-88AB-E4E0B595C5AB}\Control C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACBB956-5C57-11CF-8993-00AA00688B10}\ = "ListView Sort Property Page Object" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{612A8625-0FB3-11CE-8747-524153480004}\ = "IToolbar10" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E8C-DF38-11CF-8E74-00A0C90F26F8}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\ = "IListItem11" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E8E-DF38-11CF-8E74-00A0C90F26F8}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53749718-F78D-4A67-8703-8AE050075170}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{962F28D6-107D-47A5-9515-2864454CFDD1}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Slider.1\CLSID C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.4" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7791BA40-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DA8D90-9D6A-101B-AFC0-4210102A8DA7}\ = "IImageList10" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E44F7BD4-3AB1-4D55-9190-FC53343AD2D2}\Control C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\TypeLib\Version = "1.4" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E944-850A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E8E-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.4" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{373FF7F1-EB8B-11CD-8820-08002B2F4F5A}\TypeLib\Version = "1.4" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29D5EC7E-6245-4DC9-9E53-A9A945AD4ABB}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B7E6392-850A-101B-AFC0-4210102A8DA7}\1.4\HELPDIR C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E8A-DF38-11CF-8E74-00A0C90F26F8}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E84-DF38-11CF-8E74-00A0C90F26F8}\ = "IProgressBar" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D95-9D6A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80B51087-CE4C-4FAE-8401-B6B3809DD234}\Version\ = "1.4" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.TreeCtrl.1 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97992019-74A6-46C7-9CA3-7F8C0D39940B}\MiscStatus\1 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B7E6391-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2D211D5-11E4-4D9E-B6DB-1E902C851A49}\MiscStatus\1 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bb4C1D.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bb4C1D.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
PID 2352 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe
PID 2656 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe
PID 2740 wrote to memory of 1412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 2896 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe
PID 2816 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\DSearchLink.exe
PID 2816 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe C:\Users\Admin\AppData\Local\Temp\Bb4C1D.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe

"C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe /mtb=7 /mhp=7 /mnt=7 /mds=7 /aflt=babsst /babTrack="affID=121529" /srcExt=ss /S /instlRef=sst

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe" -xprm="cat=delta" -expg=none /mtb=7 /mhp=7 /mnt=7 /mds=7 /aflt=babsst /babTrack="affID=121529" /srcExt=ss /S /instlRef=sst

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\4008E0~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe -latest -tsp=9061 -xprm="cat=delta" -expg=none /mtb=7 /mhp=7 /mnt=7 /mds=7 /aflt=babsst /babTrack="affID=121529" /srcExt=ss /S /instlRef=sst

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\4008E0~1\Latest\IEHelper.dll,RunAccelerator

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\DSearchLink.exe

"C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\DSearchLink.exe" -setup 3 -wbr 1 -url http://www.delta-search.com/?babsrc=HP_ss&mntrId=5FDEC60424AAF5E1&tsp=9061

C:\Users\Admin\AppData\Local\Temp\Bb4C1D.exe

"C:\Users\Admin\AppData\Local\Temp\Bb4C1D.exe" affID= dlb=1 slp=0 slppd=3 tmfst=5 mxpd=5 slpcr=2

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\4008E0~1\IEHelper.dll,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

Network

Country Destination Domain Proto
N/A 127.0.0.1:9876 tcp
US 8.8.8.8:53 info.babylon.com udp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 dl.babylon.com udp
US 198.143.128.244:80 dl.babylon.com tcp
US 8.8.8.8:53 stat.info-stream.net udp
US 184.154.27.232:80 stat.info-stream.net tcp
US 184.154.27.232:80 stat.info-stream.net tcp
US 198.143.128.244:80 dl.babylon.com tcp
US 198.143.128.244:80 dl.babylon.com tcp
US 184.154.27.232:80 stat.info-stream.net tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 a334.http.cdn.softlayer.net udp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE

memory/2352-24-0x0000000004210000-0x0000000004CCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\comctl32.Ocx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSINET.Ocx

\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe

\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Setup.exe

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\SetupStrings.dat

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\bab033.tbinst.dat

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Babylon.dat

C:\Users\Admin\AppData\Local\Temp\4008E0~1\IEHelper.dll

memory/1412-65-0x0000000000C90000-0x0000000000C92000-memory.dmp

memory/2740-66-0x0000000000220000-0x0000000000222000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\sqlite3.dll

C:\Users\Admin\AppData\Local\Babylon\Setup\latest.zpb

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\HtmlScreens\navError.html

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\HtmlScreens\loading.html

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\BExternal.dll

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\HtmlScreens\pBar.gif

\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\Setup.exe

\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\browserDetection.dll

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\browserDetection.aoi

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KQ9FP4U1.txt

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\delta_dmn_154741b7.zpb

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\kmsdelta_ac84bf20.zpb

C:\Users\Admin\AppData\Local\Temp\4008E0~1\Latest\IEHelper.dll

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\setup2_247f86be.zpb

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\setup2.aof

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\buscts_fa14b1f9.zpb

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\buscts.aof

\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\buscts.dll

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\GUninstaller_vt_58c82ec6.zpb

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\DSearchLink_31d48ae8.zpb

C:\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\DSearchLink.aof

\Users\Admin\AppData\Local\Temp\4008E022-BAB0-7891-929F-7317F4C3E0A8\Latest\DSearchLink.exe

C:\ProgramData\DSearchLink\Search.lnk

C:\Users\Admin\AppData\Local\Temp\Bb4C1D.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 14:07

Reported

2024-10-21 14:09

Platform

win10v2004-20241007-en

Max time kernel

116s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\DSearchLink.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\DSearchLink.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{E44F7BD4-3AB1-4D55-9190-FC53343AD2D2}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{48E59293-9880-11CF-9754-00AA00C00908} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Delta Search" C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{962F28D6-107D-47A5-9515-2864454CFDD1}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}\AlternateCLSID = "{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004}\AlternateCLSID = "{29D5EC7E-6245-4DC9-9E53-A9A945AD4ABB}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{25A3C2C9-8F6E-4140-BEF3-535D4B9709D8}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53749718-F78D-4A67-8703-8AE050075170}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{80B51087-CE4C-4FAE-8401-B6B3809DD234}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B}\AlternateCLSID = "{29D5EC7E-6245-4DC9-9E53-A9A945AD4ABB}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{48E59293-9880-11CF-9754-00AA00C00908}\AlternateCLSID = "{E2D211D5-11E4-4D9E-B6DB-1E902C851A49}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://www.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=DC8EDA61A5E71E4E&tsp=9061" C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53749718-F78D-4A67-8703-8AE050075170}\AlternateCLSID = "{25A3C2C9-8F6E-4140-BEF3-535D4B9709D8}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}\AlternateCLSID = "{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53749718-F78D-4A67-8703-8AE050075170} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}\AlternateCLSID = "{962F28D6-107D-47A5-9515-2864454CFDD1}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D}\AlternateCLSID = "{80B51087-CE4C-4FAE-8401-B6B3809DD234}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{612685EF-57C8-469F-88AB-E4E0B595C5AB}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\AlternateCLSID = "{2B577565-36F7-4351-B2E7-DAFC75E9D72A}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{48E59293-9880-11CF-9754-00AA00C00908}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=121529|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.delta-search.com/?babsrc=HP_ss&mntrId=DC8EDA61A5E71E4E&tsp=9061" C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B7E6391-850A-101B-AFC0-4210102A8DA7}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E8E-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.4" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.TabStrip.1\CLSID\ = "{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97992019-74A6-46C7-9CA3-7F8C0D39940B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E451-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.4" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D96-9D6A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.SBarCtrl C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{612A8626-0FB3-11CE-8747-524153480004}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8B1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83602-895E-11D0-B0A6-000000000000} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8B0-850A-101B-AFC0-4210102A8DA7}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A7-850A-101B-AFC0-4210102A8DA7}\ = "INodes10" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A7-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D83604-895E-11D0-B0A6-000000000000}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D94-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA42-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.4" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\VersionIndependentProgID\ = "COMCTL.ProgCtrl" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E451-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A4-850A-101B-AFC0-4210102A8DA7} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8556BCD0-E01E-11CF-8E74-00A0C90F26F8}\ = "IImages" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97992019-74A6-46C7-9CA3-7F8C0D39940B}\MiscStatus\1\ = "237969" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9ED94442-E5E8-101B-B9B5-444553540000}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA60-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E82-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80B51087-CE4C-4FAE-8401-B6B3809DD234}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{962F28D6-107D-47A5-9515-2864454CFDD1}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E63A3-850A-101B-AFC0-4210102A8DA7}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A5-850A-101B-AFC0-4210102A8DA7}\ = "INode10" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B7E6390-850A-101B-AFC0-4210102A8DA7}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{962F28D6-107D-47A5-9515-2864454CFDD1}\ProgID\ = "COMCTL.SBarCtrl.1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B7E6391-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A3-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D8C-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83602-895E-11D0-B0A6-000000000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D8B-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl\ = "Microsoft ListView Control, version 5.0 (SP2)" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94444-E5E8-101B-B9B5-444553540000} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53749718-F78D-4A67-8703-8AE050075170}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.SBarCtrl.1\CLSID C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C787A52-E01C-11CF-8E74-00A0C90F26F8}\ = "IPanel11" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\Version\ = "1.4" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{962F28D6-107D-47A5-9515-2864454CFDD1}\Version C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E953-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D} C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bb246B.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3544 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
PID 3544 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
PID 3544 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
PID 2796 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe
PID 2796 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe
PID 2796 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe
PID 640 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe
PID 640 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe
PID 640 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe
PID 1812 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe
PID 1812 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe
PID 1812 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe
PID 3872 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Windows\SysWOW64\rundll32.exe
PID 3872 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Windows\SysWOW64\rundll32.exe
PID 3872 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Windows\SysWOW64\rundll32.exe
PID 3872 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\DSearchLink.exe
PID 3872 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\DSearchLink.exe
PID 3872 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\DSearchLink.exe
PID 3872 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Users\Admin\AppData\Local\Temp\Bb246B.exe
PID 3872 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Users\Admin\AppData\Local\Temp\Bb246B.exe
PID 3872 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Users\Admin\AppData\Local\Temp\Bb246B.exe
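The WriteProcessMemory rows above are the only place in this report where parent and child PIDs appear together, so they are what an analyst reconstructs the execution chain from: the submitted sample drops an IExpress-style self-extractor into IXP000.TMP, which launches DeltaTB.exe, which stages Setup.exe, which runs a second Setup.exe from Latest\ that finally spawns rundll32.exe, DSearchLink.exe and Bb246B.exe. The following script is an added example, not part of the sandbox report or of the sample's own code. It parses an abridged, constructed copy of the rows above (the sandbox records each parent-to-child hop three times; the first hop is kept in full so the de-duplication is exercised, and paths here contain no spaces, which the regex relies on), rebuilds the process tree, and flags the one hop where a binary running from a user-writable directory launches a Windows system binary. The two path lists used for that check are assumptions chosen for this sample, not sandbox fields.

```python
import re
from collections import defaultdict

# One report row: "PID <parent> wrote to memory of <child> N/A <parent image> <child image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed sample: the WriteProcessMemory rows of this report, abridged
# (first hop kept in triplicate as logged, remaining hops listed once each).
WPM_ROWS = r"""
PID 3544 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
PID 3544 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
PID 3544 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
PID 2796 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe
PID 640 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe
PID 1812 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe
PID 3872 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Windows\SysWOW64\rundll32.exe
PID 3872 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\DSearchLink.exe
PID 3872 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe C:\Users\Admin\AppData\Local\Temp\Bb246B.exe
"""

# Assumed path classes for the hop check (analyst choice, not a sandbox field).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\programdata\\")


def parse_rows(text):
    """Return de-duplicated (ppid, cpid, parent_image, child_image) tuples in report order."""
    seen, events = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m or (int(m[1]), int(m[2])) in seen:
            continue
        seen.add((int(m[1]), int(m[2])))
        events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events):
    """Return (pid -> image, pid -> child pids, root pids) from the hop list."""
    images, children, child_pids = {}, defaultdict(list), set()
    for ppid, cpid, pimg, cimg in events:
        images.setdefault(ppid, pimg)
        images[cpid] = cimg
        children[ppid].append(cpid)
        child_pids.add(cpid)
    roots = sorted(p for p in images if p not in child_pids)
    return images, dict(children), roots


def render(images, children, pid, depth=0):
    """Indented text rendering of the subtree rooted at pid."""
    lines = [f"{'  ' * depth}{pid} {images[pid]}"]
    for c in children.get(pid, []):
        lines.extend(render(images, children, c, depth + 1))
    return lines


def chain_depth(images, children, pid):
    """Number of process generations from pid down to its deepest descendant."""
    kids = children.get(pid, [])
    return 1 + (max(chain_depth(images, children, k) for k in kids) if kids else 0)


def temp_to_system_hops(events):
    """Hops where a parent in a user-writable directory launches a Windows system
    binary; in this report that is Latest\\Setup.exe starting SysWOW64\\rundll32.exe."""
    hops = []
    for ppid, cpid, pimg, cimg in events:
        p, c = pimg.lower(), cimg.lower()
        if any(d in p for d in USER_WRITABLE) and c.startswith(SYSTEM_DIRS):
            hops.append((ppid, cpid, cimg))
    return hops


if __name__ == "__main__":
    ev = parse_rows(WPM_ROWS)
    images, children, roots = build_tree(ev)
    for r in roots:
        print("\n".join(render(images, children, r)))
    print("user-writable -> system binary hops:", temp_to_system_hops(ev))
```

Run stand-alone it prints the six-generation chain rooted at PID 3544 and the single flagged hop 3872 -> 3128 (rundll32.exe). The rundll32 command lines in the Processes list below show why that hop matters: the system binary is being used to load IEHelper.dll out of the same Temp directory, which is the pattern a detection rule keyed on parent path plus child image name would catch.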

Processes

C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe

"C:\Users\Admin\AppData\Local\Temp\d87fc5494a69255c544bce1f314d527714570e24d4c5dcc75f3d00053f982e12N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe /mtb=7 /mhp=7 /mnt=7 /mds=7 /aflt=babsst /babTrack="affID=121529" /srcExt=ss /S /instlRef=sst

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe" -xprm="cat=delta" -expg=none /mtb=7 /mhp=7 /mnt=7 /mds=7 /aflt=babsst /babTrack="affID=121529" /srcExt=ss /S /instlRef=sst

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\D34FFA~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe -latest -tsp=9061 -xprm="cat=delta" -expg=none /mtb=7 /mhp=7 /mnt=7 /mds=7 /aflt=babsst /babTrack="affID=121529" /srcExt=ss /S /instlRef=sst

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\D34FFA~1\Latest\IEHelper.dll,RunAccelerator

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\DSearchLink.exe

"C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\DSearchLink.exe" -setup 3 -wbr 1 -url http://www.delta-search.com/?babsrc=HP_ss&mntrId=DC8EDA61A5E71E4E&tsp=9061

C:\Users\Admin\AppData\Local\Temp\Bb246B.exe

"C:\Users\Admin\AppData\Local\Temp\Bb246B.exe" affID= dlb=1 slp=0 slppd=3 tmfst=5 mxpd=5 slpcr=2

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\D34FFA~1\IEHelper.dll,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 127.0.0.1:9876 N/A tcp
US 8.8.8.8:53 info.babylon.com udp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 dl.babylon.com udp
US 198.143.128.244:80 dl.babylon.com tcp
US 8.8.8.8:53 235.27.154.184.in-addr.arpa udp
US 8.8.8.8:53 232.27.154.184.in-addr.arpa udp
US 8.8.8.8:53 stat.info-stream.net udp
US 184.154.27.232:80 stat.info-stream.net tcp
US 8.8.8.8:53 244.128.143.198.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 184.154.27.232:80 stat.info-stream.net tcp
US 198.143.128.244:80 dl.babylon.com tcp
US 198.143.128.244:80 dl.babylon.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 184.154.27.232:80 stat.info-stream.net tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 a334.http.cdn.softlayer.net udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
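Roughly half of the Network rows above are not indicators: the in-addr.arpa entries are the sandbox's own reverse lookups of the peers it just saw, the 8.8.8.8:53 rows are resolver traffic rather than contact with the resolved host, the loopback connection never leaves the machine, and the bing.com/bing.net traffic is generated by the Windows image itself. What is left is the installer's own infrastructure, and one detail only becomes visible once the rows are grouped by endpoint: stp.babylon.com and stat.info-stream.net both resolve to 184.154.27.232:80. The script below is an added example, not part of the report, that performs that triage over a constructed copy of the rows above. The background-domain list is an analyst assumption supplied for this sample, and rows with three fields (the loopback row, which has no Domain value) are accepted alongside four-field rows.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of this report's Network table, copied as printed.
NET_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 127.0.0.1:9876 tcp
US 8.8.8.8:53 info.babylon.com udp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 dl.babylon.com udp
US 198.143.128.244:80 dl.babylon.com tcp
US 8.8.8.8:53 stat.info-stream.net udp
US 184.154.27.232:80 stat.info-stream.net tcp
US 184.154.27.232:80 stat.info-stream.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

RESOLVER = "8.8.8.8:53"
# Assumption: domains the analyst attributes to the sandbox image, not the sample.
BACKGROUND = ("bing.com", "bing.net")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:                    # row with an empty Domain column
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_background(domain):
    return domain is not None and any(
        domain == b or domain.endswith("." + b) for b in BACKGROUND)


def extract_iocs(rows):
    """Return (domains looked up, {(ip, port, proto): [domains]} contacted, rows dropped as noise)."""
    queried, contacts, dropped = set(), defaultdict(set), []
    for r in rows:
        d = r["domain"]
        if d and d.endswith(".in-addr.arpa"):     # sandbox reverse lookup of a peer
            dropped.append(r)
            continue
        if ipaddress.ip_address(r["ip"]).is_loopback:
            dropped.append(r)
            continue
        if is_background(d):
            dropped.append(r)
            continue
        if f'{r["ip"]}:{r["port"]}' == RESOLVER:  # DNS query: keep the name, not 8.8.8.8
            queried.add(d)
        else:                                     # actual connection to the resolved host
            contacts[(r["ip"], r["port"], r["proto"])].add(d)
    return queried, {k: sorted(v) for k, v in contacts.items()}, dropped


def shared_endpoints(contacts):
    """Endpoints that more than one domain resolved to (shared hosting or one operator)."""
    return {k: v for k, v in contacts.items() if len(v) > 1}


if __name__ == "__main__":
    queried, contacts, dropped = extract_iocs(parse_rows(NET_ROWS))
    print("queried:", sorted(queried))
    for ep, names in sorted(contacts.items()):
        print("contact:", ep, names)
    print("shared:", shared_endpoints(contacts))
    print("dropped rows:", len(dropped))
```

The output is a short list of four domains and three endpoints on port 80, which is what belongs in a blocklist or a retrohunt; the dropped rows stay available so the decision to discard each one can be reviewed rather than silently lost.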

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE

MD5 0f3b66c16ca1044b8867921a4664015a
SHA1 f3c3e44f8c4cf287194a557309dd3734db2b6976
SHA256 efdf55bb626d5dd621f2b65b26bfb9d7f251dfbea9c8dca397592a41f586b522
SHA512 194167f7acac23b94f39335d85c0cf3b4a357c392042f89b241410c14d19365c9b01ea65d70889306ef6226ba200a7f64069b7228f543bfcd30c4af98bc9ab17

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\comctl32.Ocx

MD5 1fe8ce3f5288bd3d53d188307bc7b218
SHA1 a9f02a6a5effe3b9043a77fd8b56b1720a7c32be
SHA256 ba86931d5386cf5311a6b62a619c9c8f2983e37d2ce752b21106570121c8fd32
SHA512 c5fcd3f1f04e9a0aa0944b6feddc498ffa4d28a7b1a38e2d5674d28318cd666d14954eae06f9d0181639b5ce57097d0d47d9ad2ff20f1e93450b91db24cd9603

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSINET.Ocx

MD5 b920865c9c2f4f28151b269b3a8b11aa
SHA1 3a010883d5c1d4cce968c020f51e1961e3651bbe
SHA256 b1212253d0c2b96dbdc6985b93338be288b0c8d827481f9c607dde5bdfdbfc6b
SHA512 a463377b6a612a9ee82b4d2891b8d01df1b2770e40d8065e5d3e8a33b62171cbeead589599728d3349e4222b2207bb1b293b6510de26eb5820cac6cf284d526f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeltaTB.exe

MD5 9ade7a15bf99b343354e1faeb47fab67
SHA1 eab3a867fd239ad7d1d5416e8139d3d71f4140fa
SHA256 2bbe800ce4ec5302187e5ad6fad0688e9008e093a8be1ca2ca479db46576b0ed
SHA512 be61865c8f256d92597f37ee746d3743b46538969908c684c8e56e347b1880af0454622bddb116c42c7c659ce32a42a15cb8bc8fc5a7b6e2aad193356065f88a

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Setup.exe

MD5 35c75786f20dfc31eae53d2fa99be700
SHA1 1b2983dd978db886263b1740e4c7e0ca1cef88c4
SHA256 647989694781215bb3ab22531af6920494f98e1e9f9931a2087b913b5acf3a97
SHA512 9ff1a4ce091bcbaebdfa64672e03e243c6a19a16434eda19d41bbde9adb8e902382d22b9d9c5dd3771001463f044c7705801bce6e09e4574b0e874b8c135b376

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\SetupStrings.dat

MD5 407846797c5ba247abeb5fa7c0c0ba05
SHA1 44386455eed8e74d75e95e9e81e96a19f0b27884
SHA256 0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3
SHA512 7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\bab033.tbinst.dat

MD5 90713ab7a74884cd36a5fb4cfcdece8a
SHA1 7bb56d08fd69a98e543b923bd0a9156f92a9c473
SHA256 bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb
SHA512 639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Babylon.dat

MD5 825e5733974586a0a1229a53361ed13e
SHA1 9ec5b8944c6727fda6fdc3c18856884554cf6b31
SHA256 0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96
SHA512 ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

C:\Users\Admin\AppData\Local\Temp\D34FFA~1\IEHelper.dll

MD5 91c79865aefcfce33439046d9645017a
SHA1 ee7646e9a9ecd2fa138a5ee732368d3785e060b2
SHA256 48ca5a7e98cb77243361da71e472f24dd8bf9d57b925c85c49dffdf5fd59d19c
SHA512 9750c829a738fad3556c2a4d7e7e45f74de0973af10f019279647e271694122e85bcfe800a256cbee79f20a37020204001bcb4f2df5c1c1040668ac5038c7372

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

C:\Users\Admin\AppData\Local\Babylon\Setup\latest.zpb

MD5 c69c10ba277506ebfe3febb31eff91eb
SHA1 f7d6b249c04c95d16755e6420bd21a3b6180ee23
SHA256 1ce9f6ddd348b1977dbf9418f09ba0fee4e15ec518429a1da3f748ca99667f02
SHA512 20d8f935f86cefb4116d45be06a137d3fd943fda0abb4866627b2ff7db26cf821e8de506be29870c4a1dd35b37cf76a7e4e669184eab5cb34f95d2f98b953c66

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\HtmlScreens\navError.html

MD5 0c464e407c81764ebc09eacbe41f0b3e
SHA1 245afe550a05215e5873d8f5f21c22d12aa46b6a
SHA256 770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26
SHA512 71070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\HtmlScreens\loading.html

MD5 f50fa4673555652289652753183fd1ee
SHA1 f496797f0d34eb866d6328d2fd1492b485f74d0a
SHA256 afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812
SHA512 6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\BExternal.dll

MD5 9dd3bee21494a490253a91ed2b473e47
SHA1 f0a5e04842697404275cf4a352455acd5fc44578
SHA256 5e0f673dc9586848c1f1b3b0b678bdf8c9be52cabb251aff400c32ac6404917a
SHA512 4cba8face523b21a5871df516c1fc3ba362bf467a399f4811dba943edcc0ca5d04d369f7c1eb582778e299344ce99609bdae15040a4bd692694025d926e7b483

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\Setup.exe

MD5 de3ac9a7165e4060c97071d1915a2e10
SHA1 2d0329aa862b2b6e316d9fe699c1b265973274ba
SHA256 3e730c6e922264d5722c1add515b5fea49b88ffa86c5f194d19bfa95f78652f5
SHA512 2935c58a8e3acbecde5324cc83fbbed226f0ebbaa23f9e97a17d96bc92ce6a6b984a9d411f822c3401b24f47d829e1f0e45680a9939a763e236707845aa84bfa

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\browserDetection.dll

MD5 58f15e5a40db8d86543b9811fb9c8698
SHA1 64184cb143f44321f06feb106c158fbababcb7ae
SHA256 06c370b0344e5447aa350da33f52e04fc4180fd000b17b02e70fb5e0d7d4de75
SHA512 61c45e9f65c68ce00216b5934de476b61947e5d8217fb6b6c6efe58ebdad10ab5d4dddd3ecb7d3c8d1712cdc4b137a478c4f8a3c6715a9ecf9ca5f0a8645ddb3

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\browserDetection.aoi

MD5 15335426bf52ace5e73b8f39e61c8f21
SHA1 77c9fd49fba1d2e0685dba1cfd1ce2c6f71598f9
SHA256 aa76caa4be06745dc2de5daa92fa307cc0f0569b83bda42d9f3fb4ea87f6e9ee
SHA512 1f06cfdd80d39a79502120daa0a62eef2eda76a87970ac2ab50d18f90a0b962f08ffc7c35eacf2d3d4e69bfc8f5e09bf14bde94281c5bb519c1903ac49da2e53

C:\Users\Admin\AppData\Local\Temp\__DC8EDA61A5E71E4E\kmsdelta_ac84bf20.zpb

MD5 ff7a2f8d37673fc7e5e42dd793086a5b
SHA1 346ebc40da9f9d70697f5fe7adf4d431f12d79e8
SHA256 963d6ac315b0e5a0b77a3de5e8c6497a5d0f5f1a2a6d53bbd1af274816095954
SHA512 616acf62d52b5fa19a1380dfb315ca39d38b69d23bb44e51995360be057112dc8c6f6365c09a964daecc5f0513f92805c4d1cbe10dbd6918994b4803f8b904bf

C:\Users\Admin\AppData\Local\Temp\__DC8EDA61A5E71E4E\delta_dmn_154741b7.zpb

MD5 f208d9600a80f6c8225f1b5577ee98dc
SHA1 252e3ead4d3fedd2a1e7135c400b7f62ef46fe9b
SHA256 5cd7adcf0cbe5d4054bf43605d44c40b75ca9b0797ce660ccad1a7ab86d28f60
SHA512 8b8d2129398c44762b61dce2de561f8a8302c98efe63beb7e1c68b52202cc11aa6671b72a5b4f5ee04129a22284616631432e0290e1a77c771378c0b4890f35e

C:\Users\Admin\AppData\Local\Temp\D34FFA~1\Latest\IEHelper.dll

MD5 2c859f4f541b043fc9f8ab4042aa867f
SHA1 f2f16b6b28e622cac95545870f944ffb20c7d317
SHA256 bbb95bb1f9b306068a9e9eadcb28e7405b15b102c486c68ff34af71ede7e59c9
SHA512 476fb03c13b67e637a681d5b0af9220a8bf54ba5267d3b6cdccaff9fec0c76e873c1cfb33a7e5f3338cbd53c247692746196b3fe9c30dee0e2e3880ff721af32

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\setup2_247f86be.zpb

MD5 4d507fc2ad32d1d8a8e74aaa8c01c1ca
SHA1 6fe219d6c97c2482e386de8618b5814a04eef635
SHA256 a551b5fbdfbb2a519edada9902b6dae5be9810db1c6acdf2dfe4bee2aa4caf7d
SHA512 db9caa9fe8bab0d57cf4c8164e2ca5dcb5df8be6ec988f6cd11ff6128ecd31913ac5bbabc6a197948396045e471fd43139bc6a404b44ac31b573503eb58bd443

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\setup2.aof

MD5 84f6030383d24d975507b5937dbc958a
SHA1 fed5d575e3bae09e279de1afbb6a8238b8c370fa
SHA256 d79b11b3ea2811384553bdb586176d1c013298d9aad622dec307a70537aecfbd
SHA512 78b2bdcdd8c44c82ab761f4d9269125fcbbe7d42e92c89ac3161b7c725f678bf2334c2fe54df091a1cef74a8e0c824ec21148455a3f3728968650f2cb1c6bf50

C:\Users\Admin\AppData\Local\Temp\__DC8EDA61A5E71E4E\buscts_fa14b1f9.zpb

MD5 66760773be28f40d555765224f649a78
SHA1 28af276b377e9a9a3a207e0f4ec70c2053cce4d3
SHA256 7d09da216b30e3a238468f1a120215cced74d419694a2f4b2e67c624ebf57c7d
SHA512 1f97a0c03a93b6aa16b3d48e84c24ddf424ff9f22f4f42e635349fcab3dc07230d2b742a710b9fcc614920502d9af8c559a73d2b7e323f4f20025d94e9e5464d

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\buscts.aof

MD5 3365d53933fa6879e67cd4bde759b5ef
SHA1 9c2b46ff7aa6ee97b492abb440470bcd3c4a70af
SHA256 b7d3d385b3a54753ed33299accc4752b9ca3eda2ac087a4e2073a83a07697e1f
SHA512 19ca814276eded80ed5a76b8d2c77364f4cd67adaaf2e6b8e4007e7faf6a509adb69b1928293dc3196fad66fee3cd62fd233ff304c1f160d585117a1c1d96891

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\buscts.dll

MD5 6646967f168b60b09b11a5a66da34443
SHA1 2fa4eda7d0b2ec1beae396f0491542cd95215824
SHA256 41edb87439c842a08804b09756314ef90f43b4250fe9cf04de988e406b17ba27
SHA512 daa94fccb75551d2342796f8d72da52ec52272d176d87a964e56b9994ef69a8b64e4cfc1e36a0b1c7dc54237377e0373dff0a864e4e80cecebf66429f3d76081

C:\Users\Admin\AppData\Local\Temp\__DC8EDA61A5E71E4E\GUninstaller_vt_58c82ec6.zpb

MD5 62e00fbeebeedc16bf6b380683f3004d
SHA1 817b3699db1949b96f85207da262a3f5419a5c11
SHA256 d7c19d0748531c279a322522f7b45b3bb2373d5d11242956f7956c672cf9394e
SHA512 2a265e75bc2c0453810f5f7827bf03032a33fe7fcca036f7a0ab7620caa447909308c2fb95be34e5df6d9b5f5da22a0bc30f97cf9a04810496aba301431f000a

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\DSearchLink.aof

MD5 c2897c0945f57a10b2941360506db344
SHA1 e65c1216af5ecdf953d97fedb11002743f82c086
SHA256 8865b1bd67493b5c2c444ba208fd8f0c75e676d324b9e8c21ed41711f7715713
SHA512 95550f314baefa0a7f56e9be3d87f7a47a88c6c7cee40e6a0b8920badd6b2efda18132a52ce077bf5bc63935636ec333cf75667a6e368ee75583a39f361630e8

C:\Users\Admin\AppData\Local\Temp\__DC8EDA61A5E71E4E\DSearchLink_31d48ae8.zpb

MD5 963fd4b53ad57ff23de23dd5ed09ed72
SHA1 4d3a351de3aa8d789076a6a39d9b4a54957852d5
SHA256 850ed48de2c1d0fd8870f457fb12907de9838e26e836a88b1453bbdcc00b5cb3
SHA512 d50b48ae06a6137f99581e4f6ea6b417fe6e1871c82e655b042436b8dcc260e00fa8e7ebbfbb0aef5ab489fed4530a830f3f2c9a2dff4307509154c3b614eb58

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\DSearchLink.exe

MD5 30b9bd7cd6f7a4395a22b5d8907f302c
SHA1 246ddbc3a2c223a6b9072637d93dc2a2832d097a
SHA256 b7ef2bdac0b3b520f0d32e8af2a18ddbfdcf8683c0e93e061b79a22788fa1081
SHA512 6ed57a5a3df2644532843c49243951cda80f2354e2c076484311c17b7e8658f8da16fb603b77ac367fd7d860fab50311c945a6e4b579cc7bce430c4206e65f89

C:\ProgramData\DSearchLink\Search.lnk

MD5 ba3e417cf9375967e35fc7800caa2fbe
SHA1 4983d671c3fe12f2d1bc3d563b3a4fce71c72447
SHA256 97f16c43257e643030cae70b7af1ad2e38876a103455cd33547929ba858580c4
SHA512 fd77978c292768f5e3fd4e72aa897a8404335ae852756a61757e04ba6007a8930011a0e1acf1721a870e2830557fd1d3c4c2bcae37a4193998347d7af94e7edb

C:\Users\Admin\AppData\Local\Temp\SetupParams.ini

MD5 35ef38cebf17fb917e24adfed6ecea11
SHA1 bc3c81fa18feedaa6bc0c31f0d325473bd387e1e
SHA256 7dcfce4b15328d0f04ec1675061761c4831e95da319fcc4cffc5f340053f8cb0
SHA512 f52c43623afb983e55f5a942be4d14e843b218a1c6799b49d1033155e8b177a562043f1d532c25162ab43721f9002992b14d4ecc6615a81003e68983c06c291d

C:\Users\Admin\AppData\Local\Temp\setupmgr.dll

MD5 0f6dda7d081b239037695947b7f2a451
SHA1 891df6cd2efd6a4e91e5718206f8035ea6265bd0
SHA256 44ad85af39b6f88828aff54100b47767c0dea844bd08c8a597e0d3d9f3cc90eb
SHA512 53d829c7833cb0b0d827ec346d096fa535639247f19d8de38136f63e6e269ef82f187358115ca32c996a0eab977080b394be6d7641c982f19a3380f60bad88da

C:\Users\Admin\AppData\Local\Temp\Bb246B.exe

MD5 42cdd74f60853c2f4e959416a0157a08
SHA1 490228066cc94dd51c777b837f88b184e782d6fe
SHA256 a638a464ee4759dcd75c171cfade6520e5eb77cabdb84eda55ed29863c5eb31c
SHA512 e171f4747d1295d25d785c82b8325c06de5a556f7b691f97282e4c26c156c697f9a39402e36ed3919ee5478b99a86377aad9c278a2180db3f1f9ac7230f5e8c2

memory/1812-243-0x0000000060900000-0x0000000060970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\GUninstaller.exe

MD5 59271c345dbdccca05e37abbe19d58e0
SHA1 07f2e033678f173cbb9292c877ac5038807262e5
SHA256 d3ad57e6dee8428b8479c493033e61e1fee03cdbe059af26df7f995a4552ebe3
SHA512 43e8c3e837b1efc2aab04cb605a7ea4a52885a08ed96a3cb7e54d1b9a0eb071505a764f08d17e4008c8c8cc96bada35269348d0225cc505fbf275d7b32561056

C:\Users\Admin\AppData\Local\Temp\D34FFAE5-BAB0-7891-BC68-BE1D52291CD4\Latest\1.txt

MD5 202cb962ac59075b964b07152d234b70
SHA1 40bd001563085fc35165329ea1ff5c5ecbdbbeef
SHA256 a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3
SHA512 3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1eb8b85103e3be7ba613b31bb5c9c36214dc9f14a42fd7a2fdb84856bca5c44c2