Malware Analysis Report

2025-08-05 23:17

Sample ID 250115-12a9rswrcy
Target JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65
SHA256 272efc079641971c1fb576bc5af5fd420fede4d3863f19d95e975af492a67c8d
Tags
discovery upx evasion spyware stealer trojan adware persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65 was found to show suspicious behavior.

Malicious Activity Summary

Deletes itself

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Checks whether UAC is enabled

Installs/modifies Browser Helper Object

UPX packed file

Drops file in Program Files directory

Browser Information Discovery

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

NSIS installer

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer start page

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Analysis: static1

Detonation Overview

Reported

2025-01-15 22:08

Signatures

UPX packed file

upx

Unsigned PE


NSIS installer

installer

Analysis: behavioral26

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:17

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A

NSIS installer

installer

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 d43035bfbf0739ca4a27cee3ed34f696
SHA1 a674e61a0627a0b94080878138c4ea99d20a235d
SHA256 4c8270552b7088a5028283aa7e85dc038af26a6f20e7ad52fa467a7917459dc0
SHA512 53d3b8a871d8dcaba77b5ac258a89e25bc548030d1ef5d8f77998e97eaca4a3607f4edaebaf05177b43de0943b68655939776010b9ff634ff921502c9c80317c

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 4072 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:16

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcm90.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1772 wrote to memory of 4528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcm90.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcm90.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileHunter.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FileHunter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileHunter.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileHunter.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FileHunter.exe

"C:\Users\Admin\AppData\Local\Temp\FileHunter.exe"

Network

N/A

Files

memory/3016-0-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/3016-1-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240708-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

NSIS installer

installer
Description Indicator Process Target

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 d43035bfbf0739ca4a27cee3ed34f696
SHA1 a674e61a0627a0b94080878138c4ea99d20a235d
SHA256 4c8270552b7088a5028283aa7e85dc038af26a6f20e7ad52fa467a7917459dc0
SHA512 53d3b8a871d8dcaba77b5ac258a89e25bc548030d1ef5d8f77998e97eaca4a3607f4edaebaf05177b43de0943b68655939776010b9ff634ff921502c9c80317c

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240903-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IELowutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe
PID 320 wrote to memory of 2812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe" Files\Common Files

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8FDF2B~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 info.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 dl.babylon.com udp
US 198.143.128.244:80 dl.babylon.com tcp

Files

\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Setup.exe

MD5 3eff4d0a2dde24e5afe250ba50887f2c
SHA1 9adb9ea752959e6945d58068cbc55fa04662d8af
SHA256 3cf6717e6bad2e669f96dcd498e79981d2755fbb841e91533f73efa1ffae26cb
SHA512 f7c7fe13849a64e5281d94597d2d150d4db171a4070192e08192aee927e3a51786008fc24ef3de3b3ff3f4c5fe86d6b037602300f9c50b7fd9783c3a32cbb7c4

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\bab033.tbinst.dat

MD5 1ee8c638e49ee7137607722768afc5a2
SHA1 8719d7a498a49b042cd6fc411cac6c44f3c0f43a
SHA256 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e
SHA512 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\bab091.norecovericon.dat

MD5 4f6e1fdbef102cdbd379fdac550b9f48
SHA1 5da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256 e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA512 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\SetupStrings.dat

MD5 07bb1523dc51ec1fd5913b0a70ab98ee
SHA1 216f853cb251f32f5c91345404efd48f041ad5bd
SHA256 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2
SHA512 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\Babylon.dat

MD5 adbb6a655ae518830ba1afefdb84668f
SHA1 a1be53d99a67fff011ea035c310588e635c718e1
SHA256 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c
SHA512 b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228

\Users\Admin\AppData\Local\Temp\8FDF2B~1\IECOOK~1.DLL

MD5 a7a1efbbf7a8968223d7e49b60625e30
SHA1 1b2801dd02e9d9b7f27789ed161bc1761943e921
SHA256 1f008544618eab320dc36467887a60283c7d13bd08dc7ca85c9c06869a353373
SHA512 0eba055bf6835b81621065a0dae7e05258405c6f75f5d61ceca4d30862a43682b368a5dce6cd53d86c0ffd6a8c6bd19f0943af71530a48f734d50d8473794f27

memory/2812-38-0x0000000002870000-0x0000000002872000-memory.dmp

memory/320-39-0x0000000000260000-0x0000000000262000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\BExternal.dll

MD5 5fb8613b7cf68604bb7a1bf2bbcf048d
SHA1 2688ca41771cc9c5b318c60b8e4dac94d479b00b
SHA256 ce2ffd4eb568f61623a1b94a5c8958140b328b09504aaeebf98c9a8c56ab65ec
SHA512 06fb08f8b54740eaa8b691c39397611f634306e165cc3cf2217d7dd3df038b4f08cdd0852f87dc93984d5f5bea61f5123f896d9634809492da1fe92f0747dd47

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\blueStar.png

MD5 a7fcdf142648bac756fcfe06a31f42e4
SHA1 4df99b119c183c821ed1bf0f825536318c9c3353
SHA256 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22
SHA512 ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\eula.html

MD5 1b73a781f7f5b0d61624bd97050a2ed0
SHA1 01b848625761d5dede115e8599e4c72f126f8a3c
SHA256 f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5
SHA512 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\globe.png

MD5 cc53fb9e9456eb79479151090cb16cbd
SHA1 e61004bf729757f3f225f77f0236b82518f68662
SHA256 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42
SHA512 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\options.js

MD5 771f230f8bbc96a03b13976667918f1f
SHA1 0fba422c76b89cdb5d12e657064c49a9b1b7abae
SHA256 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252
SHA512 b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\page0.html

MD5 cf33120dd42cee842d96532843bb1961
SHA1 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf
SHA256 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f
SHA512 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\page2.css

MD5 085cf46c4d1c8dea9edd79ee37d6d5bd
SHA1 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45
SHA256 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d
SHA512 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\page2.html

MD5 12152ded3604e8baaf82c078f8034d60
SHA1 0867dec241a257e3e9ad9e8d20b9e06e3bce7184
SHA256 abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485
SHA512 a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\page2Lrg.css

MD5 db15b568f9d195635b3fcab87ef6293f
SHA1 6ae0f374531cb3013857880e8469a103492b8393
SHA256 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d
SHA512 a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\page3.css


C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\pBar.gif


C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\page3Lrg.css


C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\progress.png


C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\page3.html


C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\title.png


C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\setup.js


C:\Users\Admin\AppData\Local\Temp\8FDF2BD2-BAB0-7891-8CA4-7E06D36B3784\HtmlScreens\toolBar.jpg


C:\Users\Admin\AppData\Local\Babylon\Setup\Setup-tbdef.zpb


Analysis: behavioral13

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20241010-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcm90.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcm90.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcm90.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240729-en

Max time kernel

63s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcp90.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcp90.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcp90.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:16

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcp90.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 4192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcp90.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcp90.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:17

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\updater.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\updater.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\updater.exe

"C:\Users\Admin\AppData\Local\Temp\updater.exe"

Network

Country Destination Domain Proto

Files

memory/4248-0-0x0000000074762000-0x0000000074763000-memory.dmp

memory/4248-1-0x0000000074760000-0x0000000074D11000-memory.dmp

memory/4248-2-0x0000000074760000-0x0000000074D11000-memory.dmp

memory/4248-4-0x0000000074762000-0x0000000074763000-memory.dmp

memory/4248-5-0x0000000074760000-0x0000000074D11000-memory.dmp

memory/4248-6-0x0000000074760000-0x0000000074D11000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CompuCare Check for updates = "C:\\Users\\Admin\\AppData\\Roaming\\SuperPump\\updater.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B} C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarApp.dll C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\escortShld.dll C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarTlbr.dll C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\uninstall.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
File created C:\Program Files\Mozilla Firefox\extensions\[email protected]\defaults\preferences\babylon.js C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarEng.dll C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
File created C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\bh\BabylonToolbar.dll C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IELowutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542} C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\AppName = "BabylonToolbarsrv.exe" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\AppPath = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}" C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=108604&babsrc=SP_ss&mntrId=e7c1ae48000000000000eaf82bec9af0" C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = [binary data omitted] C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC} = "Babylon Toolbar" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=108604&babsrc=HP_ss&mntrId=e7c1ae48000000000000eaf82bec9af0" C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020} C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\ = "escrtAx Object" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\Programmable C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\ = "bbylntlbrCmn 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997} C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\LocalServer32 C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\VersionIndependentProgID\ = "escort.escortIEPane" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\CLSID C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ = "CDskBnd Object" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\dfltLng\dfltLng = "en" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CurVer\ = "bbylntlbr.bbylntlbrHlpr.1" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\AppID = "{35C1605E-438B-4D64-AAB1-8885F097A9B1}" C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A} C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\autoRvrt = "false" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\1.0\0 C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ProgID\ = "bbylnApp.appCore.1" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC} C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\dfltLng C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\b C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\admin = "false" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\dsFFX = "Search the web (Babylon)" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\TypeLib C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\ = "escortApp 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\TypeLib\ = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E} C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0 C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\dpblck C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}\TypeLib C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CurVer C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\InprocServer32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10\\bh\\BabylonToolbar.dll" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\InprocServer32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10\\BabylonToolbarEng.dll" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\1.0\0\win32 C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
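
The COM registration rows above and the certificate-store rows in this table are easier to act on once reduced to the artifacts that matter: which CLSIDs resolve to a loadable DLL (the InprocServer32 default values under Wow6432Node point at the 32-bit BabylonToolbar.dll under bh\ and at BabylonToolbarEng.dll, which a 32-bit COM host such as a browser would load), and which certificate store received a write. As an added example that is not part of the sandbox report or of Babylon's own code, the Python below parses a constructed subset of these rows in the report's own row layout; the sample rows and the per-store notes are mine. One caveat it encodes: AuthRoot\Certificates is where Windows' automatic root update caches roots fetched while building a chain, so a write there during an Authenticode check (note the thawte OCSP and CRL lookups in the Network section) is weaker evidence than a write into Root or Disallowed; check the thumbprint against the Microsoft Trusted Root Program list before treating it as a rogue root.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the report's registry tables (COM class
# registrations and the "Modifies system certificate store" rows) in their
# "Description Indicator Process Target" layout. String values keep the report's
# doubled backslashes; the certificate blob is replaced by a placeholder.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ProgID\ = "bbylnApp.appCore.1" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\InprocServer32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10\\bh\\BabylonToolbar.dll" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\InprocServer32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10\\BabylonToolbarEng.dll" C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = <omitted> C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
'''

CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?$')
CERT_RE = re.compile(r'\\SystemCertificates\\([^\\]+)\\Certificates\\([0-9A-Fa-f]{40})(?:\\(.*))?$')


def parse_rows(text):
    """Yield (op, key, value, writer) per row; value is None for 'Key created'."""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(' N/A'):            # empty Target column
            line = line[:-4]
        if line.startswith('Set value ('):
            rest = line.split(') ', 1)[1]     # drop the '(str)' / '(data)' type tag
            key, _, remainder = rest.partition(' = ')
            if remainder.startswith('"'):     # quoted string: value ends at the last '" '
                value, _, writer = remainder[1:].rpartition('" ')
                value = value.replace('\\\\', '\\')   # undo the report's escaping
            else:                             # unquoted (binary) value is a single token
                value, _, writer = remainder.partition(' ')
            yield 'set', key, value, writer
        elif line.startswith('Key created '):
            key, _, writer = line[len('Key created '):].partition(' ')
            yield 'create', key, None, writer


def clsid_registrations(rows):
    """Group every CLSID-scoped write by GUID: subkeys created, values set, writers."""
    regs = defaultdict(lambda: {'view': None, 'values': {}, 'keys': set(), 'writers': set()})
    for op, key, value, writer in rows:
        m = CLSID_RE.search(key)
        if not m:
            continue
        guid, sub = m.group(1), m.group(2) or ''
        entry = regs[guid]
        entry['view'] = 'Wow6432Node' if '\\Wow6432Node\\' in key else 'native'
        entry['writers'].add(writer)
        if op == 'create':
            entry['keys'].add(sub)
        else:
            # a trailing backslash in the report names the key's (Default) value
            entry['values'][sub + '(Default)' if sub.endswith('\\') else sub] = value
    return dict(regs)


def loadable_modules(regs):
    """CLSIDs whose InprocServer32 default value names a DLL a COM host would load."""
    return sorted((guid, e['view'], e['values']['InprocServer32\\(Default)'])
                  for guid, e in regs.items() if 'InprocServer32\\(Default)' in e['values'])


# Triage notes per store (my assessment, not from the report). AuthRoot is the
# cache that Windows' automatic root update fills; Root and Disallowed are the
# stores an installer has no ordinary reason to touch.
STORE_NOTE = {
    'AuthRoot': 'auto root update cache; confirm thumbprint is a Microsoft-distributed root',
    'Root': 'trusted root store; an installer-added root needs an explanation',
    'Disallowed': 'untrusted store; a certificate placed here is rejected by Windows',
}


def certificate_store_writes(rows):
    """Map (store, thumbprint) to the processes that wrote it plus a triage note."""
    seen = {}
    for op, key, value, writer in rows:
        m = CERT_RE.search(key)
        if not m:
            continue
        store, thumb = m.group(1), m.group(2).upper()
        hit = seen.setdefault((store, thumb), {'writers': set(), 'note': STORE_NOTE.get(store, 'review')})
        hit['writers'].add(writer)
    return seen


if __name__ == '__main__':
    rows = list(parse_rows(SAMPLE_ROWS))
    for guid, view, dll in loadable_modules(clsid_registrations(rows)):
        print(f'{guid} [{view}] -> {dll}')
    for (store, thumb), hit in certificate_store_writes(rows).items():
        print(f'{store}\\{thumb}: {hit["note"]}; written by {sorted(hit["writers"])}')
```

The same parser accepts the full table copied out of the report; the interesting output is the short list of DLL paths (the persistence surface to hash and hunt for) and the store name, not the fifty rows of TypeLib and ProxyStubClsid32 noise.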

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe
PID 2920 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe
PID 2920 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe
PID 2920 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe
PID 2920 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe
PID 2920 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe
PID 2920 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe
PID 2920 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe
PID 2920 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe
PID 2920 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe
PID 2920 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe
PID 2920 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe
PID 2920 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe
PID 2920 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe
PID 2920 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe
PID 2920 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe
PID 2920 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe
PID 2920 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe
PID 1332 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe
PID 1332 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe
PID 1332 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe
PID 1332 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe
PID 1332 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe
PID 1332 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe
PID 1332 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe
PID 1876 wrote to memory of 1908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1876 wrote to memory of 1908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1876 wrote to memory of 1908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1876 wrote to memory of 1908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1720 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe
PID 1720 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe
PID 1720 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe
PID 1720 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe
PID 1896 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe
PID 1896 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe
PID 1896 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe
PID 1896 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe
PID 1896 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe
PID 1896 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe
PID 1896 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe
PID 1896 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe
PID 1640 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe
PID 1640 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe
PID 1640 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe
PID 1640 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe
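
The rows above pair each writer PID with the process it wrote to, repeated once per call. Every pair coincides with a parent/child relationship visible in the Processes section (the NSIS-built sample, PID 2920, spawning FileHunter.exe, updater.exe and bundle.exe; bundle.exe spawning Setup.exe; and so on down to BabylonToolbarsrv.exe), with a handful of writes per spawn, which is what a parent populating a freshly created child looks like. As an added example that is not part of the sandbox report, the Python below collapses a constructed subset of these rows into that spawn tree so the chain can be read at a glance; the sample rows are mine. Treat a pair as injection only when the target is a process the chain did not start itself; the rundll32.exe to IELowutil.exe pair (an `-embedding` COM activation) is the one here worth confirming against the process-creation events rather than assuming either way.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the report's "Suspicious use of
# WriteProcessMemory" rows, including one repeated pair to show de-duplication.
SAMPLE_ROWS = r'''
PID 2920 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe
PID 2920 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe
PID 2920 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe
PID 2920 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe
PID 1332 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe
PID 1876 wrote to memory of 1908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\IELowutil.exe
PID 1720 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe
PID 1896 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe
PID 1896 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe
PID 1640 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe
'''

ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (.+)$')
# The two paths are separated by one space, but "Program Files (x86)" also
# contains spaces, so split only where the next path's drive letter begins.
PATH_SPLIT_RE = re.compile(r' (?=[A-Za-z]:\\)')


def parse_wpm_rows(text):
    """Return (writer_pid, target_pid, writer_path, target_path) per row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        paths = PATH_SPLIT_RE.split(m.group(3))
        if len(paths) != 2:
            continue
        rows.append((int(m.group(1)), int(m.group(2)), paths[0], paths[1]))
    return rows


def build_tree(rows):
    """Collapse repeated rows into one edge per (writer, target) with a call count."""
    children, names, counts = defaultdict(list), {}, Counter()
    for src, dst, src_path, dst_path in rows:
        names[src], names[dst] = src_path, dst_path
        if counts[(src, dst)] == 0:          # first sighting keeps report order
            children[src].append(dst)
        counts[(src, dst)] += 1
    return children, names, counts


def roots(children):
    """PIDs that wrote to others but were never written to: the chain origins."""
    targets = {d for kids in children.values() for d in kids}
    return sorted(p for p in children if p not in targets)


def render_tree(children, names, counts, pid, parent=None, depth=0):
    """Indented spawn tree; each child carries the number of write calls it received."""
    label = f"{pid} {names[pid].rsplit(chr(92), 1)[-1]}"
    if parent is not None:
        label += f"  (writes: {counts[(parent, pid)]})"
    lines = ['  ' * depth + label]
    for kid in children.get(pid, []):
        lines.extend(render_tree(children, names, counts, kid, pid, depth + 1).splitlines())
    return '\n'.join(lines)


if __name__ == '__main__':
    tree = build_tree(parse_wpm_rows(SAMPLE_ROWS))
    for root in roots(tree[0]):
        print(render_tree(*tree, root))
        print()
```

Two roots come out of the sample: 2920 (the submitted sample, with the whole toolbar installation chain under it) and 1876 (rundll32.exe). A root that is neither the sample nor one of its descendants is exactly the case the lead-in says to look at more closely.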

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe"

C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe

"C:\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe" "madre.cojiendose.a.su.hija.menorhttphotfiledir.com"

C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe

"C:\Users\Admin\AppData\Roaming\SuperPump\updater.exe"

C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe" /aflt=babsst /babTrack="affID=108604" /srcExt=ss /instlRef=sst /S /mds /mhp /mht

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe" /aflt=babsst /babTrack="affID=108604" /srcExt=ss /instlRef=sst /S /mds /mhp /mht

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2BC231~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe /lng=en /babTrack="affID=108604" /instlRef=sst /aflt=babsst /srcExt=ss

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe

"C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe" /lng=en /babTrack="affID=108604" /instlRef=sst /aflt=babsst /srcExt=ss

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe /lng=en /babTrack="affID=108604" /instlRef=sst /aflt=babsst /srcExt=ss

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe

"C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe" /RegServer

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2BC231~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 torrentz.eu udp
US 8.8.8.8:53 loadiload.in udp
US 8.8.8.8:53 info.babylon.com udp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 stp.babylon.com udp
US 184.154.27.232:80 stp.babylon.com tcp
US 184.154.27.232:80 stp.babylon.com tcp
US 8.8.8.8:53 dl.babylon.com udp
US 198.143.128.244:80 dl.babylon.com tcp
US 8.8.8.8:53 ocsp.thawte.com udp
GB 104.78.173.45:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
GB 104.78.173.45:80 crl.thawte.com tcp
US 8.8.8.8:53 cs-g2-crl.thawte.com udp
GB 104.78.173.45:80 cs-g2-crl.thawte.com tcp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.165:80 reports.montiera.com tcp
US 184.154.27.235:80 info.babylon.com tcp
US 8.8.8.8:53 loadiload.in udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.83:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
ID 23.37.198.101:80 www.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\nso55D0.tmp\tools.dll

MD5 e12f05661436f2974cf91b5fc76fb5f4
SHA1 5e0b7887950204713bef3da0018911279f2540ec
SHA256 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc
SHA512 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d

memory/2920-18-0x0000000003880000-0x00000000038C0000-memory.dmp

memory/2920-19-0x0000000074961000-0x0000000074962000-memory.dmp

memory/2920-23-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/2920-24-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/2920-25-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/2920-26-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/2920-29-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/2920-30-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/2920-31-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/2920-38-0x0000000003880000-0x00000000038C0000-memory.dmp

memory/2920-39-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/2920-40-0x0000000074960000-0x0000000074F0B000-memory.dmp

\Users\Admin\AppData\Roaming\SuperPump\FileHunter.exe

MD5 42a2254574d663e3cf53f1c26d7edc12
SHA1 5dd5b7707a1eab91f5d2b15f37da02dea9b1aa58
SHA256 0a7844f24d0fc8cb8f6d680bb7a268f912d773e9152397607431ff1275e8dce6
SHA512 f901a32e745912ae54d257093e564eeefd64c7a62f157e3a36cb079a1a3d24d791b638aad369db15ba4b62e8741c09f8d77080ed506902b764064d296debae33

\Users\Admin\AppData\Roaming\SuperPump\updater.exe

MD5 14560f2d4eda150916b0b1dac4ca6362
SHA1 2476f57dba548edb544db860d5cf7190099c179c
SHA256 96e471eee44692eb387411b6789831fd5802b3636a53c18fde9e6643f6914ec0
SHA512 5d2b1a2f79c31d74513d4569515fa82ba51a9311d6e22f91a7835d9aaf9efa72e2db7c37a17516a2841f190712469430b3e8ed9da78352dfbdf6910065996cf8

C:\Users\Admin\AppData\Local\Temp\nso55D0.tmp\bundle.exe

MD5 d4fe9619462d7613a6750256c94f4589
SHA1 eb6aa6e142a33cee2c2b47c3c201bdf6b28fa846
SHA256 38615621239677224d4ff592dc91df1164d700be52a346e81df91f37a648b91c
SHA512 ef9fd81eb3deb85cf8c4325039a4b2a9bb286069ad4510403d96c3784a0d71a14a2b729ba0667d3c4bddddfa8b926d25cd25f128133d26928d1912c15905c7b8

memory/2920-69-0x000000000C2E0000-0x000000000C5A2000-memory.dmp

memory/568-71-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/2920-68-0x000000000C2E0000-0x000000000C5A2000-memory.dmp

memory/2920-67-0x000000000BB00000-0x000000000BB10000-memory.dmp

C:\Users\Admin\AppData\Roaming\SystemUpdaterApp\id.txt

MD5 f28612d9698ab28fc5ff224097c73b7e
SHA1 d2cf9b78a5f6e3b56e622ad7a53bebc631f730b1
SHA256 fb217d49180aed810c1ed622e469407c14df3101a22e704635b0bd139f9c7eba
SHA512 350aee6bb738b446c148a23d82b020a0ce559b1f1ee8665acf919eb03e4b57fc0982ccf3add0796c798895edbc840d244a4f87ff9c18376af6ae1a53260fa392

\Users\Admin\AppData\Local\Temp\nso55D0.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nso55D0.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe

MD5 3eff4d0a2dde24e5afe250ba50887f2c
SHA1 9adb9ea752959e6945d58068cbc55fa04662d8af
SHA256 3cf6717e6bad2e669f96dcd498e79981d2755fbb841e91533f73efa1ffae26cb
SHA512 f7c7fe13849a64e5281d94597d2d150d4db171a4070192e08192aee927e3a51786008fc24ef3de3b3ff3f4c5fe86d6b037602300f9c50b7fd9783c3a32cbb7c4

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\bab033.tbinst.dat

MD5 1ee8c638e49ee7137607722768afc5a2
SHA1 8719d7a498a49b042cd6fc411cac6c44f3c0f43a
SHA256 1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e
SHA512 2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\SetupStrings.dat

MD5 07bb1523dc51ec1fd5913b0a70ab98ee
SHA1 216f853cb251f32f5c91345404efd48f041ad5bd
SHA256 31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2
SHA512 8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\bab091.norecovericon.dat

MD5 4f6e1fdbef102cdbd379fdac550b9f48
SHA1 5da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256 e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA512 54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Babylon.dat

MD5 adbb6a655ae518830ba1afefdb84668f
SHA1 a1be53d99a67fff011ea035c310588e635c718e1
SHA256 7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c
SHA512 b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228

C:\Users\Admin\AppData\Local\Temp\2BC231~1\IECOOK~1.DLL

MD5 a7a1efbbf7a8968223d7e49b60625e30
SHA1 1b2801dd02e9d9b7f27789ed161bc1761943e921
SHA256 1f008544618eab320dc36467887a60283c7d13bd08dc7ca85c9c06869a353373
SHA512 0eba055bf6835b81621065a0dae7e05258405c6f75f5d61ceca4d30862a43682b368a5dce6cd53d86c0ffd6a8c6bd19f0943af71530a48f734d50d8473794f27

memory/1908-121-0x0000000000CB0000-0x0000000000CB2000-memory.dmp

memory/1876-122-0x0000000000290000-0x0000000000292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\sqlite3.dll

MD5 0f66e8e2340569fb17e774dac2010e31
SHA1 406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256 de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA512 39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

memory/2920-127-0x0000000074960000-0x0000000074F0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\BExternal.dll

MD5 5fb8613b7cf68604bb7a1bf2bbcf048d
SHA1 2688ca41771cc9c5b318c60b8e4dac94d479b00b
SHA256 ce2ffd4eb568f61623a1b94a5c8958140b328b09504aaeebf98c9a8c56ab65ec
SHA512 06fb08f8b54740eaa8b691c39397611f634306e165cc3cf2217d7dd3df038b4f08cdd0852f87dc93984d5f5bea61f5123f896d9634809492da1fe92f0747dd47

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\blueStar.png

MD5 a7fcdf142648bac756fcfe06a31f42e4
SHA1 4df99b119c183c821ed1bf0f825536318c9c3353
SHA256 008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22
SHA512 ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\eula.html

MD5 1b73a781f7f5b0d61624bd97050a2ed0
SHA1 01b848625761d5dede115e8599e4c72f126f8a3c
SHA256 f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5
SHA512 76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\globe.png

MD5 cc53fb9e9456eb79479151090cb16cbd
SHA1 e61004bf729757f3f225f77f0236b82518f68662
SHA256 3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42
SHA512 0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\page0.html

MD5 cf33120dd42cee842d96532843bb1961
SHA1 1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf
SHA256 783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f
SHA512 889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\options.js

MD5 771f230f8bbc96a03b13976667918f1f
SHA1 0fba422c76b89cdb5d12e657064c49a9b1b7abae
SHA256 92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252
SHA512 b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\page2.css

MD5 085cf46c4d1c8dea9edd79ee37d6d5bd
SHA1 30cb66994c45261a4aaa6d9ecdf1b1890ed09b45
SHA256 9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d
SHA512 66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\page2.html

MD5 12152ded3604e8baaf82c078f8034d60
SHA1 0867dec241a257e3e9ad9e8d20b9e06e3bce7184
SHA256 abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485
SHA512 a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\page3.css

MD5 07784ad77f30fa018949e412b2257aab
SHA1 8595c222a3741bfa83c5a4d982c845c8038062a6
SHA256 226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf
SHA512 2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\page2Lrg.css

MD5 db15b568f9d195635b3fcab87ef6293f
SHA1 6ae0f374531cb3013857880e8469a103492b8393
SHA256 5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d
SHA512 a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\page3.html

MD5 b23c25988099403433efb7fb64715676
SHA1 e833527e1c021b311286e6e2d1c2f0530be0a565
SHA256 7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c
SHA512 8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\page3Lrg.css

MD5 b3520c555c46a7020d8f27bfe81df0ca
SHA1 59398086abe3987c2a91edacb74eca94bbd63d7d
SHA256 74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6
SHA512 0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\pBar.gif

MD5 26621cb27bbc94f6bab3561791ac013b
SHA1 4010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256 e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA512 9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\progress.png

MD5 dee08d8cbcdeb8013adf28ecf150aaf3
SHA1 c61cd9b1bd0127244b9d311f493fc514aa5c08d6
SHA256 eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5
SHA512 c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\setup.js

MD5 a95607ce49fa0af8ed7a3f5667c3eb31
SHA1 5e4b5a30e56c42329afdf216625bf35be69a82aa
SHA256 01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c
SHA512 1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\title.png

MD5 12ef76069cc40b8ad478d9091915ded6
SHA1 fabad560b6e6839f9e5ae1268695d11ca35f9d74
SHA256 4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c
SHA512 5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\HtmlScreens\toolBar.jpg

MD5 56dc3cb42b46309e642c15167003685d
SHA1 045749de2c1492e5dfc4c44f9eb6c0feefe06b3d
SHA256 bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1
SHA512 5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

memory/2920-226-0x0000000003880000-0x00000000038C0000-memory.dmp

memory/2920-227-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/568-228-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/1720-229-0x0000000060900000-0x0000000060970000-memory.dmp

memory/568-230-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-231-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-233-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-235-0x0000000000400000-0x00000000006C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2722.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2744.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1720-298-0x00000000031A0000-0x00000000031A2000-memory.dmp

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup-tbdef.zpb

MD5 85499627e8e83a35ba23cb860067b468
SHA1 758d2902f93e28b92c1f422b3d5e16d03835c3cb
SHA256 8b1b99fd1eb29d888fef74a3733d60e3c0b5af2405beea8fe2223fffae79f4d0
SHA512 bd2b00be1b78a37b6b8d6462c358045ddba18d46021c820dbc73c5f62309b0c08d5144d3a65666384a9ba646d6e942791b949b220969a27d307352db08dbc052

\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\MyBabylonTB.exe

MD5 7c82cc9aca3eb71e463ff607cd607e3b
SHA1 5ffcc47376a89ec39fba8516694fb37c3b7d2bda
SHA256 9c1b8b8b3372737fe355bb6f4f96fc9b04bcdda5f3bfbe9617d22cbc35a400ea
SHA512 7ef9e92153607646f9eb9dec4fd087e9523df523d4f06eff994698d79ddc4e8e1f681fde13e1eb888e5a85457db558b10ffaf190c17bdc98688a59a90efc4670

\Users\Admin\AppData\Local\Temp\nso2F5B.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nso2F5B.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\nso2F5B.tmp\chrmPref.dll

MD5 241d60c30189b740c9086e34ff259e66
SHA1 7be0132de11c34018b6326d1de20fe9f20dea790
SHA256 8b3d8f239f11b53bc28f645546696441446e9a593be59cbf604fcc28a7e6d474
SHA512 ad342cea73ba3f7e7afc57828abc7320c0c5e39e20f5b06637c565a2b4579f05d81540e02b094776abbb17b021712a0f28e5f62637d8cea04b832e79252dd5fc

\Users\Admin\AppData\Local\Temp\nso2F5B.tmp\mt.dll

MD5 4fae8b7d6c73ca9e5fc4fe8d96c14583
SHA1 10865e388f36174297ec4ecdafd6265b331bfdcd
SHA256 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f
SHA512 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1

\Users\Admin\AppData\Local\Temp\nso2F5B.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\nsj2FDA.tmp

MD5 19a64655457b36c27920e68bd01d5bde
SHA1 0b064be45d41f8cd82a33894a5d5392c3d94f691
SHA256 58c4ce9aeb4c0d4c7b544d0c70bf017426c98347e9dab34ae7eccf453c9e559c
SHA512 f374068dfa01c67f46d923ebb8e288fc2411d095cd72dad9c601f0a5b657126ffe86b896be87da820502d81c06448f3924b4682daefc801686be79b845a06916

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\nse300A.tmp

MD5 c9050d020c0b459f0eb6ab1b89c6cad4
SHA1 7a1b72e7c784006bed198bc5cd23fe1b21732bdf
SHA256 1af1bb393e689dcbe7e99f135cd41ea441dc7aa0adbf0b1492d31d6f27767e9f
SHA512 5bd05d78e4637b10663797ef8e7c400c85274d4e1aa991438638d2cb2de580cb26632d73e29370d67376f64c2eec225ef9bece082634912b76869559c6433409

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\nsj302A.tmp

MD5 f6abf26891434f5c1da533557c20b125
SHA1 183844392b249b47a9d141dfa411e929607fa3ab
SHA256 18f3c4fb52e43871fcc2b2263c8c15ac2f0b0bee6a82c16076a56c2646eee8bd
SHA512 2014574467a054d8163d264a9cb0f8ed85b0ec9957995295eed5abad4ab3fd47c1d4a7632b03f5d531797c7f3b539c0b64cedd1d4a76c88fa09966787b0a307e

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\nsj302B.tmp

MD5 4221b6382c6cb300ac6aea49eea6b066
SHA1 ed59d159efa4a96efb988ce7478347cf15b60253
SHA256 b760a077039e396d2f49d83eb7b2fc6422c97e10d737640cc00f894c3181a7f8
SHA512 f52d36a7cb705ea0bbfb516bd36dfd614d5e68c73995a958dc15fe405507b7921bae6d8ca84e2cc80cc743aad308b5cb7e84cda216a7468f908085d681e226eb

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nst3101.tmp

MD5 e36113def65e7fcbdd2459e926b9a828
SHA1 d61134f5732a66e25626265a7eb90ae3174c8a24
SHA256 cbc88630294bae69c2de0d376d24c1f9af627f9a748b35569db9fcee4e653100
SHA512 0e337c33bccc42f636059c197806a895b38603537e85a3caf651ba1ff24b1755f9840516aa64f4dcd1a96453824a7ef114eea7690daa592c2d7a415a502880f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

MD5 dd3de92378955c57798eb433ca9756d0
SHA1 35c5b2970cdbb558114452c16980987537cb6a0a
SHA256 d704d056fa8ab53e52ecdfc17574755b3919eafb1ea37ab00d5fb6a8fabe9e3d
SHA512 05f0d8c81690a3e30f32a1b9e63f26574021d97cf4663060548de43b6dc53da33402b031b14a16dea17abe8c8468561bd55a91cf069b3b8341c17c6229d9c9d3

C:\Users\Admin\AppData\Local\Temp\nst30B2.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\uninstall.exe

MD5 d5cafd1094c003ed8b5ee0769d40468b
SHA1 36accbcc1114475aae0195d193f9d0a0d978cf6c
SHA256 938703cd98e89398e129ccbea6ae0546d8aa5eb90bbaf96c2ecf18f88852941e
SHA512 0395cf4e48ef1f49793eac95cb25089c4a7c24546af65080d8feecdda7532a461a13596cad928550926a90ca971ed7a9bd1cfb651ee1d1d18133e01912228d7a

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nse3193.tmp

MD5 20ae570fa3434fe5667e32c0662a9f0e
SHA1 7380517bc8e011a97bb521be01241880adc1b8ee
SHA256 15afd7d0b918e65c649665d72f0c82bc5184e136833eac328c75d2f3506c949b
SHA512 c4fe9bb4742b085857aeb8a3467cdf042c81e392b87a2300e393c2e546431b62cbb4a4ddca6911cff05e48cf3621619d4f98c27c37da7c88b9dcc984e14add2b

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsy31C2.tmp

MD5 625b290ae8fb4519b2f0114a1951e8b6
SHA1 8ed79cb357616274d2e59528b0e5d76ebd7996ad
SHA256 7cc2ca5decf61b4ec5e167dd923761b0c9b23108353e3eb4e8a1fa26afd86621
SHA512 5522437633df96fa77d1d1f98839ed0d65c1df469131a19fa5bc6140c8bd1d466b609cbd51a9daf45f15cd622fd9ce8becf443095ce1616997c758020644a7af

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nse31F2.tmp

MD5 536129e004d7a5b301fca8c4a4b68f13
SHA1 81f371d1e306a2596771bb31d6d009cc23cbb4e7
SHA256 9a00b1dabe9e1526f140a0c7eef8d6b4ac9d77d75e16c7ce7ef190b13f4f21bd
SHA512 a4708344c5134ecd87355b5d32ab1ada67f78e91d270d876c678dbae0f61b9cb31a8fcdb51efdee7975ebbdf9cf94e041ea6bc1949acaf6c2a46f28e4f993110

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsy3212.tmp

MD5 99ba089b11a31b400e3f086485f38a61
SHA1 6d655344bfd1968dd6563e0c9132d0e6b36f017a
SHA256 2417c3e73b5d4724e24b78381516e24bfed5d486eeedd3b65354de64e83073c1
SHA512 34fd340f51e687d4f2df65238d15dd78df6ad198962f560363495c56429c335ea9bc7dbfa3785d83b5fe304aadfb6c3c0f685a34a55ebf439c100914c4393d5c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

MD5 437963cc9f16ed05f19172398ff8bb0e
SHA1 85f713492a91d587cbf474a0a8b304af4108f85d
SHA256 654c54bb2f9e99dad7e248a0832a5eb691b819243931ddcc48087acde0f6fc96
SHA512 b533305248f540d3729fcdabe921f60e4f6421c14ed3dfbc501b69f573377f4725f3ea7cb1d508e3c1398bc1c41595e5f336403c44f42d43b458ef5afee4b825

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nso33AB.tmp

MD5 244c49faa4bf2478970b0ef33822a23a
SHA1 d24ce8c83aa71bb95fee9a7d618db76221e7f566
SHA256 e658b74d801071eb3a71ab67f50cc26561f2e4de59358347a70782b7231c5c8c
SHA512 4e0bd1a4d8a07724fa1f5de9814a45eb5d7a1fc7b7bd61bd9ed5c0aee2f3c88c88d8dde625e72084865a998775b6248c1ff153f1a549db64763dd3eec003e975

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nso33FA.tmp

MD5 da29ccc241369f1d1da28b237e5022b6
SHA1 3e98567f9d96ada64ee42082c911a8b045b67950
SHA256 2a8723b37239ba524393cf7af5bfeda3ff55ffc62cf6ad403da503f3fe2c78ff
SHA512 59c5dcf57f1e0cb1f3939f369478c109db5ff4559f561ccedd623cf4d70efcd03fd111baae5cf3ab7dfe483de8dbaa57dea1eb72c3df589ed75c82dfb645ca6e

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsj342A.tmp

MD5 35088912887e03ee4e7c9b318b42afb5
SHA1 406c6a9c5d1d2458f76cd0b73070f4930c22c00a
SHA256 1386aa7f0814e595439f9656fd5154436986be3b9adf22cc710ca3ee2a244817
SHA512 2704452c15cee51c6a61fdb3135685529e67a1976928bbdaa7684d54bda573bde2e3b6aa858691fb40f267c931abc816b2509668203cab6232c454c1707e1584

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nso344A.tmp

MD5 a11c9db66666721b98732fbdac53f047
SHA1 3f7bb59559e7a9e2016f5d7f667a8f4f6d2fbdca
SHA256 15d517a9793f9ab087692d494a770205619935c759e46a0f632b6c01e115b2a4
SHA512 98dba9d72c7b9c3972a4c18ee3ad5ef2b1ed646f99acc515d05e4d22f21d6dd876c1ad033f331e4923f223468a7f105da0a7f5dc1ba7cf47ee0137194bb378fa

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nst34B9.tmp

MD5 956b6c965543a80e2838dbc836566fe4
SHA1 a3eabba4f7eaa665845761ca91b4447d3a1f22bb
SHA256 07029094071012627106df5f5b2d2fecb7deba56a40a9b824f35be84c4d8283f
SHA512 40bd7e1a290c59251b46cd8b059b70146e23b5a6bf6715c8a0cbbd3c7b1fc3d36ec0802e0cbcb3a3902e5d4b9d6b4dca350c345c7a26138b33b9c59b9d0d7ea5

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsy34D9.tmp

MD5 f851b6ecfb1d43e61de4dcfd642cd3b7
SHA1 3349873681c6828dab796c5bd00829b89420f734
SHA256 7f3691413da419c9e67b6c427fd0f4f8f153a047c7a8c1500f42ea7de33d97a6
SHA512 fb8b5f327b54af05a32ef0fdfcaf079724a83feb784eda5e1e5f5050314fe15c9faf6e519ca657d223c436983c347b8918363cecc6712273d9a46118640dd322

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nst3509.tmp

MD5 ee31995ac549b02b706dcc36909f0cce
SHA1 7fd99884b7e1b086391a2fa68e00d6248b9dcb1c
SHA256 ddc363585aeda4646df7bc1f04f06d865fa0960ca389d561a6fb974739f35908
SHA512 afdec03c46a533b74a31b7568cdc9c8885249a2d86b0cbf6c7188d2b48e5de9b42ad4f1118f056beac490c5c0155c9cc943b567cb4430f624b8d0db5e9801cd7

memory/568-2529-0x0000000000400000-0x00000000006C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

MD5 f38c124b945f90c8f12d5213ec8522e8
SHA1 4b72d7ab5f628fc39658c6012105ce24a8c3ec4d
SHA256 0cdae7ba3cead5d1463934b0c29ce4d6dbb309c800dc631cb0e3ffae08581e5f
SHA512 d09ba66defe6fc387ef74c1e3fc4d86c772502d730f540240d112114e166ae08689f6a79ea0ae616a0ada2e8e5060066c76aa7051a0793cfea04f98e731a0348

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsj3607.tmp

MD5 c90ad105698ba8098eb8fe8336a2626c
SHA1 765d5ea85fe8f1ebdc89e90170758c7031c560b9
SHA256 bfa7f794e9e991658485247a6756170d80cfb724fe22d45e01b4c103a54b924d
SHA512 cf49b14e8d9eb420c31986691bdad91ef19cbfaba096901de2e5383701d7a7fbe62ebb1beb86a1c5a21d914811a0b9b24f3b11091e45a883ce003edd74829c0b

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsy3617.tmp

MD5 3936061af3577abd739b1da9442d4f25
SHA1 61f338d75b45964c24faf6f14d9341fa142f3c98
SHA256 9e358658f1df005a995c2204fef3b9215668fab41916c04492f4491d4442e08b
SHA512 bc9b39301471af26f759fa6f97702a6ce5397324001d12f680ff1051ebb7ea6da4f77bd758d9b4d28316dadc4443f94cfbd15c3fb65819bd7606cd4e5d7fd106

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nso3628.tmp

MD5 017ec98c21d0e4d76e5e63b6e7498d21
SHA1 09ff8d82fe93a0e049108498026d3ef3a5c9f145
SHA256 d704d69d6eb11aa1babe16e1f1daae86ca17f013d45f0fff3785af01e58156c2
SHA512 5c82e650de5a3bf2e628f82c2b3d0852bff4938efd00f1a2b1499fcc20671d9fb9c66ba6f40bc4d606b7e46212c374ab4080d9f13aeb703de276854be1d91a96

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nso3629.tmp

MD5 c400c39e37dda874ea982a0fd6a985f1
SHA1 058be4a4f6d43139ad6ec99c38295cceabb79014
SHA256 f3e97d4a45b58d5cc36dafb6a0462c7fb9b5ec8c1b2d6acbb83377ee7c060108
SHA512 8a93f13979a3e141c6b4f201ef4dbed233a34fddef61e20eed1518dbcda2bb610ad6a0af2da8a2eeb8d9d0ee72a330fc5d233e558f767dd39d8518f58bae0b56

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nse363A.tmp

MD5 ef75da7b645f741fcfeb8e7bd88165ee
SHA1 fcb45e1f7eb00b566a6f884d023d855180a035f3
SHA256 7b207845180177ca6dc1042a266989af00a9467a5984def79a424ccf7cc26936
SHA512 a6d4ac9fde16972c633a135345f61764ff70b6e184dac9fbf1635389e1a2a0e56671dd57eac17694310f87abfcf98cb4af76c3dbb9af448f82fc4f9a00680b74

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nst364A.tmp

MD5 fa00c3e0ac79be8627cb363de78983a2
SHA1 e36f0edf1e31ddb2137ad4f6089e0d9e48ae46ca
SHA256 bc20f56a5c99fccc3f9ad44e17064e6d33404dbc0ef048962ff0a73f9000e8fb
SHA512 9e3e6d191e9345f5305081dab44794f8769d3863990c6d80b650cfa9c682ca2fb5d4638dc46df5fd252501ad17d18328683fab24142378802ccb93ec1cfc464e

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsj365B.tmp

MD5 b8b654acccd48a3ad88822c834ef0057
SHA1 5d9ab56f74481ba13a526065f01adab0f8c85f5d
SHA256 94cb5879079bcff5fabe9ab1d018bf4d98f8624e74cca0962403133dc3e54f34
SHA512 c207334c4253b3cb4c599a4ab7466f6f199553ce4c9d3cfb8cc7ebd91e417272f39dfcf3e29814be121d6b8340365462eabc19183bdbc014fd675f86752e6ff9

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nso367C.tmp

MD5 6012f6197edb2549a7afb75e901f6108
SHA1 822e6638e5b3597d76657c6850f59e1338a4c6d6
SHA256 eaa60e8386fb985148b9dc0798b635f2ac150ed89613ebe80530345393628a08
SHA512 39355861ce21aacd33ddfc5f1cdf98db5758600d91006a1c308c832101499fdbca1f44f285ca15581a04813ea09299b8990159dc3a4c5e52471d9f4f09a9a309

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js

MD5 2068393959a82260f7b94f9d18212a5c
SHA1 380a0d4f2443bbbe4bed3bab69401d6a669737de
SHA256 15b50f341b4bd4865edbaa7d1d60dac25e2a5b06e97eeaecf1216ab729ef9bea
SHA512 622ab64339e6cc15978ebdadd679def41af458ad4aa1f7d2b09af8eda3b8337339db341539b5cf6b8926d9315c1d88c35d8781b42a87231b35d0581736c768e0

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsj36AD.tmp

MD5 5549ecf9f03f5d719b943876c809cbdc
SHA1 ccd20274a7e114343417379baa3ebea1af8d039e
SHA256 86f8419c024e0eaf3d1c60151d6c924dfaed8b4ffb2cb9fcdcbfceeb35b8e1b0
SHA512 6df7469fc5e8c5855e9c93a484475298870cf3bf48ba4454d093935bf713fc2afe84d133225c933593ea39f9b414517d11fb38770741563349a74d49544d1db0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\user.js

MD5 541db3699a583338a58fa86fb288355e
SHA1 691bda11426f97c4d7e1f00007968720e3f7e7f0
SHA256 0a71f590608cc3a798cdae545c9dca70975f9b1e3454330d5cfcf8ee14f850a3
SHA512 012cc8142fc61a6201ea6dea81a3e77ced19bc741518e1825e10c1eb3b7a2a45396c03f189ccade2dd5745d6d4556bf5a85e8234766d720d79f94f1e4144465e

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsj36FE.tmp

MD5 2866898d98a0cdf749e8b4966d6eb3a9
SHA1 4af1b7140b4eb205a6b5d53781088f538b7a70f4
SHA256 17e294b767207b61e740d4f1a1e37df4947e8caa699ce5631bd9c170159d2afc
SHA512 b3cdaccd23d457bef62c3f27829c7e5e9747b6980085ad954ead65f8d2df4ec85b7a2c63ffbe40719ed5543222fd35b56953716ea11cbfca3c65e9de97e05cb2

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nst373E.tmp

MD5 ccaa1790a869dee75a35ac66883d5215
SHA1 87bb81bde280dd1df438c24b7ce7c4eb9845cd67
SHA256 e6e7cde12082176e212b2f9415276cf53bdd99b4de6af86c4f2d79dd48ee1236
SHA512 9c7723969b94da86477aecfbff5c92158eb2abe0b0a8c6d17c453f44887016c7a3861c48a72dd103272a1778d61d03c8de52c1e89c5c7af3555032286d8f1f6b

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsj374F.tmp

MD5 00a00b0cd13089141255490af736d76f
SHA1 34ef3bb8554efaa3ee274354eda3697c73de61a3
SHA256 5d688856b9ce5577c0069dc7eb7fc6b2974cf16af0fcf2e67f3aa2b47c5801eb
SHA512 9d433a5f6ac3df15736c493d355cb1e640f388b0812aadcfa9b6b88268affccd5fa2b00d01949e393c0071eab925e3071aa74d4360ff3ebc5b2d603564f91ed0

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nso376F.tmp

MD5 14fa0251ec818c101a54ad8bbc27f7c1
SHA1 8af954e7f7d726ddea247d72c49aee467c308634
SHA256 d1c6c480ca914c900e3ffb8a962de0d905b8fed6a9b571af42e279ef4db294c1
SHA512 36ffaf6a8dad10bbe2c0342a9edb23f10f5767cc660ffd530fd93e1b5cfe3be10f13de3dfc62aaa73a7cb6f876c28fb748038e2862c15305f4a2018a12b1564f

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nst378F.tmp

MD5 b2eb40fc655f4dd071cc1a49df667498
SHA1 6b9926e1d62a0fa032fc718336f5e92aa9129bef
SHA256 12f6dc0c62736b2585db47bf948004e30cb6ae83ffff747187120849a655bb7d
SHA512 5b2b9ae39a1bcc7d3668a15b1cdc6bc8a9158d3b2816d7efdddaa723f498450403a7cf80d5b7c9d3b558fb9f1c608cb0f6601833911f7bdef721fe1bda820c1e

C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsy37AF.tmp

MD5 b07697f18b3eb63f7c6d6c46070fe7b4
SHA1 0c6a8084dfecd21c9c1d51c885bb728c553000af
SHA256 7aabe9250d62375686275535ac9b763f83d2153bcedca74c36d3a967840ec0d8
SHA512 c45e527b8d1a59506f608ba6711444d60fc01a4ac101a0265b0aa6d2e386d3230594198e1c9175bf794d983fb818494c2d2e160a4237429d398ff2b38f0fb47b

memory/1720-4769-0x0000000060900000-0x0000000060970000-memory.dmp

memory/1896-4777-0x0000000002B80000-0x0000000002B92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso2F5B.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

C:\Users\Admin\AppData\Local\Temp\nso2F5B.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

memory/768-4803-0x00000000001D0000-0x00000000001D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\TBConfig.inf

MD5 e6d6dbe1e36a9ccc040369ab905e0d4a
SHA1 f7b40129e12f9f8ec3dae49d281ea1b8171642c5
SHA256 24d0d8de57d4bb9d88c6079d19b0efb51c18c8006ddb805fcc6cb7c302f94a12
SHA512 caa6c8ba543b92a49e41b736d560a3dd62651885f3c0c30ebb309e57bc77ec0dd1ccc20ebc6d4ff04d17083f112f3b6427356ff585ed40de6d08b51e6771dbea

memory/568-4807-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-4808-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-4809-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-4810-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-4811-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-4812-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-4813-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-4814-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/568-4815-0x0000000000400000-0x00000000006C2000-memory.dmp
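
The flattened Files listing above (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with memory-dump entries interleaved) is the part of this run most worth turning into hunt data. The Python below is an added example, not part of the sandbox report and not code from the sample: it parses that format, checks that each hash has the length its algorithm requires, and sorts the paths into the categories a triager cares about. The excerpt embedded in it is copied from the listing above; the category rules (NSIS's ns?XXXX.tmp and $PLUGINSDIR plugin directories, the Firefox profile, Program Files, the installer's own Temp staging) are this example's own heuristics. What it makes explicit is that most of the listing is installer staging that disappears with %TEMP%, while the Firefox profile user.js (which Firefox applies at every start, so a write there persists preference changes) and the Program Files (x86)\BabylonToolbar tree are the changes that outlive the install.

```python
"""Turn the sandbox's flattened "Files" listing into IOC records.

Added example, not part of the report. The excerpt is copied from the
listing above; the path categories are this example's own heuristics.
"""
import re

# Excerpt transcribed from the Files section above (some entries lack
# the drive letter, exactly as the sandbox reported them).
FILES_EXCERPT = r"""
\Users\Admin\AppData\Local\Temp\2BC231F3-BAB0-7891-9A71-A93B2EE36E7E\Setup.exe

MD5 3eff4d0a2dde24e5afe250ba50887f2c
SHA1 9adb9ea752959e6945d58068cbc55fa04662d8af
SHA256 3cf6717e6bad2e669f96dcd498e79981d2755fbb841e91533f73efa1ffae26cb
SHA512 f7c7fe13849a64e5281d94597d2d150d4db171a4070192e08192aee927e3a51786008fc24ef3de3b3ff3f4c5fe86d6b037602300f9c50b7fd9783c3a32cbb7c4

memory/568-2529-0x0000000000400000-0x00000000006C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso2F5B.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\user.js

MD5 dd3de92378955c57798eb433ca9756d0
SHA1 35c5b2970cdbb558114452c16980987537cb6a0a
SHA256 d704d056fa8ab53e52ecdfc17574755b3919eafb1ea37ab00d5fb6a8fabe9e3d
SHA512 05f0d8c81690a3e30f32a1b9e63f26574021d97cf4663060548de43b6dc53da33402b031b14a16dea17abe8c8468561bd55a91cf069b3b8341c17c6229d9c9d3

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\uninstall.exe

MD5 d5cafd1094c003ed8b5ee0769d40468b
SHA1 36accbcc1114475aae0195d193f9d0a0d978cf6c
SHA256 938703cd98e89398e129ccbea6ae0546d8aa5eb90bbaf96c2ecf18f88852941e
SHA512 0395cf4e48ef1f49793eac95cb25089c4a7c24546af65080d8feecdda7532a461a13596cad928550926a90ca971ed7a9bd1cfb651ee1d1d18133e01912228d7a
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMORY_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")
# NSIS extracts plugin DLLs to %TEMP%\ns?XXXX.tmp (one letter, four hex digits).
NSIS_PLUGIN_DIR = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\", re.I)


def classify_path(path):
    """Heuristic bucket for a dropped-file path (this example's own rules)."""
    p = path.lower()
    if NSIS_PLUGIN_DIR.search(path) or "\\$pluginsdir\\" in p:
        return "nsis-plugin-dir"
    if "\\mozilla\\firefox\\profiles\\" in p:
        return "browser-profile"
    if "\\program files" in p:  # also matches "Program Files (x86)"
        return "program-files"
    if "\\appdata\\local\\temp\\" in p:
        return "temp-staging"
    return "other"


def parse_files(text):
    """Parse the listing: a path line, then hash lines; memory lines stand alone."""
    files, memory, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_LINE.match(line)
        if m:
            memory.append({"pid": int(m.group(1)), "index": int(m.group(2)),
                           "start": int(m.group(3), 16), "end": int(m.group(4), 16)})
            current = None
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line, "hashes": {}, "category": classify_path(line)}
        files.append(current)
    return {"files": files, "memory": memory}


def hash_problems(record):
    """Hashes that are missing or whose length does not fit the algorithm."""
    problems = []
    for algo, length in HASH_LEN.items():
        value = record["hashes"].get(algo)
        if value is None:
            problems.append(f"{algo} missing")
        elif len(value) != length:
            problems.append(f"{algo} has {len(value)} hex digits, expected {length}")
    return problems


def persistent_writes(parsed):
    """Paths outside the installer's Temp staging: what survives a %TEMP% cleanup."""
    return [r["path"] for r in parsed["files"]
            if r["category"] in ("browser-profile", "program-files", "other")]


def sha256_set(parsed):
    """Sorted, de-duplicated SHA256 values for a blocklist or retro-hunt."""
    return sorted({r["hashes"]["SHA256"] for r in parsed["files"] if "SHA256" in r["hashes"]})


if __name__ == "__main__":
    parsed = parse_files(FILES_EXCERPT)
    for rec in parsed["files"]:
        print(rec["category"], rec["path"], hash_problems(rec) or "ok")
    print("persistent:", persistent_writes(parsed))
    print("sha256:", sha256_set(parsed))
```

Feeding the full listing above to parse_files gives the SHA256 set for a blocklist and the paths to hunt for. Note that the same user.js path appears several times in the full listing with different hashes, because the installer rewrote it, so key indicators on (path, SHA256) rather than on the path alone.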

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:15

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 3620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 3620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 3620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3620 -ip 3620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:17

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcr90.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 4272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 4272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 4272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcr90.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcr90.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A
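
Behavioral8 and behavioral18 show the same three-row pattern: the 64-bit C:\Windows\system32\rundll32.exe "wrote to memory of" the C:\Windows\SysWOW64\rundll32.exe child that carries the identical command line. That is the WoW64 re-host: a 64-bit rundll32 asked to load a 32-bit DLL starts the 32-bit rundll32 with the same arguments, and the writes are part of creating that child, not injection into an unrelated process. The crash in behavioral8 (WerFault -u -p 3620) is consistent with calling an export of an NSIS plugin ($PLUGINSDIR\System.dll,#1) directly, outside the installer that normally supplies its arguments. The "System Language Discovery" row (NLS\Language opened) is a locale read that locale-aware code performs routinely and carries little weight on its own. Every Network row in both runs is a PTR lookup (in-addr.arpa) to 8.8.8.8:53; no forward lookup or non-DNS connection appears, so nothing in these two runs shows the rundll32-hosted DLL reaching out. The Python below is an added example, not the sandbox's own logic, that reads these rows in the form the report prints them and applies those checks. Rows are transcribed from behavioral8 except the explorer.exe row, which is constructed to show the negative case; the verdict names are this example's own.

```python
"""Triage the WriteProcessMemory, crash and DNS rows of a rundll32 detonation.

Added example; not the sandbox's logic. Rows are transcribed from the
behavioral8 report above except where marked as constructed.
"""
import re
from collections import Counter

# Transcribed from behavioral8 "Suspicious use of WriteProcessMemory".
WPM_ROWS = [
    r"PID 1700 wrote to memory of 3620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
] * 3
# Constructed negative case: a write into an unrelated image.
WPM_SUSPICIOUS = r"PID 1700 wrote to memory of 999 N/A C:\Windows\system32\rundll32.exe C:\Windows\explorer.exe"

# Transcribed from behavioral8 "Processes": (image, command line).
PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3620 -ip 3620"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 612"),
]

# Transcribed from behavioral8 "Network" (first four rows).
NETWORK_ROWS = [
    "US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp",
    "US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp",
    "US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
NET_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+)$")
WERFAULT_PID = re.compile(r"(?:^|\s)-p (\d+)(?:\s|$)")


def cmdline_of(image, processes):
    """First recorded command line for an image path (None if not listed)."""
    for img, cmd in processes:
        if img.lower() == image.lower():
            return cmd
    return None


def classify_wpm(row, processes):
    """wow64-rehost: 64-bit rundll32 writing into the 32-bit rundll32 it started
    with the same command line (ordinary process creation).
    self-spawn: same binary name otherwise.  cross-process-write: anything else."""
    m = WPM_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    _src_pid, _dst_pid, _indicator, src, dst = m.groups()
    src_l, dst_l = src.lower(), dst.lower()
    same_cmd = cmdline_of(src, processes) == cmdline_of(dst, processes)
    if (src_l.endswith(r"\system32\rundll32.exe")
            and dst_l.endswith(r"\syswow64\rundll32.exe") and same_cmd):
        return "wow64-rehost"
    if src_l.rsplit("\\", 1)[-1] == dst_l.rsplit("\\", 1)[-1]:
        return "self-spawn"
    return "cross-process-write"


def crashed_pids(processes):
    """PIDs WerFault was started for; a crash shows up twice (-pss helper, -u dump)."""
    pids = []
    for img, cmd in processes:
        if img.lower().endswith(r"\werfault.exe"):
            m = WERFAULT_PID.search(cmd)
            if m and int(m.group(1)) not in pids:
                pids.append(int(m.group(1)))
    return pids


def plugin_detonation(cmdline):
    """True when rundll32 calls an export of a DLL in NSIS's $PLUGINSDIR directly,
    i.e. without the installer that supplies the plugin's arguments."""
    c = cmdline.lower()
    return c.startswith("rundll32") and "$pluginsdir\\" in c


def ptr_to_ip(name):
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28'."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def classify_dns(rows):
    """Count rows: ptr (reverse lookup), forward (a name the sample wanted
    resolved), non-dns (anything not on port 53)."""
    kinds = Counter()
    for row in rows:
        m = NET_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        _country, _dst, port, name, _proto = m.groups()
        if port != "53":
            kinds["non-dns"] += 1
        elif name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa"):
            kinds["ptr"] += 1
        else:
            kinds["forward"] += 1
    return dict(kinds)


def triage_run(wpm_rows, processes, network_rows):
    """One verdict dict per run, convenient for diffing runs against each other."""
    dns = classify_dns(network_rows)
    crashed = crashed_pids(processes)
    return {
        "wpm": dict(Counter(classify_wpm(r, processes) for r in wpm_rows)),
        "crashed_pids": crashed,
        "crash_consistent_with_plugin_detonation":
            bool(crashed) and any(plugin_detonation(cmd) for _img, cmd in processes),
        "dns": dns,
        "sample_reached_out": bool(dns.get("forward") or dns.get("non-dns")),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_run(WPM_ROWS, PROCESSES, NETWORK_ROWS), indent=2))
```

The rows for behavioral18 (PID 2428 into 4272, msvcr90.dll,#1, no WerFault) produce the same wow64-rehost verdict with an empty crashed_pids list. Anything that comes back as cross-process-write, a forward DNS name, or a non-53 destination is the row to spend time on.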

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:14

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6327c5a3030d6c2fddf0bcdef01daf65.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsc98F6.tmp\tools.dll

MD5 e12f05661436f2974cf91b5fc76fb5f4
SHA1 5e0b7887950204713bef3da0018911279f2540ec
SHA256 1873de723938193f9f0877b08c160884b79503b6607598158ad99bd909189fdc
SHA512 61d42e055865dd98552b29dd69dc3d761bc7f77c1af108ad13b0b390059be5668657645258c0c08052a5fe1e9f6bdb018da136eb103b7335097487ec0de5d22d

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 224

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240903-en

Max time kernel

121s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\tools.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\tools.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\tools.dll,#1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 500

Network

N/A

Files

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20241023-en

Max time kernel

118s

Max time network

131s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\layout.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000006a3a3bd6d67bed45030260927f486b1b8c8375c5c36cc8d0de12981d190db551000000000e800000000200002000000030de80a669c1a05f8df8cff20ac288944525352fce4ffa5b7f2cb65ea9bfebe82000000089e611ca91f5c53369501ab07fd8409ec3ede00695d50e73749f906d141edaf2400000008bfe93013d2a9903619458120a5edec9397b067ede5925696d21d98f2e4286c3a585f2161627548aa1814db27f22aef89ce17bda8a6ae5a52790e57815e92462 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443140769" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b32a109a67db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B8295F1-D38D-11EF-8F09-6AE97CBD91D4} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\layout.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabDD48.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDE06.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral17

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240903-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcr90.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcr90.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\msvcr90.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:17

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\tools.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\tools.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\tools.dll,#1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1004

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp

Files

Analysis: behavioral27

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240729-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\updater.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\updater.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\updater.exe

"C:\Users\Admin\AppData\Local\Temp\updater.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 loadiload.in udp

Files

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:15

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 532 wrote to memory of 4528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 532 wrote to memory of 4528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 532 wrote to memory of 4528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4528 -ip 4528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:16

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe" Files\Common Files

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3FF06B~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com

Network

Files

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Setup.exe

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\bab033.tbinst.dat

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\bab091.norecovericon.dat

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\SetupStrings.dat

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\Babylon.dat

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\IECookieLow.dll

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\BExternal.dll

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\blueStar.png

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\eula.html

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\globe.png

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\options.js

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\page0.html

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\page2.css

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\page2.html

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\page3.css

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\page2Lrg.css

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\page3.html

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\page3Lrg.css

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\pBar.gif

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\progress.png

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\setup.js

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\title.png

C:\Users\Admin\AppData\Local\Temp\3FF06B0B-BAB0-7891-9208-68AD6B64F5D0\HtmlScreens\toolBar.jpg

memory/5092-100-0x0000000060900000-0x0000000060970000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted 2025-01-15 22:08
Reported 2025-01-15 22:16
Platform win10v2004-20241007-en
Max time kernel 148s
Max time network 152s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\layout.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 4460 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2684 wrote to memory of 548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2684 wrote to memory of 3012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2684 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\layout.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd317946f8,0x7ffd31794708,0x7ffd31794718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,15627411173102801432,5323950778897965160,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2700 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2684_JMLBYZQHLQNSACAH

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\14b09114-6819-44f8-a056-981ef3be4a3d.tmp

Analysis: behavioral21

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\updater.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\updater.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\updater.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\updater.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 loadiload.in udp

Files

memory/2936-0-0x0000000074B41000-0x0000000074B42000-memory.dmp

memory/2936-1-0x0000000074B40000-0x00000000750EB000-memory.dmp

memory/2936-2-0x0000000074B40000-0x00000000750EB000-memory.dmp

memory/2936-4-0x0000000074B40000-0x00000000750EB000-memory.dmp

memory/2936-5-0x0000000074B40000-0x00000000750EB000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:17

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\updater.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\updater.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\updater.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\updater.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 loadiload.in udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp

Files

memory/1528-0-0x0000000074EB2000-0x0000000074EB3000-memory.dmp

memory/1528-1-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/1528-2-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/1528-4-0x0000000074EB2000-0x0000000074EB3000-memory.dmp

memory/1528-5-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/1528-6-0x0000000074EB0000-0x0000000075461000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:17

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileHunter.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FileHunter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileHunter.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileHunter.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FileHunter.exe

"C:\Users\Admin\AppData\Local\Temp\FileHunter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4460-0-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-1-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/4460-2-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-4-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/4460-3-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-5-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-6-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-7-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-8-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-9-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-10-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-11-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-12-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-13-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-14-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-15-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-16-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/4460-17-0x0000000000400000-0x00000000006C2000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-15 22:08

Reported

2025-01-15 22:10

Platform

win7-20241010-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 228

Network

N/A

Files

N/A