babylonrat | 66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}"	regsvr32.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	zzzz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3416-0-0x0000000000F80000-0x0000000001073000-memory.dmp	upx
behavioral1/files/0x000b00000002815e-1.dat	upx
behavioral1/memory/3416-2-0x0000000000F80000-0x0000000001073000-memory.dmp	upx
behavioral1/memory/5992-3-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1248-5-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/5992-6-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/5992-7-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1248-9-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/5992-10-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2352-37-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2448-41-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1144-40-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2448-43-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2448-44-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/4452-46-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2448-47-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/5880-53-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/5900-55-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/5880-57-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/5880-58-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3740-60-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3148-115-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3148-126-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2012-128-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3148-283-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3148-689-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3148-695-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3148-703-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3148-706-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1232-713-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2864-715-0x0000000000350000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1232-714-0x0000000000350000-0x0000000000443000-memory.dmp	upx

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-36LQH.tmp	unlocker-setup.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Unlocker\unins000.dat	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\is-0KP6G.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\help\img\is-PE66A.tmp	unlocker-setup.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Unlocker\update.ini	IObitUnlocker.exe
File created	C:\Program Files (x86)\IObit\IObit Unlocker\is-6SI4J.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-LU5A4.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\help\img\is-2LDC2.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\unins000.dat	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-PH4MD.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-IAE9G.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-NJB46.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-V9NAM.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\help\is-ES1N2.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\help\img\is-9RFGO.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\is-K7JPE.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-90SJP.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-L47Q9.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-NKM56.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-71DHF.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-OJ672.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-T1MUK.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-MRC0I.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-OI9GI.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\is-2FV30.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\unins000.msg	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.log	IObitUnlocker.exe
File opened for modification	C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.dll	unlocker-setup.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlockerExtension.dll	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-PONIR.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-TBFAD.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\help\img\is-C34FC.tmp	unlocker-setup.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.log	IObitUnlocker.exe
File created	C:\Program Files (x86)\IObit\IObit Unlocker\is-EQMPF.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-U9AOC.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\help\img\is-I44VQ.tmp	unlocker-setup.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\is-MUBII.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\is-CF7PD.tmp	unlocker-setup.tmp
File created	C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-0DNGU.tmp	unlocker-setup.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unlocker-setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unlocker-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

defense_evasion spyware trojan

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\0\win64\ = "C:\\Program Files (x86)\\IObit\\IObit Unlocker\\IObitUnlockerExtension.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59A55EF0-525F-4276-AB62-8F7E5F230399}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PfShellExtension.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Unlocker\\IObitUnlockerExtension.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnLockerMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\ = "PfShellExtension 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PfShellExtension.DLL\AppID = "{59A55EF0-525F-4276-AB62-8F7E5F230399}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\ = "UnLockerMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\UnLockerMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59A55EF0-525F-4276-AB62-8F7E5F230399}\ = "PfShellExtension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\UnLockerMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\IObit\\IObit Unlocker"	regsvr32.exe

Modifies system certificate store 2 TTPs 12 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	IObitUnlocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	IObitUnlocker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8	IObitUnlocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 040000000100000010000000ebf59d290d61f9421f7cc2ba6de315090f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d980b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d0049002900000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030162000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba7968799140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d1d00000001000000100000003475b6ae07580528b505a98d7f0fe1f47e000000010000000800000000409120d035d90103000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e81900000001000000100000004fca18b530ab2d3765b8830436884be620000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	IObitUnlocker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	IObitUnlocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	IObitUnlocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 5c0000000100000004000000000800001900000001000000100000004fca18b530ab2d3765b8830436884be603000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e87e000000010000000800000000409120d035d9011d00000001000000100000003475b6ae07580528b505a98d7f0fe1f4140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d62000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba79687997f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030153000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d004900290000000f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d98040000000100000010000000ebf59d290d61f9421f7cc2ba6de3150920000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	IObitUnlocker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	IObitUnlocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	IObitUnlocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	IObitUnlocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	IObitUnlocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	IObitUnlocker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5992	client.exe
3148	client.exe
4904	taskmgr.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3416	zzzz.exe
Token: SeDebugPrivilege	3416	zzzz.exe
Token: SeTcbPrivilege	3416	zzzz.exe
Token: SeShutdownPrivilege	5992	client.exe
Token: SeDebugPrivilege	5992	client.exe
Token: SeTcbPrivilege	5992	client.exe
Token: SeShutdownPrivilege	1248	client.exe
Token: SeDebugPrivilege	1248	client.exe
Token: SeTcbPrivilege	1248	client.exe
Token: SeDebugPrivilege	4904	taskmgr.exe
Token: SeSystemProfilePrivilege	4904	taskmgr.exe
Token: SeCreateGlobalPrivilege	4904	taskmgr.exe
Token: SeShutdownPrivilege	2352	client.exe
Token: SeDebugPrivilege	2352	client.exe
Token: SeTcbPrivilege	2352	client.exe
Token: SeShutdownPrivilege	1144	client.exe
Token: SeDebugPrivilege	1144	client.exe
Token: SeTcbPrivilege	1144	client.exe
Token: SeShutdownPrivilege	2448	client.exe
Token: SeDebugPrivilege	2448	client.exe
Token: SeTcbPrivilege	2448	client.exe
Token: SeShutdownPrivilege	4452	client.exe
Token: SeDebugPrivilege	4452	client.exe
Token: SeTcbPrivilege	4452	client.exe
Token: SeShutdownPrivilege	5880	client.exe
Token: SeDebugPrivilege	5880	client.exe
Token: SeTcbPrivilege	5880	client.exe
Token: SeShutdownPrivilege	5900	client.exe
Token: SeDebugPrivilege	5900	client.exe
Token: SeTcbPrivilege	5900	client.exe
Token: SeShutdownPrivilege	3740	client.exe
Token: SeDebugPrivilege	3740	client.exe
Token: SeTcbPrivilege	3740	client.exe
Token: SeShutdownPrivilege	3148	client.exe
Token: SeDebugPrivilege	3148	client.exe
Token: SeTcbPrivilege	3148	client.exe
Token: SeShutdownPrivilege	2012	client.exe
Token: SeDebugPrivilege	2012	client.exe
Token: SeTcbPrivilege	2012	client.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5992	client.exe
2352	client.exe
2448	client.exe
5880	client.exe
3148	client.exe
1232	client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 5992	3416	zzzz.exe	80
PID 3416 wrote to memory of 5992	3416	zzzz.exe	80
PID 3416 wrote to memory of 5992	3416	zzzz.exe	80
PID 5992 wrote to memory of 1248	5992	client.exe	81
PID 5992 wrote to memory of 1248	5992	client.exe	81
PID 5992 wrote to memory of 1248	5992	client.exe	81
PID 1248 wrote to memory of 2352	1248	client.exe	88
PID 1248 wrote to memory of 2352	1248	client.exe	88
PID 1248 wrote to memory of 2352	1248	client.exe	88
PID 2352 wrote to memory of 1144	2352	client.exe	89
PID 2352 wrote to memory of 1144	2352	client.exe	89
PID 2352 wrote to memory of 1144	2352	client.exe	89
PID 1144 wrote to memory of 2448	1144	client.exe	90
PID 1144 wrote to memory of 2448	1144	client.exe	90
PID 1144 wrote to memory of 2448	1144	client.exe	90
PID 2448 wrote to memory of 4452	2448	client.exe	91
PID 2448 wrote to memory of 4452	2448	client.exe	91
PID 2448 wrote to memory of 4452	2448	client.exe	91
PID 4452 wrote to memory of 5880	4452	client.exe	94
PID 4452 wrote to memory of 5880	4452	client.exe	94
PID 4452 wrote to memory of 5880	4452	client.exe	94
PID 5880 wrote to memory of 5900	5880	client.exe	95
PID 5880 wrote to memory of 5900	5880	client.exe	95
PID 5880 wrote to memory of 5900	5880	client.exe	95
PID 5880 wrote to memory of 3740	5880	client.exe	97
PID 5880 wrote to memory of 3740	5880	client.exe	97
PID 5880 wrote to memory of 3740	5880	client.exe	97
PID 3740 wrote to memory of 3148	3740	client.exe	99
PID 3740 wrote to memory of 3148	3740	client.exe	99
PID 3740 wrote to memory of 3148	3740	client.exe	99
PID 3148 wrote to memory of 2012	3148	client.exe	100
PID 3148 wrote to memory of 2012	3148	client.exe	100
PID 3148 wrote to memory of 2012	3148	client.exe	100
PID 2040 wrote to memory of 4652	2040	chrome.exe	104
PID 2040 wrote to memory of 4652	2040	chrome.exe	104
PID 2040 wrote to memory of 2876	2040	chrome.exe	106
PID 2040 wrote to memory of 2876	2040	chrome.exe	106
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107
PID 2040 wrote to memory of 5448	2040	chrome.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\zzzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416
- C:\ProgramData\Babylon RAT\client.exe
  "C:\ProgramData\Babylon RAT\client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5992
- - C:\ProgramData\Babylon RAT\client.exe
    "C:\ProgramData\Babylon RAT\client.exe" 5992
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\ProgramData\Babylon RAT\client.exe
      "C:\ProgramData\Babylon RAT\client.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\ProgramData\Babylon RAT\client.exe
        
        "C:\ProgramData\Babylon RAT\client.exe" 2352
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\ProgramData\Babylon RAT\client.exe
        
        "C:\ProgramData\Babylon RAT\client.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\ProgramData\Babylon RAT\client.exe
        
        "C:\ProgramData\Babylon RAT\client.exe" 2448
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\ProgramData\Babylon RAT\client.exe
        
        "C:\ProgramData\Babylon RAT\client.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5880
        
        C:\ProgramData\Babylon RAT\client.exe
        
        "C:\ProgramData\Babylon RAT\client.exe" 5880
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
        
        C:\ProgramData\Babylon RAT\client.exe
        
        "C:\ProgramData\Babylon RAT\client.exe" 5880
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\ProgramData\Babylon RAT\client.exe
        
        "C:\ProgramData\Babylon RAT\client.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\ProgramData\Babylon RAT\client.exe
        
        "C:\ProgramData\Babylon RAT\client.exe" 3148
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\ProgramData\Babylon RAT\client.exe
        
        "C:\ProgramData\Babylon RAT\client.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\ProgramData\Babylon RAT\client.exe
        
        "C:\ProgramData\Babylon RAT\client.exe" 1232
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UseComplete.vbs"
1⤵
PID:4932

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7fff4cb5dcf8,0x7fff4cb5dd04,0x7fff4cb5dd10
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2056,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:5324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1632,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4312,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4320 /prefetch:2
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4756,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5368,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5572,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5808,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5460,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6076,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  PID:1800
- C:\Users\Admin\Downloads\unlocker-setup.exe
  "C:\Users\Admin\Downloads\unlocker-setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp" /SL5="$40444,1689069,139776,C:\Users\Admin\Downloads\unlocker-setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4592
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlockerExtension.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5288
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlockerExtension.dll"
        5⤵
        Loads dropped DLL
        Modifies system executable filetype association
        Modifies registry class
        
        PID:2556
  - - C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe
      "C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:5576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=508,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6080,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6108,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:4724

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery