Malware Analysis Report

2025-04-03 09:09

Sample ID 250315-kz39rsy1fx
Target zzzz.exe
SHA256 66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a
Tags
babylonrat discovery persistence privilege_escalation trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a

Threat Level: Known bad

The file zzzz.exe was found to be: Known bad.

Reading the signature list: the RAT itself is the dropped C:\ProgramData\Babylon RAT\client.exe together with the RunOnce value that starts it. Many of the other hits are raised by other processes that ran during detonation, and the Process column of each table below says which: the Program Files drops come from an IObit Unlocker installer (unlocker-setup.exe / unlocker-setup.tmp) and the IObitUnlocker.exe it installs, the COM, context-menu and "filetype association" registry writes come from regsvr32.exe registering that tool's shell extension, the AuthRoot certificate writes come from IObitUnlocker.exe, the process enumeration comes from taskmgr.exe, and the processor, BIOS and TPM telemetry registry reads come from chrome.exe.

Malicious Activity Summary

babylonrat discovery persistence privilege_escalation trojan upx

Babylonrat family

Babylon RAT

Modifies system executable filetype association

Loads dropped DLL

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy WMI provider

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-15 09:03

Signatures

Babylonrat family

babylonrat

UPX packed file

upx
1 hit with no indicator details recorded

Unsigned PE

2 hits with no indicator details recorded

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-15 09:03

Reported

2025-03-15 09:06

Platform

win10ltsc2021-20250314-en

Max time kernel

202s

Max time network

188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"

Signatures

Babylon RAT

trojan babylonrat

Babylonrat family

babylonrat

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}" C:\Windows\system32\regsvr32.exe N/A
Note: both signatures fire on regsvr32.exe registering the UnLockerMenu context-menu handler for .lnk files. The CLSID's InprocServer32 resolves to C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlockerExtension.dll (see Modifies registry class), so this is the bundled IObit Unlocker shell extension, not a hijack of an existing COM object and not the RAT's persistence. The RAT's persistence is the RunOnce value in the next section.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" C:\Users\Admin\AppData\Local\Temp\zzzz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" C:\ProgramData\Babylon RAT\client.exe N/A (13 identical events)
Note: the value is written to RunOnce, not Run. Windows deletes a RunOnce value before executing it at the next logon, so a single write would survive only one reboot; the dropped client rewriting the same value 13 times during the 202 s run is consistent with a loop that keeps re-arming it. On a live host, check the user's HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce and Run keys for a "Babylon RAT" value and look for C:\ProgramData\Babylon RAT\client.exe on disk.

Checks installed software on the system

discovery

UPX packed file

upx
32 hits with no indicator details recorded

Drops file in Program Files directory

Note: every row below is written either by C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp, the temporary executable that an Inno Setup-style installer extracts from C:\Users\Admin\Downloads\unlocker-setup.exe (the is-XXXXX.tmp and unins000.* names are that installer's convention), or by the installed IObitUnlocker.exe. This is consistent with the sample carrying a legitimate IObit Unlocker installer as a decoy alongside the RAT client dropped to C:\ProgramData\Babylon RAT\client.exe.
Description Indicator Process Target
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-36LQH.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File opened for modification C:\Program Files (x86)\IObit\IObit Unlocker\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\is-0KP6G.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\help\img\is-PE66A.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File opened for modification C:\Program Files (x86)\IObit\IObit Unlocker\update.ini C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\is-6SI4J.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-LU5A4.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\help\img\is-2LDC2.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-PH4MD.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-IAE9G.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-NJB46.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-V9NAM.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\help\is-ES1N2.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\help\img\is-9RFGO.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\is-K7JPE.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-90SJP.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-L47Q9.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-NKM56.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-71DHF.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-OJ672.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-T1MUK.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-MRC0I.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-OI9GI.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\is-2FV30.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.log C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
File opened for modification C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.dll C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File opened for modification C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlockerExtension.dll C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-PONIR.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-TBFAD.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\help\img\is-C34FC.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File opened for modification C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.log C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\is-EQMPF.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-U9AOC.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\help\img\is-I44VQ.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File opened for modification C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\is-MUBII.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\is-CF7PD.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
File created C:\Program Files (x86)\IObit\IObit Unlocker\Language\is-0DNGU.tmp C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Note: this row, and the processor, BIOS and TPM telemetry registry rows further down, are chrome.exe's own start-up activity. The report's process tree, not reproduced here, is needed to tell whether the sample launched the browser.

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zzzz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\unlocker-setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Babylon RAT\client.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\0\win64\ = "C:\\Program Files (x86)\\IObit\\IObit Unlocker\\IObitUnlockerExtension.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59A55EF0-525F-4276-AB62-8F7E5F230399} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PfShellExtension.DLL C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Unlocker\\IObitUnlockerExtension.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnLockerMenu C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\ = "PfShellExtension 1.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PfShellExtension.DLL\AppID = "{59A55EF0-525F-4276-AB62-8F7E5F230399}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\ = "UnLockerMenu Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\UnLockerMenu C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59A55EF0-525F-4276-AB62-8F7E5F230399}\ = "PfShellExtension" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\UnLockerMenu C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\IObit\\IObit Unlocker" C:\Windows\system32\regsvr32.exe N/A
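Pulling the persistence facts out of the two registry tables above (the RunOnce writes under "Adds Run key to start application" and the regsvr32 CLSID and context-menu rows under "Modifies registry class") by hand is error-prone, so here is an added Python triage helper. It is not part of the sandbox report or of any vendor tooling. It parses the report's flattened row format (assumed grammar: operation, registry key, optional = "value", writing process path ending in .exe, trailing N/A), counts which process writes each Run/RunOnce value and flags targets outside Program Files and Windows, and maps each registered CLSID to its InprocServer32 DLL and the shell hooks that reference it. The sample rows are copied from this page; the 13-fold repeat of the client.exe row reproduces the report's event count.

```python
r"""Triage helper for flattened sandbox registry rows (added example, not vendor code).

Row grammar assumed from the tables on this page:
    <op> <registry key>[ = "<value>"] <writing process ...\name.exe> N/A
Quoted values have their backslashes doubled by the renderer; parse_row undoes that.
"""
import re
from collections import Counter, defaultdict
from typing import Optional

ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key value queried|Set value \((?:str|data)\))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<value>[^"]*)")?'
    r'\s+(?P<process>[A-Za-z]:\\.+?\.exe)\s+(?P<target>\S+)$'
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
AUTOSTART_MARK = r"\microsoft\windows\currentversion\run"   # matches both Run and RunOnce
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")      # C:\ProgramData is deliberately absent

# Sample rows copied from the report tables above (constructed input for this example).
ROW_RUNONCE_DROPPER = r'Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" C:\Users\Admin\AppData\Local\Temp\zzzz.exe N/A'
ROW_RUNONCE_CLIENT = r'Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" C:\ProgramData\Babylon RAT\client.exe N/A'
COM_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3} C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Unlocker\\IObitUnlockerExtension.dll" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}" C:\Windows\system32\regsvr32.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A',
]
SAMPLE_ROWS = [ROW_RUNONCE_DROPPER] + [ROW_RUNONCE_CLIENT] * 13 + COM_ROWS


def parse_row(line: str) -> Optional[dict]:
    """Return op/key/value/process/target for one row, or None if it is not a registry row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    if row["value"] is not None:
        row["value"] = row["value"].replace("\\\\", "\\")   # undo the renderer's doubled backslashes
    return row


def autostart_summary(lines):
    """Group Run/RunOnce value writes by (value name, target) and count the writing processes."""
    entries = {}
    for line in lines:
        row = parse_row(line)
        if not row or not row["op"].startswith("Set value") or AUTOSTART_MARK not in row["key"].lower():
            continue
        name = row["key"].rsplit("\\", 1)[1]          # value name is the last key component
        target = row["value"] or ""
        entry = entries.setdefault((name, target), {"writers": Counter(), "outside_trusted_dirs": False})
        entry["writers"][row["process"]] += 1
        entry["outside_trusted_dirs"] = not target.lower().startswith(TRUSTED_PREFIXES)
    return entries


def com_registrations(lines):
    """Map each CLSID to its InprocServer32 DLL, the registering process and the shell hooks that use it."""
    regs = defaultdict(lambda: {"inproc": None, "writer": None, "hooks": set()})
    for line in lines:
        row = parse_row(line)
        if not row or not row["op"].startswith("Set value"):
            continue
        key_l = row["key"].lower().rstrip("\\")
        if "\\clsid\\" in key_l and key_l.endswith("\\inprocserver32"):
            clsid = CLSID_RE.search(row["key"]).group(0).upper()
            regs[clsid]["inproc"] = row["value"]
            regs[clsid]["writer"] = row["process"]
        elif row["value"] and CLSID_RE.fullmatch(row["value"]) and "\\shellex\\" in key_l:
            regs[row["value"].upper()]["hooks"].add(row["key"])
    return dict(regs)


def triage(lines=SAMPLE_ROWS):
    """Assertable summary: autostart entries with their writers, and registered COM servers."""
    return {
        "autostart": {
            f"{name} -> {target}": {"writers": dict(e["writers"]), "outside_trusted_dirs": e["outside_trusted_dirs"]}
            for (name, target), e in autostart_summary(lines).items()
        },
        "com": {
            clsid: {"inproc": e["inproc"], "writer": e["writer"], "hooks": sorted(e["hooks"])}
            for clsid, e in com_registrations(lines).items()
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On this page's rows the helper reports one autostart entry, "Babylon RAT" pointing at C:\ProgramData\Babylon RAT\client.exe, written once by the dropper and 13 times by the dropped client and flagged because ProgramData is not a trusted install location, and one COM server, {410BF280-86EF-4E0F-8279-EC5848546AD3}, whose DLL lives under Program Files (x86)\IObit and is hooked into four context-menu locations by regsvr32.exe. Whether that DLL is legitimate still has to be checked on disk (publisher signature, hash), which a registry log alone cannot tell you.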

Modifies system certificate store

defense_evasion spyware trojan
Note: every write below goes to AuthRoot\Certificates and is made by the installed IObitUnlocker.exe, not by the RAT client. AuthRoot is the store that the Windows automatic root certificate update fills when a process validates a chain whose root is not yet cached locally (for example during a signature or update check), and the two Blob values reproduced in full decode to public roots: 28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8 carries the friendly name "Agencia Catalana de Certificacio (NIF Q-0801176-I)" (EC-ACC) and 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 is "VeriSign Class 3 Public Primary Certification Authority - G5", both readable in the hex. Treat the signature as a probable side effect of the bundled installer rather than a rogue root added by the RAT, and confirm by extracting the DER certificate from each Blob, checking that SHA-1(DER) equals the key name, and checking that thumbprint against the Microsoft Trusted Root Program list.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (blob not preserved in this copy of the report) C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8 C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = (blob not preserved in this copy of the report) C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (blob not preserved in this copy of the report) C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 5c0000000100000004000000000800001900000001000000100000004fca18b530ab2d3765b8830436884be603000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e87e000000010000000800000000409120d035d9011d00000001000000100000003475b6ae07580528b505a98d7f0fe1f4140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d62000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba79687997f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030153000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d004900290000000f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d98040000000100000010000000ebf59d290d61f9421f7cc2ba6de3150920000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442 C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (blob not preserved in this copy of the report) C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob not preserved in this copy of the report) C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob not preserved in this copy of the report) C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (53 identical events)
Note: every hit is Task Manager enumerating processes, which is its normal function, so this signature does not show the sample itself enumerating processes. The report's process tree, not reproduced here, is needed to tell whether taskmgr.exe was started by the sample or by the sandbox automation.
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\Babylon RAT\client.exe N/A
N/A N/A C:\ProgramData\Babylon RAT\client.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zzzz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zzzz.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zzzz.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Babylon RAT\client.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3416 wrote to memory of 5992 N/A C:\Users\Admin\AppData\Local\Temp\zzzz.exe C:\ProgramData\Babylon RAT\client.exe
PID 3416 wrote to memory of 5992 N/A C:\Users\Admin\AppData\Local\Temp\zzzz.exe C:\ProgramData\Babylon RAT\client.exe
PID 3416 wrote to memory of 5992 N/A C:\Users\Admin\AppData\Local\Temp\zzzz.exe C:\ProgramData\Babylon RAT\client.exe
PID 5992 wrote to memory of 1248 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 5992 wrote to memory of 1248 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 5992 wrote to memory of 1248 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 1248 wrote to memory of 2352 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 1248 wrote to memory of 2352 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 1248 wrote to memory of 2352 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 2352 wrote to memory of 1144 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 2352 wrote to memory of 1144 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 2352 wrote to memory of 1144 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 1144 wrote to memory of 2448 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 1144 wrote to memory of 2448 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 1144 wrote to memory of 2448 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 2448 wrote to memory of 4452 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 2448 wrote to memory of 4452 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 2448 wrote to memory of 4452 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 4452 wrote to memory of 5880 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 4452 wrote to memory of 5880 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 4452 wrote to memory of 5880 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 5880 wrote to memory of 5900 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 5880 wrote to memory of 5900 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 5880 wrote to memory of 5900 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 5880 wrote to memory of 3740 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 5880 wrote to memory of 3740 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 5880 wrote to memory of 3740 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 3740 wrote to memory of 3148 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 3740 wrote to memory of 3148 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 3740 wrote to memory of 3148 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 3148 wrote to memory of 2012 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 3148 wrote to memory of 2012 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 3148 wrote to memory of 2012 N/A C:\ProgramData\Babylon RAT\client.exe C:\ProgramData\Babylon RAT\client.exe
PID 2040 wrote to memory of 4652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 4652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 2876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 2876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2040 wrote to memory of 5448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\zzzz.exe

"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe"

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe" 5992

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UseComplete.vbs"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe"

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe" 2352

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe"

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe" 2448

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe"

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe" 5880

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe" 5880

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe"

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe" 3148

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7fff4cb5dcf8,0x7fff4cb5dd04,0x7fff4cb5dd10

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2056,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2052 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1632,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2512 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3140 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3176 /prefetch:1

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4312,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4320 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4756,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5368,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5572,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5580 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5808,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5828 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5460,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5408 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6076,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6072 /prefetch:8

C:\Users\Admin\Downloads\unlocker-setup.exe

"C:\Users\Admin\Downloads\unlocker-setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp" /SL5="$40444,1689069,139776,C:\Users\Admin\Downloads\unlocker-setup.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlockerExtension.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlockerExtension.dll"

C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe

"C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=508,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6084 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6080,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6228 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6108,i,11806144829592713354,2571237456725856127,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6232 /prefetch:8

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe"

C:\ProgramData\Babylon RAT\client.exe

"C:\ProgramData\Babylon RAT\client.exe" 1232

Network

Country  Destination          Domain                            Proto
US       8.8.8.8:53           checkappexec.microsoft.com        udp
GB       172.165.61.93:443    checkappexec.microsoft.com        tcp
US       8.8.8.8:53           c.pki.goog                        udp
GB       142.250.187.195:80   c.pki.goog                        tcp
US       8.8.8.8:53           www.google.com                    udp
GB       142.250.180.4:443    www.google.com                    tcp
GB       142.250.180.4:443    www.google.com                    tcp
GB       142.250.180.4:443    www.google.com                    udp
US       8.8.8.8:53           ogads-pa.googleapis.com           udp
GB       142.250.200.42:443   ogads-pa.googleapis.com           udp
GB       142.250.200.42:443   ogads-pa.googleapis.com           tcp
US       8.8.8.8:53           play.google.com                   udp
GB       172.217.169.46:443   play.google.com                   udp
GB       172.217.169.46:443   play.google.com                   tcp
GB       172.217.169.46:443   play.google.com                   udp
US       8.8.8.8:53           clients2.google.com               udp
GB       172.217.16.238:443   clients2.google.com               udp
N/A      224.0.0.251:5353                                       udp
US       8.8.8.8:53           dns-tunnel-check.googlezip.net    udp
US       8.8.8.8:53           tunnel.googlezip.net              udp
US       216.239.34.157:443   tunnel.googlezip.net              tcp
GB       142.250.200.42:443   ogads-pa.googleapis.com           tcp
GB       142.250.200.42:443   ogads-pa.googleapis.com           udp
US       216.239.34.157:443   tunnel.googlezip.net              tcp
GB       172.217.169.46:443   play.google.com                   tcp
GB       172.217.169.46:443   play.google.com                   udp
US       8.8.8.8:53           consent.google.com                udp
GB       216.58.204.78:443    consent.google.com                tcp
US       8.8.8.8:53           www.iobit.com                     udp
US       3.212.140.11:443     www.iobit.com                     tcp
US       3.212.140.11:443     www.iobit.com                     tcp
US       3.212.140.11:443     www.iobit.com                     tcp
US       3.212.140.11:443     www.iobit.com                     tcp
US       3.212.140.11:443     www.iobit.com                     tcp
US       3.212.140.11:443     www.iobit.com                     tcp
US       8.8.8.8:53           bat.bing.com                      udp
US       150.171.28.10:443    bat.bing.com                      tcp
US       8.8.8.8:53           content-autofill.googleapis.com   udp
GB       172.217.16.234:443   content-autofill.googleapis.com   tcp
US       8.8.8.8:53           region1.google-analytics.com      udp
US       216.239.34.36:443    region1.google-analytics.com      tcp
US       216.239.34.36:443    region1.google-analytics.com      udp
US       8.8.8.8:53           cdn.iobit.com                     udp
GB       2.18.190.173:443     cdn.iobit.com                     tcp
US       8.8.8.8:53           update.iobit.com                  udp
GB       2.18.190.179:80      update.iobit.com                  tcp

Files

memory/3416-0-0x0000000000F80000-0x0000000001073000-memory.dmp

C:\ProgramData\Babylon RAT\client.exe

MD5 91dfc3dc22ce12c3cb94b2afb29735f9
SHA1 4478a7cca636b5163e24328478f6c654ffc02184
SHA256 66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a
SHA512 6799e99a258f3c65ef511e5faf7f5b843a30f6ae0a8e6112505cf9fc09c12732f8147e8498922d8451af1c5f5a899e55da8ad68a6c6f0555e358d9b9ed9321a9

memory/3416-2-0x0000000000F80000-0x0000000001073000-memory.dmp

memory/5992-3-0x0000000000350000-0x0000000000443000-memory.dmp

memory/1248-5-0x0000000000350000-0x0000000000443000-memory.dmp

memory/5992-6-0x0000000000350000-0x0000000000443000-memory.dmp

memory/5992-7-0x0000000000350000-0x0000000000443000-memory.dmp

memory/1248-9-0x0000000000350000-0x0000000000443000-memory.dmp

memory/5992-10-0x0000000000350000-0x0000000000443000-memory.dmp

memory/4904-18-0x0000022AD7CD0000-0x0000022AD7CD1000-memory.dmp

memory/4904-20-0x0000022AD7CD0000-0x0000022AD7CD1000-memory.dmp

memory/4904-19-0x0000022AD7CD0000-0x0000022AD7CD1000-memory.dmp

memory/4904-30-0x0000022AD7CD0000-0x0000022AD7CD1000-memory.dmp

memory/4904-29-0x0000022AD7CD0000-0x0000022AD7CD1000-memory.dmp

memory/4904-28-0x0000022AD7CD0000-0x0000022AD7CD1000-memory.dmp

memory/4904-27-0x0000022AD7CD0000-0x0000022AD7CD1000-memory.dmp

memory/4904-26-0x0000022AD7CD0000-0x0000022AD7CD1000-memory.dmp

memory/4904-25-0x0000022AD7CD0000-0x0000022AD7CD1000-memory.dmp

memory/4904-24-0x0000022AD7CD0000-0x0000022AD7CD1000-memory.dmp

memory/2352-37-0x0000000000350000-0x0000000000443000-memory.dmp

memory/2448-41-0x0000000000350000-0x0000000000443000-memory.dmp

memory/1144-40-0x0000000000350000-0x0000000000443000-memory.dmp

memory/2448-43-0x0000000000350000-0x0000000000443000-memory.dmp

memory/2448-44-0x0000000000350000-0x0000000000443000-memory.dmp

memory/4452-46-0x0000000000350000-0x0000000000443000-memory.dmp

memory/2448-47-0x0000000000350000-0x0000000000443000-memory.dmp

memory/5880-53-0x0000000000350000-0x0000000000443000-memory.dmp

memory/5900-55-0x0000000000350000-0x0000000000443000-memory.dmp

memory/5880-57-0x0000000000350000-0x0000000000443000-memory.dmp

memory/5880-58-0x0000000000350000-0x0000000000443000-memory.dmp

memory/3740-60-0x0000000000350000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 f41c0c46965f60209e14aff3ecd372b8
SHA1 acb88186407100f84fda697f2de2dce64da28c3e
SHA256 9fdc0f0d57efcc859b56637877884a888f66918a90581280f5d1719536c2b711
SHA512 42b27c54c4e4394d1f064bdc93d4a5e07db6b51c53df02be43c418ab67886dbf70f6e717addcd7e76605fdf676c8d4edd15eca0bd0c88ab6bbe193a808ac730c

\??\pipe\crashpad_2040_QOUGZVZBAAWHEZBY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/3148-115-0x0000000000350000-0x0000000000443000-memory.dmp

memory/3148-126-0x0000000000350000-0x0000000000443000-memory.dmp

memory/2012-128-0x0000000000350000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 b3e0706898d21fab2d8135f7b6c7b652
SHA1 024b996499bf4c6589988ce2d429d37f25db8d10
SHA256 5f439d82804fbbbf99e8e4d5b47497258519a9240169d629bff11c29f57ea46f
SHA512 42a896c0888854227fa1f75a93c65c0087ca0e2003f2b64a5b4101c13cc2d119f774c722b5d870e8961a440f65971ead5c4d996ca148a25b231bb204d669b3f4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 756fb2818f4c0a564beb714ddfdafb2f
SHA1 6374dae19adf16e49df15dfe5380729f6e74071b
SHA256 0567ff1f5c6d42b89e1d751f95f818392c41d3fb81d654bb84f0998a068363cc
SHA512 ca3a1971e4f461b569d996f9f447fa50ecef983fb15737b5df82f8ff59923b3c5680db419dd11d62e85ab1d2e63a35db84c59043cac96e2fa694472ad05c4f8c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b9618443cec021ab7c8e44cac9bf5235
SHA1 66015e2d4f0ceb82aafa2c33f27464dccef80222
SHA256 c4bec0389e51990a65b777f3d0099f7f9c8a26b2fba21c9282c2b15e5a525251
SHA512 b2c49eae6b969f62209ef43f80ad04c1427a1d077caf5ea79b3fe75096540dcf29f529479159d93b79d1f6cf3e3cc5923a8da6d238f127f03d66a6a22b2b3041

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 7dd653c7fa484bb550c1a45561a06cfe
SHA1 b11a7acdfb3c15865ac34dd823d2dc5279aed20a
SHA256 c0fed1b3d1162c3ed103a211c06b229a4da0086886200601abae1febec7bc7c4
SHA512 893eca2072c39bb6ae19565ff2df17fef9ae7db584771f094e08fc08befe326a47a19f8a2575fee97b6a33fae3ae7680453c007d806b7828aa051c34422e45ac

memory/3148-283-0x0000000000350000-0x0000000000443000-memory.dmp

C:\Users\Admin\Downloads\Unconfirmed 447318.crdownload

MD5 646261d89e30c36b938da1d7134691c9
SHA1 b25491854b409f454277586d97d2ead28168e6ec
SHA256 2efdffd1cf3adab21ff760f009d8893d8c4cbcf63b2c3bfcc1139457c9cd430b
SHA512 529160fe12a38d986f0b670d0334acc377490b86dc30e6d03227507b1f28b0d85ed17a4f1351108e516bf1635d5f5d73b10e6cc39fcc87e7e94b486c10fcde82

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 f80d3295ec2ad49c17269fda831c2015
SHA1 7ab5237f3b3046e7bb8a25762f641ea03032cde8
SHA256 7c6ad408b1a78f8fb5d2b1f5e8a5977b888c5ac1ca23c98af4f7389f783fa30e
SHA512 739966db267dbc8a185c4f6206f8bb957a12245804c4bb2fe1f0584b878b68b1ed5d34da147b266c24ffd3d6ff34722a5a538b963da7d4fffd5c2d98e118e438

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59c78c.TMP

MD5 98197480196cdde156131adb8852ccaa
SHA1 5f0ad661aeabf17dc405874883ae07f4cbf9fe5d
SHA256 d5ab16777d1ff32db06ebdd7cb889f261edb9cadb2f2a2ec6316b793f2516a8b
SHA512 b4a25c3c0dc7f2db8dd204de11ebe59b84c3647122ef2b7855d66013bc0f406dc83ea6d5b714f80e004c50343bb559a21363433072ba1eb01baea0ed5b99e5a0

memory/1372-380-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4BKMB.tmp\unlocker-setup.tmp

MD5 fbb6d0b67050d1ee042db466ba03d174
SHA1 0dcbf75fb11a218825b3921a759f7e34674d38e6
SHA256 ed72dfbdc876c601c6cd5048f71976ea4eae477fe18ddf8e0e02c88a872f60be
SHA512 b3f4f82102bd2758cd3afc5fa5a561a820f6b1e770f85e80de487ec3d44fe4a1acd4d461886b88416d3acc6536c37120aea4de1b9c8d0571851ec60ab863fe14

C:\Users\Admin\AppData\Local\Temp\is-JF1HE.tmp\IObitUnlocker.dll

MD5 2c6233c8dbc560027ee1427f5413e4b1
SHA1 88b7d4b896539abd11a7ad9376ef62d6a7f42896
SHA256 37d2a1626dc205d60f0bec8746ab256569267e4ef2f8f84dff4d9d792aa3af30
SHA512 cc8b369b27b303dbe1daef20fa4641f0c4c46b7698d893785fa79877b5a4371574b1bb48a71b0b7b5169a5f09a2444d66e773d8bb42760cb27f4d48a286728a8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d56755525d9de8092d597e975f149362
SHA1 a55aeef5c04c4e6a86e79accf140745ac676021e
SHA256 e38ed56b6194949041755a935e0cdc5ff2846ffb7ffaf00fd6b6e923105df64f
SHA512 9890ba44d2116f9efe97f852ac764b6552e9db396854b81d8ff9a9a1fc97690487233d511140358740520463924eabe06b6fab49a9260a43ec5905ab3dd5971e

C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe

MD5 2541290195ffe29716ebbc7aac76d82f
SHA1 d8e22adc26ef1628b826785682830c3d128a0d43
SHA256 eaa9dc1c9dc8620549fee54d81399488292349d2c8767b58b7d0396564fb43e7
SHA512 b6130c658cfeae6b8ed004cbac85c1080f586bb53b9f423ddabaeb4c69ea965f6bca8c1bd577795ef3d67a32a4bf90c515e4d68524c23866588864d215204f91

C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlockerExtension.dll

MD5 1ec2724be59f64f05f7107728b51624f
SHA1 a2102270c3cb8db9fdd71f2411ee457aa470e3de
SHA256 01fe66a8aaea0faa04b12127caa3b76ee11be9ed0b1bfcd1eeef71aa5489faaa
SHA512 9179fdeb9d5dbbd245d7333bb048773e855659355aa17ac2d1005ec847d4828a247005e310eeb82bcf90f080ce310dcd88e9a173c348bd512487b3146c50268d

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Arabic.lng

MD5 3b6e5d586108290ec90b7ee8aa09a672
SHA1 f5a48251313a68a0d5fe08136707af425911691a
SHA256 699f38f71da3cff1d7224f3c3701707ba287fcf025ca24e8fbf55a1217145e77
SHA512 121269585ac4e2d9f95d5dc97b216f24f8104455db8bd76f803edc46b45cf37b84565e40280ac2cebf83e41d92cbc83cf0f233875dd59ca1c1f57c931f97e5c3

C:\Program Files (x86)\IObit\IObit Unlocker\SpecialDir.ini

MD5 f2d6eff40a0dd85d53c39250242c7e7e
SHA1 1056c8486e2b8fced98740444ae55e951491ec1b
SHA256 7d63c9d8cc5ce2b7786257d1e2f551bdda8b2a434f560d4fed05ed3f10f65700
SHA512 9928d50ea7a8ccdf7373477b6f714f50107ec42df8ec1cbe721aca7df49add83ac404d71059e3125321418470785c3a75f81f3ffcfd6025c122d8cf33c0051b5

C:\ProgramData\IObit\IObit UnLocker\Main.ini

MD5 40e41706d00324f625b4079afeda2e28
SHA1 43f3dff89fbdaf711f5c32d11ea036c726b3d4b0
SHA256 63ee4e87cf0edc49c52173a904be985c461784795e3cc8e0cf736d03d58c4740
SHA512 ca17bbca3c6f330d554a810083ae441c0ad823421842596d0309f190759256689f41072097b4235e65a308529b813c911dbda5c1aa8f6c36a603a21de9b89331

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Turkish.lng

MD5 98ad40b352b1500142e3d796a73bd6d1
SHA1 35e830eba30d77d2b2e2d7979d54440cce9cc2d7
SHA256 47d56d71d51c3d4e96439ee7945477735b09f1582d787df180d8fea5ff93abbe
SHA512 6880f85003841389572b0dfac29be3fbe286e83059af5ea98b0e542e7d2577d3acc200e30d5bd0da2b333a3626e8ca2ef27bb150f069e582aa5e66444d6b7741

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Swedish.lng

MD5 3f7cf4d1dfa8ebdcb509001247cf2f91
SHA1 081c53b08e8c817e466c8500b1628d49be196593
SHA256 681ec1fd8c99dddb57935190f39dd7a88da9ca35c9086cea474e2264fc6c0716
SHA512 87240305b6e3a108d0c4a5c9495ffbf828c65c6d8a2f2efdc20cec70fa9b010f5e05fb510dbc85daa4fd01ccd0dfbbc546b361beacab2d2540324306f1ad7665

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Spanish.lng

MD5 c353d15b926e335dda7b58d6d31959f6
SHA1 d378fd4b8155592e50fbd04bc64206b1a032718e
SHA256 4c595cf20cb72696f429567f60a3da0ac81e6957b1e056918678da89d7d7d7e5
SHA512 5698b017e29d0fa775e36870b6ae80456978703d280475ebace9738cdaaefb737540a3ea950f85b59cdef3e7e7b4ba95c9be3b084d9e0a4cce23a53d9cd9646c

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Russian.lng

MD5 f3601cd1c2fecc1b7190cbd724ced684
SHA1 8cf1e731050aee6afcbba0f32c81ed7578f0f41e
SHA256 84bfadabf7893eec7123b5f1ca41394d3a69d237b5f355f3f2ce29f1854888d8
SHA512 06e7c202036d5403e9da27884d04d216bd6b1b92b8d8b0a1caf105722d4668c2727be91fa5c8cacdf91aa838ec7408d5c0354476945e2736ce3437a360b7dd0e

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Polish.lng

MD5 05e11996cd6c94dbd0ab0f7f1d2876b0
SHA1 f5da0cc5c96049030e3e2e553c6f6123a1e6bd66
SHA256 d24f9b863e8d0d11b6bfa679b92526f9bd509bfaa96364ea9388fb1ea5123133
SHA512 c69dfe534c8fdefb9dbd4b8d3ab13c9ade884f3c4e6a18f32b8f5dd746214c4c47288c93b0a4baed0c53c5841f9a32b45b1696215978b33e8cbc3e50fdc052ca

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Japanese.lng

MD5 7ec91418117a44939dc92d65e3359d03
SHA1 81e57bebe8b7d37617e2dddda97575a083776887
SHA256 651f189e637587821dbbfe7ddbef7f2869448ad9fbb1cbe0ec4afc2c81c4672d
SHA512 5ff00ce99dce870ece27120c5470112c6d319f33630217496fb1b48ee425a4165242185341648e5b49059d4b0ea2ad6b851d5411551fde74f3b2d5fb59057d41

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Italian.lng

MD5 71fe34913ae027c56ab88dc718c2eed5
SHA1 2e6023633d311a1ffb151712639b48d59797dee5
SHA256 d57caecfee173e3fd679e4fecdafb8d736f9c009a881bade375486928ca2ca48
SHA512 ea073db529b990be990f87cf1055c00c8ceeb41725c4a32266c9be3e468a27274b3fc0feb94492e6a9db20fbbe8ef059af173415b1eb9c7a0368a4d9d30a1c09

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Hungarian.lng

MD5 65f6e74b7c0ca1c64bd9c32bb8531fff
SHA1 6bc2c9205182fd4c5d25cbe2ef5ed7131356525f
SHA256 33ba3481f4dd39aaa847e41ea777e30395a5606373abc511106e67cc51d0617c
SHA512 04ae37bfc41f35b1974fb5f8bbb5e523a0b1e1a1f6ecefcd37238a374567f15c24cbcddb78aed649c7cf3687177ca038c1bc2daa819bf1b0d80c6f4e013b5d7a

C:\Program Files (x86)\IObit\IObit Unlocker\Language\German.lng

MD5 2436b14b3712922f225427425009ba44
SHA1 8f896ffa283a77a6911a150303f12d067aad72eb
SHA256 bc7d3c4f581a3fd12be1e2d59686780bd94d5fc383c65518dd89fb6cad111c98
SHA512 94d346a3de795a4cace50efe46106448a69bc173534b4610e8ab831bbea158556218694bbeb6c93dd2a55e7932b0d49f02bd3410847ab048ac7e90e788f1d79e

C:\Program Files (x86)\IObit\IObit Unlocker\Language\French.lng

MD5 f03cdbb8696b0528dc1caedaaeda7119
SHA1 b9a6ecf30641ac5dfb365b1e2de90b03a6e62418
SHA256 166e80f93ac5cf28e1e3bf76483f0843f9d32d829e500cfa982c9d3664cc7074
SHA512 249c7ea6662499042185123145a39ea2f6321e79152bb4b1d0271717ea4328cdcea18fc5bdb863865f33e5aa8b762fc6c47c298a2c3a984b6ecd5537fc1d351e

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Finnish.lng

MD5 cde455a6ba3c8534a4a5acc8ea0de3a3
SHA1 3cf44c592cb4ce4be9954ef91a571b7a2355e35f
SHA256 0a9c0405f08aa930a2e82fbe2ae80a917423ed379a2b9eeb3b62109f5aca2443
SHA512 bb8d2b8612a351286ce27fd6a58023c9145991b9a34cb5f7e9a2be45a8624aec09dad25700abae973484865ec4316792627047485809ad621f5f533692363f8f

C:\Program Files (x86)\IObit\IObit Unlocker\Language\English.lng

MD5 083620520c4fb96da4eb5c102a3ea84e
SHA1 9df10ac766a2879b4c9f3c6f258caf48cda252d8
SHA256 905ff04266f76618e0a369332594b49422ecc23f707e424655a55ca279cb7c62
SHA512 51e294ef9a5a2b9861b0252cfd635b05b46336e9eb2b02477819f56cfbec7d5cc0176557a6389dc48dfcb9bc6f8440be5b8734410dc6d205c2d47f6ac27d128e

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Dutch.lng

MD5 74fcffdda39abbc429741816b919a841
SHA1 61a1d03f2512771ac0d8ccbf2ef60ced97bc0e47
SHA256 ab2752577faa9ff94e1af58c5819e1c9e95c3d77eb966082bda7b7651886ed3e
SHA512 06b53ad4f95b562fe6ea56e294dc2e9f04f227ac457f3cf71c7986e42a381ad1977c65f628a56a0e71e1eb208ac63165ea7880d70ae1a8a79ea5ff4320e2c014

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Danish.lng

MD5 4c46432a05ce09bb563f48437a395f70
SHA1 ea7ff52387b973d29a9cd03d62593369fc96b765
SHA256 184f0c95f5d3433c0d5845099fc1da5d7e196ebaad993f2cd49d237cec34d292
SHA512 ca4e5f6e472b32a17a3345bfcadc5eed8861b7d216bcecb02a1d8f03ed62fc10fe0e0a311ff8c73ed7b58b1d5afe0d2175936e956d734a3d16e7af9f6a96eebf

C:\Program Files (x86)\IObit\IObit Unlocker\Language\Czech.lng

MD5 542118a2cc938ac82a922abb171a6df5
SHA1 c3ef3b652555fbc79ba1d794125afe0ee190b8bd
SHA256 ef6b496609073be75cf44941126d4f79920711ec8c4ef2aded9d4b1dbf7c10a8
SHA512 31a9b6dd84e9053d4410678d74b9f2d0dff236eb2c207b6529e5e3a23bae8f8437579508545eb1469c3ef730cf03de8e3dce58e7e0513959334403bc372f1986

C:\Program Files (x86)\IObit\IObit Unlocker\Language\ChineseTrad.lng

MD5 ded65624ae87dc84494f625596e58c2d
SHA1 6d4e7fc5bdfeac77d9a35a5dab34a8750728b78a
SHA256 d467dd9bc2ca9d4c5633b001615e2d6c127a84f16c7f3e95eb76f4549d69b20c
SHA512 ba979453dccb3d07fb3913d9bc1243330aa8ee4cb857043d281be48e471f28dbf296b564c1d02336b089c0e8e712ba131245cfbb26896a458efc67829ba79bfc

C:\Program Files (x86)\IObit\IObit Unlocker\Language\ChineseSimp.lng

MD5 b57e51a5bf610b47005bb03a9357f3ad
SHA1 77f217553c5b33910f4cdc4ae946f7c36c9add38
SHA256 fa24efbe6df04ac3af19e7e444caebb0ec3c71997aa5c648f91ce7c87dda4eb7
SHA512 f9bf1bc24157e78da2b94fb46321bdca06639d74a66470eac93fd62c0e03706403052cb012e458a60784faf4f8032070e69a62e7b5a65275ffb9698d1afe6ea7

C:\ProgramData\IObit\IObit Unlocker\IObitUnlocker.ini

MD5 31c59b1f44a7fe642c69f2d55c15ee9f
SHA1 eb26b2164797360d34505c4339d4b38963d887bc
SHA256 869adc1c9541c23440655933252d394d852ea1edf80be0cf16573dfa74d2f903
SHA512 1626d332f919856878a4a81d0b68a3a71a95282aa5e287cff06510d0376104849f8870495947025b1a6d1b09110c902ee1e3bdbf382e024e3036532202a4347d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 046a0c94dd1c9f86c52b034ecf082f79
SHA1 95c0da7c6bcf9395ed78d827406e2bde970e98a2
SHA256 4cb3ddcbb99c511aee19a23c17af24083ba7aee54219b5cffd9733d91593dc92
SHA512 0eca04073baec606ac98e2fabc8ba39646809292c43aeddc9d1552d11b8325bc4bea5b4437595b1f1cdf991de4f62300e63c893cee21cf2c286e5c2385c99954

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 98b9d1b131dea9b042ebf04d251d8c95
SHA1 432dca7e7aa1e72691aaf911e436ec23e24d4262
SHA256 7bbd7ab21055ded4c2355a69b38106439acc30d384d7c50e7d4bb32b427a4212
SHA512 c4fe36740e70c501071a4cf801006b7fb71be2f264e5a99a1a1be79d156d071f66c8c0f876e08db61cbc0741cca7cecec5de55a54ef42728efea290ed8288bdc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 86653df1beae257199e40b0e3c3d1a41
SHA1 e545c381aa6711ce4729c917b511a363db90583c
SHA256 21075f42f5657ac24ee349a10720ee0a09383eddc8f4595f0e39904609e05601
SHA512 1a49eda553d61dddac6769ce0ca66e148e6b4c94969af900f34b1b3f017feceef9a8db674c9de829d82ada289674891870dbe7ff12d0142993d99bcf5041fd05

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 016b2b82d1c9693aa57861e01ce4fc1a
SHA1 40d9cbd72e77dee78003fdf8d88bb5c5588fa00b
SHA256 9ab915d3e48e048a71154d57e1fc14bab262db4f3bf6ca93b308e215628800f6
SHA512 0b5ace72cf0bf1c2d96ea5a433982ac897a29034ea1beb36a4d350e3ece7fe0fde91d2be5c6f9b35aa2fab614a122b27527806b70b3b41e79f08684366ad9259

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

MD5 623c671579d4b2ddab6646173826bb88
SHA1 b6a1d352041983dae155c77c972ce6f4f7e97a75
SHA256 cf7124741f4933007dfc767702c72e5df41e542f41d4d7aeb585d5d16ebeaaeb
SHA512 2c6e900b1b9e3bfba17492c3eb13bc5c2f34b54757a97056696ef8946f09d11da47aea58677d0aada4f67f0a454582df68019bcd5f6c83d35113f852e51d822c

memory/4592-685-0x0000000000400000-0x0000000000531000-memory.dmp

memory/1372-686-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3148-689-0x0000000000350000-0x0000000000443000-memory.dmp

memory/5576-693-0x0000000000400000-0x00000000006DC000-memory.dmp

memory/3148-695-0x0000000000350000-0x0000000000443000-memory.dmp

memory/5576-698-0x0000000000400000-0x00000000006DC000-memory.dmp

memory/3148-703-0x0000000000350000-0x0000000000443000-memory.dmp

memory/3148-706-0x0000000000350000-0x0000000000443000-memory.dmp

memory/1232-713-0x0000000000350000-0x0000000000443000-memory.dmp

memory/2864-715-0x0000000000350000-0x0000000000443000-memory.dmp

memory/1232-714-0x0000000000350000-0x0000000000443000-memory.dmp