File name:

Unlocker1.9.2.exe

Full analysis: https://app.any.run/tasks/a2abd06a-2238-4af6-b4f9-4ee83c83c3cc
Verdict: Malicious activity
Analysis date: December 06, 2022, 05:40:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
babylon
rat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

1E02D6AA4A199448719113AE3926AFB2

SHA1:

F1EFF6451CED129C0E5C0A510955F234A01158A0

SHA256:

FB6B1171776554A808C62F4045F5167603F70BF7611DE64311ECE0624B365397

SSDEEP:

24576:eLMeYSiGTpTLDxxwqQcqOj5eyHox6ZGmAuXE7ZBlbT:+PbVvwqQpoLHontDrlbT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • UnlockerAssistant.exe (PID: 3228)
      • Unlocker1.9.2.exe (PID: 1232)
      • DllHost.exe (PID: 2616)
      • Setup.exe (PID: 3256)
      • rundll32.exe (PID: 3636)
      • Explorer.EXE (PID: 1084)

    • Application was dropped or rewritten from another process

      • Setup.exe (PID: 3256)
      • UnlockerAssistant.exe (PID: 3228)
      • DeltaTB.exe (PID: 3244)
      • Setup.exe (PID: 3404)

    • Drops the executable file immediately after the start

      • DeltaTB.exe (PID: 3244)
      • Unlocker1.9.2.exe (PID: 1232)

    • BABYLON was detected

      • Setup.exe (PID: 3256)

  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • Setup.exe (PID: 3256)

    • Executable content was dropped or overwritten

      • DeltaTB.exe (PID: 3244)
      • Unlocker1.9.2.exe (PID: 1232)

    • Drops a file with too old compile date

      • Unlocker1.9.2.exe (PID: 1232)

  • INFO

    • Drops a file that was compiled in debug mode

      • Unlocker1.9.2.exe (PID: 1232)
      • DeltaTB.exe (PID: 3244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2009-Dec-05 22:50:41
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 216

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2009-Dec-05 22:50:41
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
22738
23040
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.4331
.rdata
28672
4496
4608
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.17976
.data
36864
110456
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.6178
.ndata
147456
40960
0
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc
188416
22632
23040
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.41727

Resources

Title
Entropy
Size
Codepage
Language
Type
1
2.86229
2216
UNKNOWN
English - United States
RT_ICON
2
1.76086
1384
UNKNOWN
English - United States
RT_ICON
102
2.71813
180
UNKNOWN
English - United States
RT_DIALOG
103
2.56193
288
UNKNOWN
English - United States
RT_DIALOG
104
2.6666
280
UNKNOWN
English - United States
RT_DIALOG
105
2.73893
514
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG
110
2.82633
1638
UNKNOWN
English - United States
RT_BITMAP
111
2.92787
238
UNKNOWN
English - United States
RT_DIALOG
202
2.9709
180
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
10
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start unlocker1.9.2.exe no specs unlocker1.9.2.exe deltatb.exe #BABYLON setup.exe rundll32.exe no specs ielowutil.exe no specs unlockerassistant.exe no specs setup.exe no specs WinInetBrokerServer no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1328"C:\Users\admin\AppData\Local\Temp\Unlocker1.9.2.exe" C:\Users\admin\AppData\Local\Temp\Unlocker1.9.2.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\unlocker1.9.2.exe
c:\windows\system32\ntdll.dll
1232"C:\Users\admin\AppData\Local\Temp\Unlocker1.9.2.exe" C:\Users\admin\AppData\Local\Temp\Unlocker1.9.2.exe
Explorer.EXE
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\unlocker1.9.2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
3244"C:\Users\admin\AppData\Local\Temp\DeltaTB.exe" /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mntC:\Users\admin\AppData\Local\Temp\DeltaTB.exe
Unlocker1.9.2.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\deltatb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3256"C:\Users\admin\AppData\Local\Temp\4F1C3F09-BAB0-7891-97CB-ECE2C9AFE59A\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mntC:\Users\admin\AppData\Local\Temp\4F1C3F09-BAB0-7891-97CB-ECE2C9AFE59A\Setup.exe
DeltaTB.exe
User:
admin
Company:
Babylon Ltd.
Integrity Level:
HIGH
Description:
Setup Application
Exit code:
0
Version:
9.1.1.10
Modules
Images
c:\users\admin\appdata\local\temp\4f1c3f09-bab0-7891-97cb-ece2c9afe59a\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3636"C:\Windows\system32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\4F1C3F~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.comC:\Windows\system32\rundll32.exeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2332"C:\Program Files\Internet Explorer\IELowutil.exe" -PID:123C:\Program Files\Internet Explorer\IELowutil.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Low-Mic Utility Tool
Exit code:
2147942487
Version:
11.00.9600.19597 (winblue_ltsb_escrow.191216-1311)
Modules
Images
c:\program files\internet explorer\ielowutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
3228"C:\Program Files\Unlocker\UnlockerAssistant.exe" C:\Program Files\Unlocker\UnlockerAssistant.exeUnlocker1.9.2.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\program files\unlocker\unlockerassistant.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
3404C:\Users\admin\AppData\Local\Temp\4F1C3F09-BAB0-7891-97CB-ECE2C9AFE59A\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mntC:\Users\admin\AppData\Local\Temp\4F1C3F09-BAB0-7891-97CB-ECE2C9AFE59A\Latest\Setup.exeSetup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\system32\kernel32.dll
c:\users\admin\appdata\local\temp\4f1c3f09-bab0-7891-97cb-ece2c9afe59a\latest\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2616C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1084C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
3 440
Read events
3 064
Write events
358
Delete events
18

Modification events

(PID) Process:(1084) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
01000000D08C9DDF0115D1118C7A00C04FC297EB010000008DAEBB14DAA9454A8FA3FE6EA5788441000000000200000000001066000000010000200000000FA79913340CB7683ABE03E23BC5E53CC7685A42C34276AA815EB8C17EEABCF5000000000E80000000020000200000009EE84F34D9A36922F14090F7AEE0ECA5D9FFF9D41D9BB73564139D589CBBE37E300000003218BED6D4090E5AC6F06B9B2571C4FEFC740BBA496C0E348C0F01D18A6952BB0E0E218D0C181AC8F271271A94FA7B4B40000000A838E04A24C5C78273187054E54C47F8562E2CAF5F4E55262324BA30F61DA571B8A130CB3FE549CA0AFBCCAC879C041BDE1BB1B0DD660A51BEE57A625905EFBE
(PID) Process:(1084) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:P:\Hfref\nqzva\NccQngn\Ybpny\Grzc\Haybpxre1.9.2.rkr
Value:
00000000000000000000000062140000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
(PID) Process:(1084) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:HRZR_PGYFRFFVBA
Value:
00000000500100008902000066DB1E013F0000004A0000008E0F0D004D006900630072006F0073006F00660074002E0049006E007400650072006E00650074004500780070006C006F007200650072002E00440065006600610075006C007400000028003E004000A4E75102B8E651020000000000000000000000000000080274E45102000008026CE25102000000000000D26CFFFFFFFF705911750000000000000000A4E251027C900D75000400000000000008E35102FFFFFFFF38EA7000FFFFFFFF080A7400D80E740030EA7000D4E25102F7AF3D7680D0707614F05102081D3E76E4613E766820700008E351020000000071000000BBF2CB00E8E25102A1693E766820700008E351020000000014E551023F613E766820700008E3510200000400000000800400000026E4510298E351025DA5147726E45102D26E147779A51477D6794D7526E4510210E65102000100006400610072E3510226E451026F0061006D0069006E0067005C006D006900630072006F0073006F0066007400CCE351023400000080E35102DE70310033003300350033003800310030003000F8E551025A000000A0E351021DA71477D6610E02D4E351025A00000010E651025C00000011000000104F7000084F7000F8E55102C4E3510220E40000D7F3CB00D0E351025E903E7620E45102D4E3510203943E760000000064561802FCE35102A9933E7664561802A8E45102D8511802BD933E7600000000D8511802A8E4510204E45102000000007700000099475E004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C0000004200390046004100380045007D005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C00570049004E0057004F00520044002E0045005800450000002D0031003500300030003700320038003500360034002D003300330035003300380032003500390030002D00310030003000300000000000000064E93A025D39DE74D4E93A0235E3F47681BFF801FEFFFFFF9CE93A02BD6BDB747CEE3A0268EF3A0200000000D4E93A025F38F8766438F876BD413A750000000068EF3A027CEE3A02ACE93A02010000004CEE3A0235E3F47681BFF801FEFFFFFFE4E93A02BD6BDB747E00000068EF3A025CEE3A02A36CDB7411000000204F2400184F2400100000009D01050068006A0068EF3A0278EA000074A1BC847CEA00007CA1BC8430EA3A025E9055757CEA3A02AC1B000048A1BC8444EA3A02929B5575B01B0B034C0600005CEA3A0220170B0368EA3A02549B557511000000204F2400184F240040170B03CCEA000000A1BC847CEA3A025E905575CCEA3A0280EA3A020394557500000000AC1B0B03A8EA3A02A9935575AC1B0B0354EB3A0220170B03BD9355750000000020170B0354EB3A02B0EA3A02000000007700000099475E004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C0000004200390046004100380045007D005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C00570049004E0057004F00520044002E0045005800450000002D0031003500300030003700320038003500360034002D003300330035003300380032003500390030002D00310030003000300000000000000064E93A025D39DE74D4E93A0235E3F47681BFF801FEFFFFFF9CE93A02BD6BDB747CEE3A0268EF3A0200000000D4E93A025F38F8766438F876BD413A750000000068EF3A027CEE3A02ACE93A02010000004CEE3A0235E3F47681BFF801FEFFFFFFE4E93A02BD6BDB747E00000068EF3A025CEE3A02A36CDB7411000000204F2400184F2400100000009D01050068006A0068EF3A0278EA000074A1BC847CEA00007CA1BC8430EA3A025E9055757CEA3A02AC1B000048A1BC8444EA3A02929B5575B01B0B034C0600005CEA3A0220170B0368EA3A02549B557511000000204F2400184F240040170B03CCEA000000A1BC847CEA3A025E905575CCEA3A0280EA3A020394557500000000AC1B0B03A8EA3A02A9935575AC1B0B0354EB3A0220170B03BD9355750000000020170B0354EB3A02B0EA3A02
(PID) Process:(1232) Unlocker1.9.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unlocker
Operation:writeName:Language
Value:
1033
(PID) Process:(3256) Setup.exeKey:HKEY_CURRENT_USER\Software\BabyTest
Operation:delete keyName:(default)
Value:
(PID) Process:(3256) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\BabyTest
Operation:delete keyName:(default)
Value:
(PID) Process:(3256) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Test.cap
Operation:delete keyName:(default)
Value:
(PID) Process:(3636) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3636) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3636) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
18
Suspicious files
20
Text files
16
Unknown types
5

Dropped files

PID
Process
Filename
Type
1232Unlocker1.9.2.exeC:\Users\admin\AppData\Local\Temp\nseFA73.tmp\Delta.iniini
MD5:DE261469D3F56FFAB2F0DBD61BA3CF04
SHA256:708CCCF0B0A8A6B2344C40826CEC5A2752C1433045E9B31CC09472050D381641
3244DeltaTB.exeC:\Users\admin\AppData\Local\Temp\4F1C3F09-BAB0-7891-97CB-ECE2C9AFE59A\Babylon.datbinary
MD5:825E5733974586A0A1229A53361ED13E
SHA256:0A90B96EAF5D92D33B36F73B36B7F9CE3971E5F294DA51ED04DA3FB43DD71A96
1232Unlocker1.9.2.exeC:\Users\admin\AppData\Local\Temp\nseFA73.tmp\LangDLL.dllexecutable
MD5:9384F4007C492D4FA040924F31C00166
SHA256:60A964095AF1BE79F6A99B22212FEFE2D16F5A0AFD7E707D14394E4143E3F4F5
1232Unlocker1.9.2.exeC:\Users\admin\AppData\Local\Temp\DeltaTB.exeexecutable
MD5:EB2764885565B6C01CB32E5F51F213B3
SHA256:D7146999FF94B3AE092F3213DDF0217615F1D38798393B66778D11AAE2B68EAF
3244DeltaTB.exeC:\Users\admin\AppData\Local\Temp\4F1C3F09-BAB0-7891-97CB-ECE2C9AFE59A\bab456.TB_OldWay.datbinary
MD5:7E72D256E34635D351092955D1F8516B
SHA256:39EB1667A67149B5D930E5408896027E3C3FC06282735E61CB8D85F5B38F587C
3244DeltaTB.exeC:\Users\admin\AppData\Local\Temp\4F1C3F09-BAB0-7891-97CB-ECE2C9AFE59A\bab307.sp_pop0.datbinary
MD5:0B7BE9C4B72C2C5166BFD61CA5EBBFED
SHA256:673BF972D308BC6108360575608CF72F393413F2D3993489B06DA4A6EFC749BD
3244DeltaTB.exeC:\Users\admin\AppData\Local\Temp\4F1C3F09-BAB0-7891-97CB-ECE2C9AFE59A\bab148.spreg.datbinary
MD5:A4AF0A0C254B38F2F9EECBF0E00B08FE
SHA256:810E0E32D54B9E1557DA7CCF1CA9F6354814E90DADC6B4AF5E1CBDF87FAC925A
3244DeltaTB.exeC:\Users\admin\AppData\Local\Temp\4F1C3F09-BAB0-7891-97CB-ECE2C9AFE59A\BExternal.dllexecutable
MD5:B212865E7E478A28A97268F960079A8D
SHA256:D6138AEF3F7674E2442ADD75013C86CA8FDA3D5BA69737A9B881E7F7BBC730E6
3244DeltaTB.exeC:\Users\admin\AppData\Local\Temp\4F1C3F09-BAB0-7891-97CB-ECE2C9AFE59A\HtmlScreens\pBar.gifimage
MD5:26621CB27BBC94F6BAB3561791AC013B
SHA256:E512D5B772FEF448F724767662E3A6374230157E35CAB6F4226496ACC7AA7AD3
1232Unlocker1.9.2.exeC:\Users\admin\AppData\Local\Temp\nseFA73.tmp\System.dllexecutable
MD5:C17103AE9072A06DA581DEC998343FC1
SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
5
DNS requests
3
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3256
Setup.exe
GET
200
184.154.27.232:80
http://stp.babylon.com/downloader.php?ver=9.1.1.10&affilID=122471&guid={7E952698-F958-4BA5-8312-0862246459AA}&mntrId=C4BA12A9866C77DE&moldid=c4ba364700000000000012a9866c77de&sufn=Unlocker1.9.2.exe&iev=11&ffv=83&crv=86&dwb=ie&dlb=ie&wbr=1&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=601&tbtp=def&tbinst=1&cntry=US&cat=delta&uac=1&osp=hp0:642845648;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&lang=en&zpb=1&geo=1
US
text
274 b
whitelisted
3256
Setup.exe
GET
200
184.154.27.232:80
http://stat.info-stream.net/report.php?no_policy=1&lang=0&source=setup-end&stage=91&ver=9.1.1.10&affilID=122471&guid={7E952698-F958-4BA5-8312-0862246459AA}&mntrId=C4BA12A9866C77DE&moldid=c4ba364700000000000012a9866c77de&sufn=Unlocker1.9.2.exe&iev=11&ffv=83&crv=86&dwb=ie&dlb=ie&wbr=1&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=601&tbtp=def&tbinst=1&cntry=US&cat=delta&uac=1&osp=hp0:642845648;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&hp=1&dsp=1&tb=1&hpx=0&dspx=0&rvrt=0&excd=0&stm=3&nvs=0&dnld=100&dcnt=1&dtot=1&dlerr=200&dltm=0&dlsz=3844&dsflr=0&errurl=Setup2.zpb&hpc=1998245871&spc=1998245871&tbx=0
US
image
43 b
whitelisted
3256
Setup.exe
GET
200
198.143.175.67:80
http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb
US
binary
3.75 Kb
malicious
3256
Setup.exe
GET
200
184.154.27.232:80
http://stat.info-stream.net/report.php?no_policy=1&lang=0&source=setup-start&stage=0&ver=9.1.1.10&affilID=122471&guid={7E952698-F958-4BA5-8312-0862246459AA}&mntrId=C4BA12A9866C77DE&moldid=c4ba364700000000000012a9866c77de&sufn=Unlocker1.9.2.exe&iev=11&ffv=83&crv=86&dwb=ie&dlb=ie&wbr=1&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=601&tbtp=def&tbinst=1&cntry=US&cat=delta&uac=1&osp=hp0:642845648;hp1:0;hp2:0;dsp0:-886302982;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0
US
image
43 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3256
Setup.exe
184.154.27.232:80
stat.info-stream.net
SINGLEHOP-LLC
US
malicious
3256
Setup.exe
198.143.175.67:80
dl.babylon.com
SINGLEHOP-LLC
US
malicious

DNS requests

Domain
IP
Reputation
stat.info-stream.net
  • 184.154.27.232
whitelisted
stp.babylon.com
  • 184.154.27.232
whitelisted
dl.babylon.com
  • 198.143.175.67
malicious

Threats

PID
Process
Class
Message
3256
Setup.exe
Potential Corporate Privacy Violation
ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)
3256
Setup.exe
Potential Corporate Privacy Violation
ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)
3256
Setup.exe
Potential Corporate Privacy Violation
ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)
3256
Setup.exe
Potential Corporate Privacy Violation
ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2023 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Unlocker1.9.2.exe