464513ae3e9368b8782eb52cd36a5853154310a396174ae62bce03f1bda8e82c

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/bundle.exe
Size

1.4MB
MD5

2d1a8fe877c2c3a251d9b064438fa132
SHA1

af6eed972b2c3d819c20b1cca83b91b1819fb4f5
SHA256

c919043ac844a08523b83e22071824de50998307b11e719503d08cf2d532f847
SHA512

86d57ba82c93a1dea122b993b9f735cbf080efc6ce8bdea76f4585edc39a936ca043c05123976c15d5a9edaa6a55d0888fbf6434f2fea5c2d4e9eae30434f24d
SSDEEP

24576:GPOaKA8LjZ6hD2La+5mPIalInV/CpGkL7QB2BSAVv+6GsB93xXvAwsj6DQM71Wnw:Q8YWaDwae/oGi722QAVv+TsBDvArj68M

Score

7^/10

adware discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2668	MyBabylonTB.exe
2804	Setup.exe
1744	MainInstaller.exe
1612	Setup.exe
1248	PingMe.exe
2184	PingMe.exe

Loads dropped DLL 17 IoCs

pid	Process
2388	bundle.exe
2388	bundle.exe
2668	MyBabylonTB.exe
2616	rundll32.exe
2616	rundll32.exe
2616	rundll32.exe
2616	rundll32.exe
2804	Setup.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2388	bundle.exe
1744	MainInstaller.exe
1612	Setup.exe
1744	MainInstaller.exe
2388	bundle.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll"	Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1"	Setup.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\2YourFace\2YourFace.crx	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js	Setup.exe
File created	C:\Program Files (x86)\2YourFace\bho.dll	Setup.exe
File created	C:\Program Files (x86)\2YourFace\FF8Installer.exe	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\install.rdf	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul	Setup.exe
File created	C:\Program Files (x86)\2YourFace\uninst.exe	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral9/files/0x0006000000018b6e-207.dat	nsis_installer_1
behavioral9/files/0x0006000000018b6e-207.dat	nsis_installer_2
behavioral9/files/0x0006000000012217-211.dat	nsis_installer_1
behavioral9/files/0x0006000000012217-211.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=c77b031c0000000000005e688c03ef37"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c1930000000000200000000001066000000010000200000006b5d00a62daeb80fff9d8fa352aee173c9cb159f465d118ae588e38b10996cfb000000000e80000000020000200000009ee1b671fea10603d43eceed7ed707fcc0ddae90bf0cf057cbd748540c13223850000000647a685cd630280941731593cd778c6bba9964f7d720145d634df6ae32ff1c011f648eec23ad024f871715fd31003ec2a6f2e941034c0af6c30aa591cab420c881dd4936ad27260c8fe00596a7f5ca8240000000da37e6545f7b37a3d42f78498f69911778421fa2a7ff66650d1708c378238191316803843e66c5830eb40eebfb0d16681de1ee62035f6496560ffb011833eeca	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID=\|URI="	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID="	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\User Preferences	Setup.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=c77b031c0000000000005e688c03ef37"	Setup.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a174b5763235343535d334743435d13534b175d275713135d0b3773030b373353372743c35a060101810319cc97001da70bbf	Setup.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	Setup.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2804	Setup.exe
2804	Setup.exe
2804	Setup.exe
2804	Setup.exe
2804	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2804	Setup.exe
Token: SeTakeOwnershipPrivilege	2804	Setup.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2668	2388	bundle.exe	28
PID 2388 wrote to memory of 2668	2388	bundle.exe	28
PID 2388 wrote to memory of 2668	2388	bundle.exe	28
PID 2388 wrote to memory of 2668	2388	bundle.exe	28
PID 2388 wrote to memory of 2668	2388	bundle.exe	28
PID 2388 wrote to memory of 2668	2388	bundle.exe	28
PID 2388 wrote to memory of 2668	2388	bundle.exe	28
PID 2668 wrote to memory of 2804	2668	MyBabylonTB.exe	29
PID 2668 wrote to memory of 2804	2668	MyBabylonTB.exe	29
PID 2668 wrote to memory of 2804	2668	MyBabylonTB.exe	29
PID 2668 wrote to memory of 2804	2668	MyBabylonTB.exe	29
PID 2668 wrote to memory of 2804	2668	MyBabylonTB.exe	29
PID 2668 wrote to memory of 2804	2668	MyBabylonTB.exe	29
PID 2668 wrote to memory of 2804	2668	MyBabylonTB.exe	29
PID 2616 wrote to memory of 2564	2616	rundll32.exe	31
PID 2616 wrote to memory of 2564	2616	rundll32.exe	31
PID 2616 wrote to memory of 2564	2616	rundll32.exe	31
PID 2616 wrote to memory of 2564	2616	rundll32.exe	31
PID 2388 wrote to memory of 1744	2388	bundle.exe	34
PID 2388 wrote to memory of 1744	2388	bundle.exe	34
PID 2388 wrote to memory of 1744	2388	bundle.exe	34
PID 2388 wrote to memory of 1744	2388	bundle.exe	34
PID 2388 wrote to memory of 1744	2388	bundle.exe	34
PID 2388 wrote to memory of 1744	2388	bundle.exe	34
PID 2388 wrote to memory of 1744	2388	bundle.exe	34
PID 1744 wrote to memory of 1612	1744	MainInstaller.exe	35
PID 1744 wrote to memory of 1612	1744	MainInstaller.exe	35
PID 1744 wrote to memory of 1612	1744	MainInstaller.exe	35
PID 1744 wrote to memory of 1612	1744	MainInstaller.exe	35
PID 1744 wrote to memory of 1612	1744	MainInstaller.exe	35
PID 1744 wrote to memory of 1612	1744	MainInstaller.exe	35
PID 1744 wrote to memory of 1612	1744	MainInstaller.exe	35
PID 1744 wrote to memory of 1248	1744	MainInstaller.exe	37
PID 1744 wrote to memory of 1248	1744	MainInstaller.exe	37
PID 1744 wrote to memory of 1248	1744	MainInstaller.exe	37
PID 1744 wrote to memory of 1248	1744	MainInstaller.exe	37
PID 2388 wrote to memory of 2184	2388	bundle.exe	36
PID 2388 wrote to memory of 2184	2388	bundle.exe	36
PID 2388 wrote to memory of 2184	2388	bundle.exe	36
PID 2388 wrote to memory of 2184	2388	bundle.exe	36

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
  C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DF2C49~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Program Files (x86)\Internet Explorer\IELowutil.exe
        
        "C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
        5⤵
        
        PID:2564
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DF2C49~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
      4⤵
      Loads dropped DLL
      Modifies Internet Explorer settings
      PID:2312
- C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
  C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies registry class
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\PingMe.exe
    "C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0
    3⤵
    - Executes dropped EXE
    PID:1248
- C:\Users\Admin\AppData\Local\Temp\PingMe.exe
  "C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=
  2⤵
  - Executes dropped EXE
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe

Filesize
421KB

MD5
9ab816a0f4b118aa93b924f8727c9f05

SHA1
42e01b1d6d0d74f9e873c5369220d1e2d7357264

SHA256
ed8817053ab3bfba9cc11d1db2cfe8d74f9fa3a4ad7dcfd03ece4b5d926b5238

SHA512
9c3d8797c857506dddd48f829fe227944b5d5d43f500a322e1db4ac80b172dd22ef39ad3bdb031b3dde6572d7e6fe7a37057d5f496313a72b8bf84d03aff220a

Download Submit
C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

Filesize
3KB

MD5
5e6230b3b16798e23720958756ac6d9e

SHA1
c7bcb001c48a67d4c9d6e70e92473ebd85b30585

SHA256
d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2

SHA512
6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7B0B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\BExternal.dll

Filesize
126KB

MD5
743acbf54eb091066be6ab3cb12c5988

SHA1
43a205985790c47a7e611fa2d3cab9b4eb59121f

SHA256
fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0

SHA512
014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\BabyTBConf.ini

Filesize
578B

MD5
940c29779ede0db50c8d25f85648ef48

SHA1
77a2e50a0816b33390cdad568c1bacdfd0caeaed

SHA256
c711f3350e4915231d210e2400576177f8a3d2e3ba8982016638e36b7d98832a

SHA512
779e895fe9aa262b7368bc71de4e87a75eb92a2a763f411ce7200d94ba0189fe5a429c42a405f67e97ad27a9822a1017c9da76e88dab0e22e2e782242dedfb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\Babylon.dat

Filesize
8KB

MD5
c4505672ab92f7736a3e74345bc5debb

SHA1
ceaaa3399970d64b0dc011628651e1f0a87fbbbe

SHA256
cd3c38dd26d7d27c0683bf2585f96b13e18c18df12004854f084a91607fef010

SHA512
a4f348f44a5d6ab12d8c4360f48407534fd33704840493bc303d7b8f1bf32385e18da1870c21e906a986d05a2c4fff576fc83dbde5369c06ef6067d43685cb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\blueStar.png

Filesize
14KB

MD5
a7fcdf142648bac756fcfe06a31f42e4

SHA1
4df99b119c183c821ed1bf0f825536318c9c3353

SHA256
008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22

SHA512
ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\eula.html

Filesize
79KB

MD5
1b73a781f7f5b0d61624bd97050a2ed0

SHA1
01b848625761d5dede115e8599e4c72f126f8a3c

SHA256
f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5

SHA512
76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\globe.png

Filesize
33KB

MD5
cc53fb9e9456eb79479151090cb16cbd

SHA1
e61004bf729757f3f225f77f0236b82518f68662

SHA256
3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42

SHA512
0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\options.js

Filesize
119B

MD5
771f230f8bbc96a03b13976667918f1f

SHA1
0fba422c76b89cdb5d12e657064c49a9b1b7abae

SHA256
92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252

SHA512
b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\pBar.gif

Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\page0.html

Filesize
1KB

MD5
cf33120dd42cee842d96532843bb1961

SHA1
1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf

SHA256
783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f

SHA512
889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\page2.css

Filesize
2KB

MD5
085cf46c4d1c8dea9edd79ee37d6d5bd

SHA1
30cb66994c45261a4aaa6d9ecdf1b1890ed09b45

SHA256
9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d

SHA512
66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\page2.html

Filesize
3KB

MD5
12152ded3604e8baaf82c078f8034d60

SHA1
0867dec241a257e3e9ad9e8d20b9e06e3bce7184

SHA256
abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485

SHA512
a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\page2Lrg.css

Filesize
1KB

MD5
db15b568f9d195635b3fcab87ef6293f

SHA1
6ae0f374531cb3013857880e8469a103492b8393

SHA256
5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d

SHA512
a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\page3.css

Filesize
1KB

MD5
07784ad77f30fa018949e412b2257aab

SHA1
8595c222a3741bfa83c5a4d982c845c8038062a6

SHA256
226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf

SHA512
2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\page3.html

Filesize
1KB

MD5
b23c25988099403433efb7fb64715676

SHA1
e833527e1c021b311286e6e2d1c2f0530be0a565

SHA256
7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c

SHA512
8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\page3Lrg.css

Filesize
977B

MD5
b3520c555c46a7020d8f27bfe81df0ca

SHA1
59398086abe3987c2a91edacb74eca94bbd63d7d

SHA256
74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6

SHA512
0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\progress.png

Filesize
2KB

MD5
dee08d8cbcdeb8013adf28ecf150aaf3

SHA1
c61cd9b1bd0127244b9d311f493fc514aa5c08d6

SHA256
eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5

SHA512
c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\setup.js

Filesize
13KB

MD5
a95607ce49fa0af8ed7a3f5667c3eb31

SHA1
5e4b5a30e56c42329afdf216625bf35be69a82aa

SHA256
01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c

SHA512
1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\title.png

Filesize
25KB

MD5
12ef76069cc40b8ad478d9091915ded6

SHA1
fabad560b6e6839f9e5ae1268695d11ca35f9d74

SHA256
4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c

SHA512
5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\HtmlScreens\toolBar.jpg

Filesize
19KB

MD5
56dc3cb42b46309e642c15167003685d

SHA1
045749de2c1492e5dfc4c44f9eb6c0feefe06b3d

SHA256
bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1

SHA512
5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\Latest\kstp.txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\Latest\setup.exe

Filesize
8KB

MD5
5790a04f78c61c3caea7ddd6f01829d2

SHA1
9d783d964338a5378280dd3c3b72519d11f73ffa

SHA256
726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606

SHA512
9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\Setup.exe

Filesize
125KB

MD5
29a80fd1901a4dfb96d3846ff7e0ee2a

SHA1
713d4c40702795f11fda4924917510890985a17a

SHA256
e713425e7f68d1a8862312761be7cfa6eff939dca7174fae9f19df172f22a0b1

SHA512
e00c3b1658d389c5a9dee070e1fda1d1f00c84b181da01cf8d3f1ba5b5872c18d86f13ae8130230306a64ab09c0264fd868c99fbd144fa9eeb1132ae29117d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\Setup.exe

Filesize
247KB

MD5
34f6fd113987de5dbb3f3ff006f387f9

SHA1
c50dfef5d046fed94fc203acf932c2a66114f3b9

SHA256
db3dd46e52f5fb67b834f105e45b57f8e324cd2f0cbfe11562bca192600a8dab

SHA512
9de32804a1ced292403b131e1564f6c499ae1eb012f7592d124550ac2c36581fb7d108987d24775e28c745dc04c867884da75d31daca65023d08f8197ef80b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\SetupStrings.dat

Filesize
63KB

MD5
07bb1523dc51ec1fd5913b0a70ab98ee

SHA1
216f853cb251f32f5c91345404efd48f041ad5bd

SHA256
31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2

SHA512
8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\bab033.tbinst.dat

Filesize
236B

MD5
1ee8c638e49ee7137607722768afc5a2

SHA1
8719d7a498a49b042cd6fc411cac6c44f3c0f43a

SHA256
1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e

SHA512
2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\sign

Filesize
80KB

MD5
73dbc500e121b83ec57bb2563203259a

SHA1
658adac13fc362f5292cbbda19ade1d228ff7901

SHA256
9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878

SHA512
c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\sqlite3.dll

Filesize
487KB

MD5
78f97bca17ab8e76c5866da9d117e421

SHA1
68c4549b0ef7c9aafb87d8db2b0945c45824059e

SHA256
01426ab370ff391bb02889da8d02f2198e52e1b7fa3d881c7bb95ba8894bdbbb

SHA512
03f89fd1ff1c14c6b8d9dd73550c860f997f629a7fcc5e4255b4b1199f311cbec7862871b8d5e628f8f5d4175e39189d07499bb62e36e86976b018cccd2a2ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

Filesize
531KB

MD5
9ce448dcd7cf13dd950725957361bdff

SHA1
5831ff31825ea82d90a2989e0fc0a33b859d5f97

SHA256
3dbc5aff076ef9c86a90ad30e963581f7cb22f8e212aa38db29d82cf45b73f80

SHA512
b4a175da3677cd3380cb3789f281f2afb10aa00dc9592217062d66eb9b5e73805886b692975d7244cdd439d8d5bcd0eb5810533284ba4b13ff02a20b792bf74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

Filesize
322KB

MD5
6012d719d664cd0dab751849bc3da328

SHA1
b37720b49d098c95bc4a1f3e8a87da42bd945ad0

SHA256
1ea1ccd4f5156e5f0447e7f5f7d6e342b700d6bf30f81374790a9bac0ef618ac

SHA512
c4db74f910b9ae7188fa3b0e493c4a522ebf16228badfe33a0b84d78342d8b9f2daad502cee2abcfaccd63692ef5461f63aa0628dff49802cc36b6c891fea418

Download Submit
C:\Users\Admin\AppData\Local\Temp\PingMe.exe

Filesize
7KB

MD5
991cd458830ae2008be0c2d8e26c8bd0

SHA1
d519a7ffd8360a47450e60b7d665e666d9df89bc

SHA256
f2ecda9fb1b201d9a120c5906c6b0983205e4858ecea0065499841cf4047eb71

SHA512
e45ce313823e43726418378920c367a4957b2806ee8070d0f4acf63fd1fa893577fbe91fc859c81bd8d6984ca1c0fe9ef0b32200c79106a3f7dcff0b8efdb4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7B4D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\Setup.exe

Filesize
214KB

MD5
5bb92580e92eb5d98f1d8e963a6e4529

SHA1
7ce3c4db350beec6cd2f84c2de3f38427b66a112

SHA256
fbe382699d82be5cd4c8cc55ac1c7e39d966c279c3a3ef6ccfd9a781f465e3d8

SHA512
8ff35886d625b6a62edb70c9fd31f6037ff09089c65f45d8d6e542d3bff468cbb175881fa038e7c6447e7230b84a62c3575ceace7ab82cbda72d86f47b2aab0f

Download Submit
\Users\Admin\AppData\Local\Temp\DF2C4973-BAB0-7891-B3B1-76E5180463BC\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
\Users\Admin\AppData\Local\Temp\DF2C49~1\IECOOK~1.DLL

Filesize
5KB

MD5
5a27c8702510d0b6c698163053fde6d1

SHA1
69fdc602a51e52c603f23a80e9b087c262dce940

SHA256
ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437

SHA512
ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51

Download Submit
\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

Filesize
431KB

MD5
5d92a9fe344dacd3187bf4ff02b35b92

SHA1
d34521d5f05fb5e37579e98dd9726020f6fd0259

SHA256
7c588c57fda89a17d542424310154ec814543cd1b25c3b0d03caf03df485b63f

SHA512
edfad3dd5d31116c0e87e471d9925d4e0f76afd0f1674facfb10028026fdb75f50469eb86d518fe46cebb4c27c858896778233de6e2155ab3dbb0280eccd342c

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
505KB

MD5
5d8d0c08384ad73216d52a2eabc064f5

SHA1
0fa5c77fd6b6323b926c9648679e063d1bbc8bcc

SHA256
30522715240f4a05859099ac370dfb516097ab257402981c6a9ad31951f36cce

SHA512
42a3003019e39622082506c7ae50d8a27e2920fdfdf15eb9a8dbf7f1dbd49a02cd0390dabd74c136ed44e9d8ba270540ce9390f31aa84c2fc9fdfcc9e912dd57

Download Submit
\Users\Admin\AppData\Local\Temp\nst6C2C.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1248-252-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/1248-250-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/1248-246-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/1248-245-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-248-0x0000000002070000-0x00000000020F0000-memory.dmp

Filesize
512KB

Download
memory/2184-247-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-249-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-251-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-197-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2564-50-0x0000000001F90000-0x0000000001F92000-memory.dmp

Filesize
8KB

Download
memory/2616-51-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2804-192-0x00000000037C0000-0x00000000037C2000-memory.dmp

Filesize
8KB

Download
memory/2804-199-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download