498113b29a64ee2857837b4454259540743a793a74514ffd8b356ab7a5a868df

Analysis

max time kernel
92s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/bundle.exe
Size

1.4MB
MD5

2d1a8fe877c2c3a251d9b064438fa132
SHA1

af6eed972b2c3d819c20b1cca83b91b1819fb4f5
SHA256

c919043ac844a08523b83e22071824de50998307b11e719503d08cf2d532f847
SHA512

86d57ba82c93a1dea122b993b9f735cbf080efc6ce8bdea76f4585edc39a936ca043c05123976c15d5a9edaa6a55d0888fbf6434f2fea5c2d4e9eae30434f24d
SSDEEP

24576:GPOaKA8LjZ6hD2La+5mPIalInV/CpGkL7QB2BSAVv+6GsB93xXvAwsj6DQM71Wnw:Q8YWaDwae/oGi722QAVv+TsBDvArj68M

Score

7^/10

adware discovery evasion spyware stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	MainInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	bundle.exe

Executes dropped EXE 6 IoCs

pid	Process
1500	MyBabylonTB.exe
4384	Setup.exe
4620	MainInstaller.exe
1588	Setup.exe
5024	PingMe.exe
2464	PingMe.exe

Loads dropped DLL 5 IoCs

pid	Process
3828	bundle.exe
4108	rundll32.exe
4384	Setup.exe
4792	rundll32.exe
1588	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll"	Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\NoExplorer = "1"	Setup.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\skin\overlay.css	Setup.exe
File created	C:\Program Files (x86)\2YourFace\2YourFace.crx	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome.manifest	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.xul	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.properties	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\install.rdf	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\content\overlay.js	Setup.exe
File created	C:\Program Files (x86)\2YourFace\uninst.exe	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\content\ff-overlay.js	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\chrome\locale\en-US\overlay.dtd	Setup.exe
File created	C:\Program Files (x86)\2YourFace\bho.dll	Setup.exe
File created	C:\Program Files (x86)\2YourFace\ffextension\defaults\preferences\prefs.js	Setup.exe
File created	C:\Program Files (x86)\2YourFace\FF8Installer.exe	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral10/files/0x0006000000023228-124.dat	nsis_installer_1
behavioral10/files/0x0006000000023228-124.dat	nsis_installer_2
behavioral10/files/0x0006000000023228-123.dat	nsis_installer_1
behavioral10/files/0x0006000000023228-123.dat	nsis_installer_2
behavioral10/files/0x0004000000022e1f-128.dat	nsis_installer_1
behavioral10/files/0x0004000000022e1f-128.dat	nsis_installer_2
behavioral10/files/0x0004000000022e1f-129.dat	nsis_installer_1
behavioral10/files/0x0004000000022e1f-129.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=109035&babsrc=SP_ss&mntrId=2c5a624700000000000066bcdf92515d"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID="	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID=\|URI="	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}	Setup.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=109035&babsrc=HP_ss&mntrId=2c5a624700000000000066bcdf92515d"	Setup.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a0b374b233323170b5d730367175d133763035d4b434b375d675753533337130b234373935a06010101fde36aed001e710b66	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ = "C:\\Program Files (x86)\\2YourFace\\bho.dll"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32\ThreadingModel = "Apartment"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\ = "2YourFace Addon"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}\InProcServer32	Setup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4384	Setup.exe
Token: SeTakeOwnershipPrivilege	4384	Setup.exe
Token: SeDebugPrivilege	2464	PingMe.exe
Token: SeDebugPrivilege	5024	PingMe.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 1500	3828	bundle.exe	40
PID 3828 wrote to memory of 1500	3828	bundle.exe	40
PID 3828 wrote to memory of 1500	3828	bundle.exe	40
PID 1500 wrote to memory of 4384	1500	MyBabylonTB.exe	49
PID 1500 wrote to memory of 4384	1500	MyBabylonTB.exe	49
PID 1500 wrote to memory of 4384	1500	MyBabylonTB.exe	49
PID 3828 wrote to memory of 4620	3828	bundle.exe	86
PID 3828 wrote to memory of 4620	3828	bundle.exe	86
PID 3828 wrote to memory of 4620	3828	bundle.exe	86
PID 4620 wrote to memory of 1588	4620	MainInstaller.exe	87
PID 4620 wrote to memory of 1588	4620	MainInstaller.exe	87
PID 4620 wrote to memory of 1588	4620	MainInstaller.exe	87
PID 4620 wrote to memory of 5024	4620	MainInstaller.exe	91
PID 4620 wrote to memory of 5024	4620	MainInstaller.exe	91
PID 3828 wrote to memory of 2464	3828	bundle.exe	89
PID 3828 wrote to memory of 2464	3828	bundle.exe	89

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bundle.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe
  C:\Users\Admin\AppData\Local\Temp\\MyBabylonTB.exe /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\Setup.exe" /aflt=babsst /babTrack="affID=109035" /srcExt=ss /instlRef=sst /S /mhp /mnt /mds -notb
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EB12F4~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache URI|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      Modifies Internet Explorer settings
      PID:4108
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EB12F4~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      Modifies Internet Explorer settings
      PID:4792
- C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe
  C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe /PID=104 /SUB= /NOTIFY=0 /FFP=0 /SILENT=1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    C:\Users\Admin\AppData\Local\Temp\Setup.exe /PID=104 /NOTIFY=0 /FFR=1 /FFP=0 /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies registry class
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\PingMe.exe
    "C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=2YourFace&status=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- C:\Users\Admin\AppData\Local\Temp\PingMe.exe
  "C:\Users\Admin\AppData\Local\Temp\PingMe.exe" http://www.outbrowse.com/install.php?publisher=104&bundle=2YourFace&product=Babylon&status=
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\BExternal.dll

Filesize
126KB

MD5
743acbf54eb091066be6ab3cb12c5988

SHA1
43a205985790c47a7e611fa2d3cab9b4eb59121f

SHA256
fcee9d5c80b11b82add301e142dea2b40b05f0839ef7cd0a8b0fff84a67eccd0

SHA512
014cf6b9896a2f76b8d110bce862c46a56471ae74582cbae7af672af49ae052d7827fc28806dbe80c911d05c4688d7e08ef486bc7d7acc2b05fa7b2b3f2a3689

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\BabyTBConf.ini

Filesize
578B

MD5
d30ad61ae6fa1947eefef0ff2b90dd4d

SHA1
463c4c14f7c9ddb1068d385f01e684a24f091fda

SHA256
5ef9285d7304e48bb54d43940842b03b49a6e0fb2d6bc73cfee902086203878d

SHA512
014fb1826e9c15e299eeedbfc20a9842d1d849814b60804b0c6a0226b934cc97c74089fb5e820198c116ffa93c90f14ee8773ecb26d81e5ff20bf1609aa07845

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\Babylon.dat

Filesize
12KB

MD5
adbb6a655ae518830ba1afefdb84668f

SHA1
a1be53d99a67fff011ea035c310588e635c718e1

SHA256
7029ed42440ab0b23c76c2800871002151776f927cc77855590e79b31b96838c

SHA512
b5ddfa301fdcd852a35c6b8a5d4eed78c43bc250d7e2c7d95b548d5f5ce216f2b9f5eabf5e1c0c87691d735fc1ac7a33a5c236c5560a4777ef7bf75510f0b228

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\blueStar.png

Filesize
14KB

MD5
a7fcdf142648bac756fcfe06a31f42e4

SHA1
4df99b119c183c821ed1bf0f825536318c9c3353

SHA256
008aebc73a7bd79e914db753b83a385c1aac320ebbcf4ead8fa49f74e3f30f22

SHA512
ddd8571b02909ede720af8e27044e126002a749719f41fe65d44004a5165ebfd90e5cca007e6014194de510a0076862839ecd056bf0043113337ab25086037eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\eula.html

Filesize
79KB

MD5
1b73a781f7f5b0d61624bd97050a2ed0

SHA1
01b848625761d5dede115e8599e4c72f126f8a3c

SHA256
f7f4148b58242a889a8694d734e49ca96bdad63d7fa5d5be130acfa9414b5cb5

SHA512
76eb4cd01eae14b0050802ad4cd0e401e2e65705d4d4b8c25e3632bd24745ec85df129c51332500823953755314a51907f0a713d0c2011054490acebc9c2787f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\globe.png

Filesize
33KB

MD5
cc53fb9e9456eb79479151090cb16cbd

SHA1
e61004bf729757f3f225f77f0236b82518f68662

SHA256
3eca21891a2b484a38098410c5d8410361e91ae4dd84cb565891281145501f42

SHA512
0aac27727044ef9cf05e7a8d35d4395c9812a9169fd1661f95f53a2d809a7a73a034058b8080529ab50471688877cfdb45a282308ef86eb4812a2d734e02d28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\options.js

Filesize
119B

MD5
771f230f8bbc96a03b13976667918f1f

SHA1
0fba422c76b89cdb5d12e657064c49a9b1b7abae

SHA256
92db8b549583a5498689a42840a282f33d734c3cb081ac6f896377e56d043252

SHA512
b8209b679f30fea49ea34b77b7f4126acef962a17b292cbab711660c7ec23646bab91e66ce49fde6570ee3c053bb6b8d521b6917cb16f3e925ce8f82d7b4c8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\pBar.gif

Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\page0.html

Filesize
1KB

MD5
cf33120dd42cee842d96532843bb1961

SHA1
1db4f3e0aa1e4036a078a05f48fefdbb8744e3cf

SHA256
783a0e39d4a751462e26e4acfcf6fb4953f818980ad3d7d7fb821ac35c00c29f

SHA512
889d4043672b551a08979054add55bca4c5a4438fef5189b1ecf309c803ff1468664ed1123b0d22ceecb21a7bc5cfbf85a7428ed72ad7be04596185432aa68e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\page2.css

Filesize
2KB

MD5
085cf46c4d1c8dea9edd79ee37d6d5bd

SHA1
30cb66994c45261a4aaa6d9ecdf1b1890ed09b45

SHA256
9ca3bd0f0c3ac1533fcda2e20e2fb3c18deb40986b37ae6edff594becb82405d

SHA512
66ea917206a7e771e48e3734004e6b96619c5534cca35c2e59e7c2922bec7dca5fbb6536e8940013871becce7493b0e2b1844cc5f37668396639c6d7c7e321a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\page2.html

Filesize
3KB

MD5
12152ded3604e8baaf82c078f8034d60

SHA1
0867dec241a257e3e9ad9e8d20b9e06e3bce7184

SHA256
abb8953ffc3818e54e86019e1920595d65ba0997f3fd7fd47480a450cd7ee485

SHA512
a38ed7d7ef0be98ef362b4f5345961ac56f2db9e184b8a405dd3b09611796fda2189837a3bc0c27152276225a2fd4c8bfe8324c70df0d67b9cc826212448e79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\page2Lrg.css

Filesize
1KB

MD5
db15b568f9d195635b3fcab87ef6293f

SHA1
6ae0f374531cb3013857880e8469a103492b8393

SHA256
5d7bd6b3acb31788f12475528d51d98778f1dbc940b2d6dc6317704d17d0964d

SHA512
a8d2baf03d85e31847b21ee5c193d11e2f7ccd9ed7630feab3c8e4fe780bc62d1847ff4608654b3201fa6c39175c7d6e650163d9347db40454935856af3f7af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\page3.css

Filesize
1KB

MD5
07784ad77f30fa018949e412b2257aab

SHA1
8595c222a3741bfa83c5a4d982c845c8038062a6

SHA256
226a67f6e05fd889f91253158e583c443cbc7c27d29e8b441925849f820565cf

SHA512
2fe022c30d9280f224ca159edf485ca7ba870bd32b7fb82ee86b3657cdd2e9bdf52525408566ec3ecff80660390f8fac8f04b166623082c706213597f1178cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\page3.html

Filesize
1KB

MD5
b23c25988099403433efb7fb64715676

SHA1
e833527e1c021b311286e6e2d1c2f0530be0a565

SHA256
7f2252432fff22505b6fbcce5077a9f455006f724dfa705fbc0540325a14c28c

SHA512
8f721e25e47fc5508a0ae1d887a556c22b64b9eb4d2a7ad019b0ddbe4c91649ca52c4582e3cf99338f4b779bd50832110054c46e9bf9f2ffc9a4469343f6838f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\page3Lrg.css

Filesize
977B

MD5
b3520c555c46a7020d8f27bfe81df0ca

SHA1
59398086abe3987c2a91edacb74eca94bbd63d7d

SHA256
74a9e635dc555a07820a288d0dfe05adea386292757f4cd6933ba3ce6697bef6

SHA512
0b3243cd84b44be79cc7d45a1e18d9840cb393aaf0b82229a0e5a4378d4588c1d65f1ba80530fa10659777fa6ca7b45785fe4fd4aff8dc6047956f93299c5ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\progress.png

Filesize
2KB

MD5
dee08d8cbcdeb8013adf28ecf150aaf3

SHA1
c61cd9b1bd0127244b9d311f493fc514aa5c08d6

SHA256
eb7dbbb4b7f4020a91f5b64084fb3ce08aeac2f72be66959332041ed06b59bf5

SHA512
c7ff9e00e5afd3b14947006127c912a3c0e7e7fbdde558f5575e6499deb27eb39199206497bfa4372ce469a0fac64df03ec165c0565a619774531c7311d3223f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\setup.js

Filesize
13KB

MD5
a95607ce49fa0af8ed7a3f5667c3eb31

SHA1
5e4b5a30e56c42329afdf216625bf35be69a82aa

SHA256
01d6d025c169e9c36600d097749f76f8e877846cd8733b7dd958aaea7c54884c

SHA512
1f1fe95c04964de2f3fd73a7ba1632fecaf1c9ec80f918859eb91702e10333f1ba0342a85d1129ddb48cbc3ab74a5dcf92f8c4c053f683ecdbf34dee0112015b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\title.png

Filesize
25KB

MD5
12ef76069cc40b8ad478d9091915ded6

SHA1
fabad560b6e6839f9e5ae1268695d11ca35f9d74

SHA256
4be568ed2044e1b74bc1d61d13ce71080e5a9717ed481616a6efc1ec4c35dd0c

SHA512
5625082a87aa75266c9680a4f4b31eb7b1df084bba6c7e2e70512f232556f9029af06a0a63b342ffc220bf3797cc09f333437fe26547ea6494913f1c59b2e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\HtmlScreens\toolBar.jpg

Filesize
19KB

MD5
56dc3cb42b46309e642c15167003685d

SHA1
045749de2c1492e5dfc4c44f9eb6c0feefe06b3d

SHA256
bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1

SHA512
5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\IECookieLow.dll

Filesize
5KB

MD5
5a27c8702510d0b6c698163053fde6d1

SHA1
69fdc602a51e52c603f23a80e9b087c262dce940

SHA256
ccba25e2b6462f5f5646ab9c2e1f63a941b1ab7911d3e0a32a29ebb65cbda437

SHA512
ecf38339ff38b601509a1f5aee16cd0ee7c70662940a81f45e18f91581a8b2964129603b47606f762b371245b039d4faa91b30cff125d46d32253a0e88401e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\Setup.exe

Filesize
446KB

MD5
44b16b67542d07705c64de3d117a6cdb

SHA1
b6a8e033d9f699fb06fac624075f1b469dcee333

SHA256
93556b7a2a698d3798e9b774ae678395bd550778b58eab5a746834715fd0bcf2

SHA512
873a1614f54f7fdd8875fa79c530081e5052695b0dad5e252b2c91be0985a85916a39e144a4d98d35cb8bb1ff2ec82ebd4808c56dc29ce1d490bc1585d6bf0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\Setup.exe

Filesize
340KB

MD5
d0c7d702fafdeb70966458770b0b0db1

SHA1
d56a4566ce28a7f6aecc6a4434f5024a87240c43

SHA256
d9163ec0b2017c73a43b4f7472eee319818603c0796ce70b103409567bc08328

SHA512
5b65b2ec4c4c7f57be159811b78893f51338e2206a994c8b8a137630bdd5a78e8206376f810314a407ce2f124e15c046fced584b150bb5b363cbfe605393b6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\SetupStrings.dat

Filesize
63KB

MD5
07bb1523dc51ec1fd5913b0a70ab98ee

SHA1
216f853cb251f32f5c91345404efd48f041ad5bd

SHA256
31fdb44bc58ee37f01712c2e9b5f0f7c29058a6cd7f869df2f0ee6d77a552dc2

SHA512
8ae9b6ca8a6e6f9692161422b5815944a7ef6e74ff51dbfd9a0dee83828b1140ce399fc40765313e6d2657603731bdd1c791b56df07fe42fb2d152b584d922db

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\bab033.tbinst.dat

Filesize
236B

MD5
1ee8c638e49ee7137607722768afc5a2

SHA1
8719d7a498a49b042cd6fc411cac6c44f3c0f43a

SHA256
1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e

SHA512
2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\sign

Filesize
80KB

MD5
73dbc500e121b83ec57bb2563203259a

SHA1
658adac13fc362f5292cbbda19ade1d228ff7901

SHA256
9fb7ed24ed57aebd1314119ad70fee1d74c614bfd3c8fcc85716797803de8878

SHA512
c5fd20a4d90f16c147e02afc82b477054b3bfa8d321017f32f99606febc076bed86b249f372779c3582f8a3de859b8d3998b0bdbc873953d9e5e15b552fafc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\sqlite3.dll

Filesize
356KB

MD5
58ec40709a22a949f39ffd89bb7f51db

SHA1
37c9888b9fc75acf6fe45ae99d8fdec62157eecc

SHA256
a07e76fc80d5a0d88d3484cb37bfa98915ae1bbf4f363d9fbe55322bd71b288e

SHA512
854e6e018de0a2f0b690c31d25025c657234936a4e9fcf0cab4d8d559682eafd6d2c3f0645422fbfcebca0a64ed0128d8d7f0d97ee405b15eb249b89fda7f41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB12F423-BAB0-7891-BDA9-492998BD279A\sqlite3.dll

Filesize
378KB

MD5
1901e0a3acf78ada502b6b9461f16199

SHA1
424af5ada3217ea410fb583d60d0cc45720cc22f

SHA256
96a3b42363a92c74165aeed29ed5546787d665e75fc715e0a40c40eebf9ea7b7

SHA512
a51ed70a5d709f1bfc65e15c939ad85082b2dce252fe1bc5408c4527b5405a277ef30c5bf05690f0cd1f7ea9344a359a9a35e6a28c831e382a55340a098621db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

Filesize
107KB

MD5
234f29237e07a12efdd097dee6ed4a58

SHA1
fb040ad367904d4e96c4d5bd250c8a83399a4f43

SHA256
5fd081a88e59cfa4c3be1d9247d1d560c152bbef271135d754836e7df0c724e9

SHA512
35f85c17d6b013b60f947a2bdcb402369bdc0d53715791fd8eea98bd1eca91b5baacb748b371ce99242c2095840c4ee6d292bd3c6641a5d77517ae8fdae1b90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainInstaller.exe

Filesize
89KB

MD5
0fdb77c0fafb7f940a22a7de66973f7a

SHA1
5d64e72c54d4c087a56b551378866841cd731576

SHA256
d6f2766f25ea9f0aac121c0abea5db03b39404cca9c048de5c79c11b3f9608dd

SHA512
8e213400d14352dfe4cf42012a93d19c024722e193f4886e299e1b9c547334de8be6f0e8d8168c22d04f5279e2fcb49521d2b7bb22294fee8cc3369a20141f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

Filesize
2KB

MD5
9fc3f2a6a9e20828164e5451a938004a

SHA1
aeaebdb8f61f49413a0299b12dc05fce9954d310

SHA256
7e9751ecb98443878656d0af67031f6a01e4d3a152bfc8cbb073565f20bf85cf

SHA512
e2966e84c53fe169e393f1b86d1ab98654123f2cc4b8528ada5fba0f00cb57778be7ba8283acbde0a29e56c900f5b87ce530d68c30e863286bd55ea80e6301c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyBabylonTB.exe

Filesize
17KB

MD5
10b12d6e64e8a79fbcab23e9762643ce

SHA1
2a46dd9ac0715a88ff4796fce9b2fd3c0a14e94d

SHA256
3f7504ec375037851622e827401c9cf1d9be806c4c2aba08e4fed39dcf8a891e

SHA512
ed5b67fcc831fb8fb1330c0a1365b282d0d36f06e1bdb5e53d5a6251645b85ce4c4a92258e6bed1c7f4c93c01f419c74f6553747145d2e06435b6591f8fdcb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\PingMe.exe

Filesize
7KB

MD5
991cd458830ae2008be0c2d8e26c8bd0

SHA1
d519a7ffd8360a47450e60b7d665e666d9df89bc

SHA256
f2ecda9fb1b201d9a120c5906c6b0983205e4858ecea0065499841cf4047eb71

SHA512
e45ce313823e43726418378920c367a4957b2806ee8070d0f4acf63fd1fa893577fbe91fc859c81bd8d6984ca1c0fe9ef0b32200c79106a3f7dcff0b8efdb4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
64KB

MD5
20865448271e3e824d9ad1e28f59b499

SHA1
03daf2a399f34374381d3480edd13fec725af62c

SHA256
081db38f0e9d1a82366dd51e5029be160d96bf3080f7f6e2ab4d744bed6f4dce

SHA512
d16206b8301013cf52c5fbfdb99278668047eeb2ef32fb6aefef3247be35678a47e4de0cb9ac649048ce3667e4c04e84a556a96fb878615f285f404fa6394b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
87KB

MD5
dd2123a21de221bd32e1d828aa9ee428

SHA1
5224e2b339b541a5ba1a28ba045acf17f1f0ea49

SHA256
1675f9f9ef8c1de20f06a72c52b3d4e8fa03fdf563df87577fb95b96daf39c88

SHA512
f73d4db869f04d1bed45e3e3915bcaf4a7653af2b1eddff97e9d0914c98da135e199d28dec9455926afead2d9637567ec8b5e61bedd10c3431be97b5cee29418

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5BEC.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/2464-165-0x000000001BDE0000-0x000000001C2AE000-memory.dmp

Filesize
4.8MB

Download
memory/2464-166-0x00007FFA49B70000-0x00007FFA4A511000-memory.dmp

Filesize
9.6MB

Download
memory/2464-167-0x00007FFA49B70000-0x00007FFA4A511000-memory.dmp

Filesize
9.6MB

Download
memory/2464-170-0x00007FFA49B70000-0x00007FFA4A511000-memory.dmp

Filesize
9.6MB

Download
memory/4384-120-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/5024-163-0x00007FFA49B70000-0x00007FFA4A511000-memory.dmp

Filesize
9.6MB

Download
memory/5024-164-0x00000000019C0000-0x00000000019D0000-memory.dmp

Filesize
64KB

Download
memory/5024-168-0x00007FFA49B70000-0x00007FFA4A511000-memory.dmp

Filesize
9.6MB

Download
memory/5024-171-0x00007FFA49B70000-0x00007FFA4A511000-memory.dmp

Filesize
9.6MB

Download