Analysis
max time kernel: 407s
max time network: 396s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 29-06-2024 19:36
Behavioral task
behavioral1
Sample
Babylon 1.6.0.0/Babylon RAT.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Babylon 1.6.0.0/ObjectListView.dll
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Babylon 1.6.0.0/SharpDX.DXGI.dll
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
Babylon 1.6.0.0/SharpDX.Direct2D1.dll
Resource
win10-20240404-en
Behavioral task
behavioral5
Sample
Babylon 1.6.0.0/SharpDX.Direct3D10.dll
Resource
win10-20240404-en
Behavioral task
behavioral6
Sample
Babylon 1.6.0.0/SharpDX.dll
Resource
win10-20240404-en
Behavioral task
behavioral7
Sample
Babylon 1.6.0.0/Theme.dll
Resource
win10-20240611-en
Behavioral task
behavioral8
Sample
Babylon 1.6.0.0/server.exe
Resource
win10-20240404-en
General
-
Target
Babylon 1.6.0.0/Babylon RAT.exe
-
Size
6.7MB
-
MD5
aecdce1d7e2a637d1dcacd2b4580487b
-
SHA1
d5cd12f7a18d6777c9ec8458694aa3a74fd23701
-
SHA256
9157a48c53ca7a4543bac5b771886c87ea407bab6bbb053b50bc22709111d572
-
SHA512
8bb5ad64f1b2e75e47c4671396a713018c74c44e84803887c6b4a200ea85f4c020ccfe15211af3899cdcf9d0f46ef994bfd939e462f61062044874f7a64d7a35
-
SSDEEP
98304:KbldsCQTcsBL54TRRTk3w0ZIWoPzSSosDlh7OLifNLxu2UVaCS2e7Csb6j9cgl36:GnPsHqRwvoPzSSosDlhCKzi9/2BO4T
Malware Config
Signatures
-
Babylon RAT
Babylon RAT is a remote access trojan written in C++.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation
Process: Babylon RAT.exe
-
Executes dropped EXE 15 IoCs
pid   Process
4264  upx.exe
4608  ConvertBackup.exe
1012  ConvertBackup.exe
3404  ConvertBackup.exe
2416  ConvertBackup.exe
4232  ConvertBackup.exe
4660  ConvertBackup.exe
1604  upx.exe
1876  so.exe
820   so.exe
2620  so.exe
4104  so.exe
3820  so.exe
192   so.exe
5040  so.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description: Key opened
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: so.exe

description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: so.exe
-
Modifies registry class 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid   Process
4920  Babylon RAT.exe
4608  ConvertBackup.exe
1876  so.exe
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
description                  pid   Process
Token: SeShutdownPrivilege   4608  ConvertBackup.exe
Token: SeDebugPrivilege      4608  ConvertBackup.exe
Token: SeTcbPrivilege        4608  ConvertBackup.exe
Token: SeShutdownPrivilege   1012  ConvertBackup.exe
Token: SeDebugPrivilege      1012  ConvertBackup.exe
Token: SeTcbPrivilege        1012  ConvertBackup.exe
Token: SeShutdownPrivilege   3404  ConvertBackup.exe
Token: SeDebugPrivilege      3404  ConvertBackup.exe
Token: SeTcbPrivilege        3404  ConvertBackup.exe
Token: SeShutdownPrivilege   2416  ConvertBackup.exe
Token: SeDebugPrivilege      2416  ConvertBackup.exe
Token: SeTcbPrivilege        2416  ConvertBackup.exe
Token: SeShutdownPrivilege   4232  ConvertBackup.exe
Token: SeDebugPrivilege      4232  ConvertBackup.exe
Token: SeTcbPrivilege        4232  ConvertBackup.exe
Token: SeShutdownPrivilege   4660  ConvertBackup.exe
Token: SeDebugPrivilege      4660  ConvertBackup.exe
Token: SeTcbPrivilege        4660  ConvertBackup.exe
Token: SeShutdownPrivilege   1876  so.exe
Token: SeDebugPrivilege      1876  so.exe
Token: SeTcbPrivilege        1876  so.exe
Token: SeShutdownPrivilege   820   so.exe
Token: SeDebugPrivilege      820   so.exe
Token: SeTcbPrivilege        820   so.exe
Token: SeShutdownPrivilege   2620  so.exe
Token: SeDebugPrivilege      2620  so.exe
Token: SeTcbPrivilege        2620  so.exe
Token: SeShutdownPrivilege   4104  so.exe
Token: SeDebugPrivilege      4104  so.exe
Token: SeTcbPrivilege        4104  so.exe
Token: SeShutdownPrivilege   3820  so.exe
Token: SeDebugPrivilege      3820  so.exe
Token: SeTcbPrivilege        3820  so.exe
Token: SeShutdownPrivilege   192   so.exe
Token: SeDebugPrivilege      192   so.exe
Token: SeTcbPrivilege        192   so.exe
Token: SeShutdownPrivilege   5040  so.exe
Token: SeDebugPrivilege      5040  so.exe
Token: SeTcbPrivilege        5040  so.exe
-
Suspicious use of FindShellTrayWindow 8 IoCs
pid   Process
4920  Babylon RAT.exe
4920  Babylon RAT.exe
4920  Babylon RAT.exe
1216  iexplore.exe
4920  Babylon RAT.exe
4920  Babylon RAT.exe
1876  so.exe
4920  Babylon RAT.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
pid   Process
4920  Babylon RAT.exe
4920  Babylon RAT.exe
4920  Babylon RAT.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
pid   Process
4920  Babylon RAT.exe
4608  ConvertBackup.exe
4920  Babylon RAT.exe
4920  Babylon RAT.exe
1876  so.exe
1216  iexplore.exe
1216  iexplore.exe
3356  IEXPLORE.EXE
3356  IEXPLORE.EXE
3356  IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   Process            procid_target
PID 4920 wrote to memory of 4264  4920  Babylon RAT.exe    75
PID 4920 wrote to memory of 4264  4920  Babylon RAT.exe    75
PID 4920 wrote to memory of 4264  4920  Babylon RAT.exe    75
PID 4608 wrote to memory of 1012  4608  ConvertBackup.exe  82
PID 4608 wrote to memory of 1012  4608  ConvertBackup.exe  82
PID 4608 wrote to memory of 1012  4608  ConvertBackup.exe  82
PID 4920 wrote to memory of 1604  4920  Babylon RAT.exe    87
PID 4920 wrote to memory of 1604  4920  Babylon RAT.exe    87
PID 4920 wrote to memory of 1604  4920  Babylon RAT.exe    87
PID 1216 wrote to memory of 3356  1216  iexplore.exe       97
PID 1216 wrote to memory of 3356  1216  iexplore.exe       97
PID 1216 wrote to memory of 3356  1216  iexplore.exe       97
Processes
-
C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\Babylon RAT.exe"C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\Babylon RAT.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\upx.exe"C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\upx.exe" "C:\Users\Admin\Desktop\ConvertBackup.exe"2⤵
- Executes dropped EXE
PID:4264
-
-
C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\upx.exe"C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\upx.exe" "C:\Users\Admin\Downloads\so.exe"2⤵
- Executes dropped EXE
PID:1604
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3836
-
C:\Users\Admin\Desktop\ConvertBackup.exe"C:\Users\Admin\Desktop\ConvertBackup.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Users\Admin\Desktop\ConvertBackup.exe"C:\Users\Admin\Desktop\ConvertBackup.exe" 46082⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
C:\Users\Admin\Desktop\ConvertBackup.exe"C:\Users\Admin\Desktop\ConvertBackup.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404
-
C:\Users\Admin\Desktop\ConvertBackup.exe"C:\Users\Admin\Desktop\ConvertBackup.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
C:\Users\Admin\Desktop\ConvertBackup.exe"C:\Users\Admin\Desktop\ConvertBackup.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4232
-
C:\Users\Admin\Desktop\ConvertBackup.exe"C:\Users\Admin\Desktop\ConvertBackup.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660
-
C:\Users\Admin\Downloads\so.exe"C:\Users\Admin\Downloads\so.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1876
-
C:\Users\Admin\Downloads\so.exe"C:\Users\Admin\Downloads\so.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:820
-
C:\Users\Admin\Downloads\so.exe"C:\Users\Admin\Downloads\so.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
C:\Users\Admin\Downloads\so.exe"C:\Users\Admin\Downloads\so.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
C:\Users\Admin\Downloads\so.exe"C:\Users\Admin\Downloads\so.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3820
-
C:\Users\Admin\Downloads\so.exe"C:\Users\Admin\Downloads\so.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:192
-
C:\Program Files\Internet Explorer\iexplore.exe | cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | depth 1
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:82945 /prefetch:2 | depth 2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3356
-
-
C:\Users\Admin\Downloads\so.exe | cmdline: "C:\Users\Admin\Downloads\so.exe" | depth 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
C:\Windows\SysWOW64\DllHost.exe | cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | depth 1
PID:2184
Network
MITRE ATT&CK Enterprise v15
Downloads