babylonrat | 761c15ae1628af04e552eab0fc10f2e315ac73aaaf255f050104b3fcf624f976

Analysis

max time kernel
407s
max time network
396s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-06-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Babylon 1.6.0.0/Babylon RAT.exe
Size

6.7MB
MD5

aecdce1d7e2a637d1dcacd2b4580487b
SHA1

d5cd12f7a18d6777c9ec8458694aa3a74fd23701
SHA256

9157a48c53ca7a4543bac5b771886c87ea407bab6bbb053b50bc22709111d572
SHA512

8bb5ad64f1b2e75e47c4671396a713018c74c44e84803887c6b4a200ea85f4c020ccfe15211af3899cdcf9d0f46ef994bfd939e462f61062044874f7a64d7a35
SSDEEP

98304:KbldsCQTcsBL54TRRTk3w0ZIWoPzSSosDlh7OLifNLxu2UVaCS2e7Csb6j9cgl36:GnPsHqRwvoPzSSosDlhCKzi9/2BO4T

Score

10^/10

babylonrat trojan upx

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Babylon RAT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	Babylon RAT.exe

Executes dropped EXE 15 IoCs

Processes:

upx.exeConvertBackup.exeConvertBackup.exeConvertBackup.exeConvertBackup.exeConvertBackup.exeConvertBackup.exeupx.exeso.exeso.exeso.exeso.exeso.exeso.exeso.exe

pid	process
4264	upx.exe
4608	ConvertBackup.exe
1012	ConvertBackup.exe
3404	ConvertBackup.exe
2416	ConvertBackup.exe
4232	ConvertBackup.exe
4660	ConvertBackup.exe
1604	upx.exe
1876	so.exe
820	so.exe
2620	so.exe
4104	so.exe
3820	so.exe
192	so.exe
5040	so.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\upx.exe	upx
behavioral1/memory/4264-28-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral1/memory/4264-36-0x0000000000400000-0x000000000059C000-memory.dmp	upx
C:\Users\Admin\Desktop\ConvertBackup.exe	upx
behavioral1/memory/4608-39-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/4608-42-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/1012-43-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/4608-46-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/3404-48-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/3404-50-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/2416-55-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/4232-58-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/4660-60-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/4608-61-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/1604-86-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral1/memory/4608-88-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
C:\Users\Admin\Downloads\so.exe	upx
behavioral1/memory/1876-92-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/820-95-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/2620-99-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/4608-97-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/2620-101-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/4104-103-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/3820-107-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/192-109-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/5040-112-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/1876-114-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/4608-121-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/1876-124-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/4608-126-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/1876-128-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/4608-168-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/1876-190-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/4608-191-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/1876-249-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/4608-278-0x00000000013C0000-0x0000000001489000-memory.dmp	upx
behavioral1/memory/1876-280-0x00000000010D0000-0x0000000001199000-memory.dmp	upx
behavioral1/memory/1876-283-0x00000000010D0000-0x0000000001199000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

so.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	so.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	so.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06d0c235ccada01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008184d0691bc89b45943f8497c1abf5c7000000000200000000001066000000010000200000005b6e45eb7659cb5fa78feaa5de945e14b46946064187b836d4c5493af2afcb0a000000000e8000000002000020000000b1be073d899658f4b51e3fab90a6a80c5f62b6d57e2daecc5e17fc4a9d4aa5cc2000000061637a77740a3bbad0454b0bd01030bfee0097bddcf20e93a91d0f48796060a74000000090e01a74db35b4ebe100642f170b26b06afb8f4b223ea0afe2dbd79c5a8dfeef5658dca1bd99c822e11002006fc94dcf5ad36290037f3b1a9147c9a8225942e4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115868"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008184d0691bc89b45943f8497c1abf5c70000000002000000000010660000000100002000000048e8eda160521a88c7480b74f66524501f945e2eb0f8292fc66d39a67a529513000000000e80000000020000200000001f4d068cdb6f40003e6c37841600aed13ae691ef7f2387a3d3a4339d6ecb3aac20000000ff0cbc39bd23629b67f17140ae778ddcc89867661740e672f1a08830817fc76f40000000e7e2a9ed054423b0c6f8ecb0724f8d12796f71ec5810b4e1adb501ea9e2c45384b5e2ed1fd4e56e92f7539afabdbba53fa8d2b998afd9d97cae43551e0e6d058	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C79DAE4-364F-11EF-A993-524829B8D7A9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115868"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0230a235ccada01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "555992302"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "555992302"	iexplore.exe

Modifies registry class 64 IoCs

Processes:

Babylon RAT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Babylon RAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000a4aa36d68986da01083e0dd78986da0157dc0ad78986da0114000000	Babylon RAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Babylon RAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Babylon RAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Babylon RAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Babylon RAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Babylon RAT.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

Babylon RAT.exeConvertBackup.exeso.exe

pid process

4920 Babylon RAT.exe
4608 ConvertBackup.exe
1876 so.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

ConvertBackup.exeConvertBackup.exeConvertBackup.exeConvertBackup.exeConvertBackup.exeConvertBackup.exeso.exeso.exeso.exeso.exeso.exeso.exeso.exe

description	pid	process
Token: SeShutdownPrivilege	4608	ConvertBackup.exe
Token: SeDebugPrivilege	4608	ConvertBackup.exe
Token: SeTcbPrivilege	4608	ConvertBackup.exe
Token: SeShutdownPrivilege	1012	ConvertBackup.exe
Token: SeDebugPrivilege	1012	ConvertBackup.exe
Token: SeTcbPrivilege	1012	ConvertBackup.exe
Token: SeShutdownPrivilege	3404	ConvertBackup.exe
Token: SeDebugPrivilege	3404	ConvertBackup.exe
Token: SeTcbPrivilege	3404	ConvertBackup.exe
Token: SeShutdownPrivilege	2416	ConvertBackup.exe
Token: SeDebugPrivilege	2416	ConvertBackup.exe
Token: SeTcbPrivilege	2416	ConvertBackup.exe
Token: SeShutdownPrivilege	4232	ConvertBackup.exe
Token: SeDebugPrivilege	4232	ConvertBackup.exe
Token: SeTcbPrivilege	4232	ConvertBackup.exe
Token: SeShutdownPrivilege	4660	ConvertBackup.exe
Token: SeDebugPrivilege	4660	ConvertBackup.exe
Token: SeTcbPrivilege	4660	ConvertBackup.exe
Token: SeShutdownPrivilege	1876	so.exe
Token: SeDebugPrivilege	1876	so.exe
Token: SeTcbPrivilege	1876	so.exe
Token: SeShutdownPrivilege	820	so.exe
Token: SeDebugPrivilege	820	so.exe
Token: SeTcbPrivilege	820	so.exe
Token: SeShutdownPrivilege	2620	so.exe
Token: SeDebugPrivilege	2620	so.exe
Token: SeTcbPrivilege	2620	so.exe
Token: SeShutdownPrivilege	4104	so.exe
Token: SeDebugPrivilege	4104	so.exe
Token: SeTcbPrivilege	4104	so.exe
Token: SeShutdownPrivilege	3820	so.exe
Token: SeDebugPrivilege	3820	so.exe
Token: SeTcbPrivilege	3820	so.exe
Token: SeShutdownPrivilege	192	so.exe
Token: SeDebugPrivilege	192	so.exe
Token: SeTcbPrivilege	192	so.exe
Token: SeShutdownPrivilege	5040	so.exe
Token: SeDebugPrivilege	5040	so.exe
Token: SeTcbPrivilege	5040	so.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Babylon RAT.exeiexplore.exeso.exe

pid	process
4920	Babylon RAT.exe
4920	Babylon RAT.exe
4920	Babylon RAT.exe
1216	iexplore.exe
4920	Babylon RAT.exe
4920	Babylon RAT.exe
1876	so.exe
4920	Babylon RAT.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Babylon RAT.exe

pid process

4920 Babylon RAT.exe
4920 Babylon RAT.exe
4920 Babylon RAT.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Babylon RAT.exeConvertBackup.exeso.exeiexplore.exeIEXPLORE.EXE

pid	process
4920	Babylon RAT.exe
4608	ConvertBackup.exe
4920	Babylon RAT.exe
4920	Babylon RAT.exe
1876	so.exe
1216	iexplore.exe
1216	iexplore.exe
3356	IEXPLORE.EXE
3356	IEXPLORE.EXE
3356	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Babylon RAT.exeConvertBackup.exeiexplore.exe

description	pid	process	target process
PID 4920 wrote to memory of 4264	4920	Babylon RAT.exe	upx.exe
PID 4920 wrote to memory of 4264	4920	Babylon RAT.exe	upx.exe
PID 4920 wrote to memory of 4264	4920	Babylon RAT.exe	upx.exe
PID 4608 wrote to memory of 1012	4608	ConvertBackup.exe	ConvertBackup.exe
PID 4608 wrote to memory of 1012	4608	ConvertBackup.exe	ConvertBackup.exe
PID 4608 wrote to memory of 1012	4608	ConvertBackup.exe	ConvertBackup.exe
PID 4920 wrote to memory of 1604	4920	Babylon RAT.exe	upx.exe
PID 4920 wrote to memory of 1604	4920	Babylon RAT.exe	upx.exe
PID 4920 wrote to memory of 1604	4920	Babylon RAT.exe	upx.exe
PID 1216 wrote to memory of 3356	1216	iexplore.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 3356	1216	iexplore.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 3356	1216	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\Babylon RAT.exe
"C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\Babylon RAT.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\upx.exe
  "C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\upx.exe" "C:\Users\Admin\Desktop\ConvertBackup.exe"
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\upx.exe
  "C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\upx.exe" "C:\Users\Admin\Downloads\so.exe"
  2⤵
  - Executes dropped EXE
  PID:1604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3836

C:\Users\Admin\Desktop\ConvertBackup.exe
"C:\Users\Admin\Desktop\ConvertBackup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\Desktop\ConvertBackup.exe
  "C:\Users\Admin\Desktop\ConvertBackup.exe" 4608
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1012

C:\Users\Admin\Desktop\ConvertBackup.exe
"C:\Users\Admin\Desktop\ConvertBackup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Users\Admin\Desktop\ConvertBackup.exe
"C:\Users\Admin\Desktop\ConvertBackup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Users\Admin\Desktop\ConvertBackup.exe
"C:\Users\Admin\Desktop\ConvertBackup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Users\Admin\Desktop\ConvertBackup.exe
"C:\Users\Admin\Desktop\ConvertBackup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Users\Admin\Downloads\so.exe
"C:\Users\Admin\Downloads\so.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Users\Admin\Downloads\so.exe
"C:\Users\Admin\Downloads\so.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Users\Admin\Downloads\so.exe
"C:\Users\Admin\Downloads\so.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Users\Admin\Downloads\so.exe
"C:\Users\Admin\Downloads\so.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Users\Admin\Downloads\so.exe
"C:\Users\Admin\Downloads\so.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Users\Admin\Downloads\so.exe
"C:\Users\Admin\Downloads\so.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3356

C:\Users\Admin\Downloads\so.exe
"C:\Users\Admin\Downloads\so.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
5f4f6ba1d092e87463c6b144c36d5e0b

SHA1
e04501552ad18dd8acee69a83aed20c84fd5d87f

SHA256
4eeb694729c800bb341af1c9459c5b9e1868d1318dec8ba2e729d5e09b037a75

SHA512
59395385ffd0f89694ab9b26fe0325cad100b416022b1cc99d799668ec414fea84f989d3b561fe44f29fd9c494898f829f6e0c80c58b162897385d5e30c23a7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
af170bdfee69643d94e3d5416e0d45ec

SHA1
2b5b4739572413e00c74ce35ce0584cdecba5352

SHA256
6ae109d44ca9410dc443a765b227c395dc39193b01f41bf0fb7c84233f2242e5

SHA512
00a6d2491cabc5caba23db9c8c484ed70a467c4322ffb636988a6512ac9fe176705105d1f832517248a7f19eb9c344f7384edbd6c1d7c3d38da798122b108cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Babylon 1.6.0.0\upx.exe

Filesize
298KB

MD5
e9eacbb7ab4b3f66019e0a2f13a1dba9

SHA1
ae30894b29e52bf04afc4a54795d438fb910acff

SHA256
0c3dc789d0a46493bd097526b920d913d930d96b1052cb331eec3ac560c89996

SHA512
925445d20c93c65a282fc59f773551d824bff1f8e2623fd8ea0c587831a9550c400f121defb3d82c8f0401903fa69e3154dc98e29688d02af1d5d01247914a06

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigsEx\2024 06 29 - 07 37 PM

Filesize
278B

MD5
8dd990d12559c3e321c5c681b9a6caa3

SHA1
77ab59c8b6eabccc6dd79be4934fbf4aeb1a2604

SHA256
bf6fb8de6c80f69394dbc4f58cdd114b249bccbb32eac05dca07b0964ab1225c

SHA512
04986c0f2a52af7b4469bf05b825dec0401c1825287adbefdee679dc3a3c9c15598035c8b83ce634e08556568c6b3d16a4660d681cfb92d69914bc33cc1218a1

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigsEx\2024 06 29 - 07 37 PM

Filesize
408B

MD5
47d41e011b172b326153adac8bfe2e97

SHA1
c4da396cbf67832e06ff7e554c0efa1dc5f69168

SHA256
3596225a2e465f7338a8fa9c9baf01e1e55b889bb5a6e5e34f38c104ef1006e4

SHA512
209872e348f104d1c7c8c711f89f46845960e1eaa687fae423db72ab07050a3f916aa971e4d0be3219df82047bc3a2ac5e68349048a6a55d3af7f9b187d8d6ac

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigsEx\2024 06 29 - 07 37 PM

Filesize
78B

MD5
9859b4b77752963f9b1271b7a71187c0

SHA1
21233c26f23d96a3e13dda9079664d2fc30f9bec

SHA256
3ec3260363e5f0483802aba421c0226a5a0aa252efa76a78b85c7d670369d083

SHA512
8592ab5d1eac930490c21110c478f2ab4fb5bef67386c92c897537becb98d3c0d1ad2b589f85db5648e9f4a62d93b164f50e1dfaea42e1a27482424165d19803

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigsEx\2024 06 29 - 07 39 PM

Filesize
198B

MD5
d7d9f6e67967e942d8fdf4b9b3c4cae5

SHA1
f5ff3db2c9b53427ba480d0f07d7997302a23714

SHA256
2fab823e075195188905834edc440cceae6aa9a164fdb4cd590448fde6d140b6

SHA512
4e853a5306e1cc93b567ef131d814b1b44a0b85b4a507e1aa072888eb4560e445baed9e3368ed057053cf6b125b320f2f558690637d0dc96bc62b5721cce851d

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigsEx\2024 06 29 - 07 39 PM

Filesize
328B

MD5
9f06d8b17aa9c2bd7f824a70cbab544e

SHA1
750c62980d41da64c7858825d3ffd98cca3d419f

SHA256
eba775cbbd4c2ce7d77d542d785b724f5fa712b683a600caa278ee78bb615e28

SHA512
b0337e6b3b63121a9d9aa6695eb07fd5320319a7154f155f081f342e3dc095483b64bfc447f319c9bc0899479e88270714c29242908fb4604c1a476293d6adf2

Download Submit
C:\Users\Admin\Desktop\ConvertBackup.exe

Filesize
733KB

MD5
eace92a8ab5f0c2fd69aa465a3ce7ce1

SHA1
434c4dcbbb358e498db200b0a1c8ddd7ee7b5663

SHA256
30a7c06f7c6bcfb1f268869ea881021af7c6d3524539d60bf965ded71852331b

SHA512
868a23c27ed81e264a284b8a00229fb0758e20331a956dff2dd88572cc719773c305aa5fe01a388b3a1b3dafa3b2f5f56aa35b0dde5cdab11028b04e33a1e620

Download Submit
C:\Users\Admin\Desktop\ConvertBackup.exe

Filesize
355KB

MD5
8587c6d37c1e83a6188ce9ff8054ee59

SHA1
3a4d115929ef9497aa58f91779db3be6ac310321

SHA256
7ccaa097ef1d77a7a2c18aefc6814c451ef16849e6ab871bfb7e83216a7f83e0

SHA512
3c78e956d6ae674958f3fea7becf38fd5cac9240cb246d0705a6739a6fa43762c85910b0b66896de6723198d710d9a2f6388ac5de37ee800bda9daf3bdaac864

Download Submit
C:\Users\Admin\Downloads\so.exe

Filesize
355KB

MD5
1dc0d8c266949017b73037cb9ef1e6f6

SHA1
81724659d310a14067c8a129726d33bbe4a49a97

SHA256
0c63b602366c1a3408b7357f551b62d5f662b00a976212862851b626ce53e6f7

SHA512
ae14354f4b6f5afbbab8ff486d91e04d3d942564cbdec88ef5d34258bf5d034e3c5b60719bfcd7e3f03ceab3d3d31fc93dae9ce1f6839867f75dd2b975c2cb35

Download Submit
C:\Users\Admin\Downloads\so.exe

Filesize
733KB

MD5
391633b47b185c703dd2bb5b471f377d

SHA1
73a629e8083b10209213152f838372f5e66cc3c1

SHA256
d793c06e4d22cc8fb8b88cbc088688813874f7ce9e1be2db6ed11b124e47220e

SHA512
35938e9611579ea0a9d0200b915f6e30b7bfa68de0df8cb56ed0d7470c4dd66308b470f68e3c2a00d5bd9ce22cbd43b9e01124459f6214744f116e56dac4f73b

Download Submit
memory/192-109-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/820-95-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/1012-43-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/1604-86-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1876-114-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/1876-128-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/1876-124-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/1876-123-0x000000006E590000-0x000000006E5CA000-memory.dmp

Filesize
232KB

Download
memory/1876-190-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/1876-249-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/1876-280-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/1876-283-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/1876-92-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/2416-55-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/2620-101-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/2620-99-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/3404-50-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/3404-48-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/3820-107-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/4104-103-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download
memory/4232-58-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4264-28-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4264-36-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4608-168-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4608-125-0x000000006E590000-0x000000006E5CA000-memory.dmp

Filesize
232KB

Download
memory/4608-278-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4608-46-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4608-97-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4608-42-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4608-88-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4608-191-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4608-39-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4608-61-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4608-126-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4608-121-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4660-60-0x00000000013C0000-0x0000000001489000-memory.dmp

Filesize
804KB

Download
memory/4920-0-0x000000007316E000-0x000000007316F000-memory.dmp

Filesize
4KB

Download
memory/4920-10-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/4920-12-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/4920-5-0x00000000059A0000-0x00000000059AA000-memory.dmp

Filesize
40KB

Download
memory/4920-4-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/4920-7-0x0000000008EB0000-0x0000000008F1C000-memory.dmp

Filesize
432KB

Download
memory/4920-9-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/4920-8-0x000000000AB60000-0x000000000ABFC000-memory.dmp

Filesize
624KB

Download
memory/4920-1-0x0000000000FE0000-0x00000000016A2000-memory.dmp

Filesize
6.8MB

Download
memory/4920-3-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4920-11-0x000000007316E000-0x000000007316F000-memory.dmp

Filesize
4KB

Download
memory/4920-6-0x0000000008460000-0x000000000847E000-memory.dmp

Filesize
120KB

Download
memory/4920-14-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/4920-13-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/4920-2-0x0000000008800000-0x0000000008CFE000-memory.dmp

Filesize
5.0MB

Download
memory/5040-112-0x00000000010D0000-0x0000000001199000-memory.dmp

Filesize
804KB

Download