fb6b1171776554a808c62f4045f5167603f70bf7611de64311ece0624b365397

Analysis

max time kernel
1414s
max time network
1803s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unlocker1.9.2.exe
Size

1.0MB
MD5

1e02d6aa4a199448719113ae3926afb2
SHA1

f1eff6451ced129c0e5c0a510955f234a01158a0
SHA256

fb6b1171776554a808c62f4045f5167603f70bf7611de64311ece0624b365397
SHA512

7d0f1416beb8c141ee992fe594111042309690c00741dff8f9f31b4652ed6a96b57532780e3169391440076d7ace63966fab526a076adcdc7f7ab389b4d0ff98
SSDEEP

24576:eLMeYSiGTpTLDxxwqQcqOj5eyHox6ZGmAuXE7ZBlbT:+PbVvwqQpoLHontDrlbT

Score

8^/10

discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Unlocker1.9.2.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\UnlockerDriver5\ImagePath = "\\??\\C:\\Program Files\\Unlocker\\UnlockerDriver5.sys"	Unlocker1.9.2.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

Processes:

DeltaTB.exeSetup.exeSetup.exeUnlocker.exeUnlocker.exe

pid	Process
1740	DeltaTB.exe
892	Setup.exe
2940	Setup.exe
1324	Unlocker.exe
628	Unlocker.exe

Loads dropped DLL 20 IoCs

Processes:

Unlocker1.9.2.exeDeltaTB.exerundll32.exeSetup.exeregsvr32.exeregsvr32.exechrome.exe

pid	Process
2080	Unlocker1.9.2.exe
2080	Unlocker1.9.2.exe
2080	Unlocker1.9.2.exe
2080	Unlocker1.9.2.exe
1740	DeltaTB.exe
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
892	Setup.exe
892	Setup.exe
2080	Unlocker1.9.2.exe
1060	regsvr32.exe
584	regsvr32.exe
1080
1080
1080
1080
1080
2684	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSetup.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Drops file in Program Files directory 7 IoCs

Processes:

Unlocker1.9.2.exe

description	ioc	Process
File opened for modification	C:\Program Files\Unlocker\Unlocker.url	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\uninst.exe	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\Unlocker.exe	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\UnlockerDriver5.sys	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\UnlockerInject32.exe	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\README.TXT	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\UnlockerCOM.dll	Unlocker1.9.2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IELowutil.exeSetup.exeregsvr32.exeUnlocker1.9.2.exeDeltaTB.exeSetup.exerundll32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IELowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker1.9.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeltaTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

taskmgr.exerundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID=\|URI="	rundll32.exe

Modifies registry class 15 IoCs

Processes:

regsvr32.exeSetup.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Program Files\\Unlocker\\UnlockerCOM.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\folder\shellex\ContextMenuHandlers\UnlockerShellExtension	regsvr32.exe
Key created	\REGISTRY\MACHINE\software\classes\clsid\UnlockerShellExtension	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\ = "UnlockerShellExtension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 43404039789c636262604903622146b36a37034b63671767175d370b270b5d137303435d4b234b675d630b532317032773176737b35a06010101fb739b3f010025490ca9	Setup.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

Setup.exetaskmgr.exechrome.exe

pid	Process
892	Setup.exe
892	Setup.exe
892	Setup.exe
892	Setup.exe
892	Setup.exe
892	Setup.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

Unlocker.exeUnlocker.exe

pid	Process
1324	Unlocker.exe
1324	Unlocker.exe
628	Unlocker.exe
628	Unlocker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Setup.exeUnlocker.exetaskmgr.exeUnlocker.exechrome.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	892	Setup.exe
Token: SeTakeOwnershipPrivilege	892	Setup.exe
Token: SeDebugPrivilege	1324	Unlocker.exe
Token: SeLoadDriverPrivilege	1324	Unlocker.exe
Token: SeBackupPrivilege	1324	Unlocker.exe
Token: SeTakeOwnershipPrivilege	1324	Unlocker.exe
Token: SeDebugPrivilege	1788	taskmgr.exe
Token: SeDebugPrivilege	628	Unlocker.exe
Token: SeLoadDriverPrivilege	628	Unlocker.exe
Token: SeBackupPrivilege	628	Unlocker.exe
Token: SeTakeOwnershipPrivilege	628	Unlocker.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	Process
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	Process
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Unlocker1.9.2.exeDeltaTB.exerundll32.exeSetup.exeregsvr32.exetaskmgr.exechrome.exe

description	pid	Process	procid_target
PID 2080 wrote to memory of 1740	2080	Unlocker1.9.2.exe	28
PID 2080 wrote to memory of 1740	2080	Unlocker1.9.2.exe	28
PID 2080 wrote to memory of 1740	2080	Unlocker1.9.2.exe	28
PID 2080 wrote to memory of 1740	2080	Unlocker1.9.2.exe	28
PID 1740 wrote to memory of 892	1740	DeltaTB.exe	29
PID 1740 wrote to memory of 892	1740	DeltaTB.exe	29
PID 1740 wrote to memory of 892	1740	DeltaTB.exe	29
PID 1740 wrote to memory of 892	1740	DeltaTB.exe	29
PID 1740 wrote to memory of 892	1740	DeltaTB.exe	29
PID 1740 wrote to memory of 892	1740	DeltaTB.exe	29
PID 1740 wrote to memory of 892	1740	DeltaTB.exe	29
PID 1632 wrote to memory of 3064	1632	rundll32.exe	31
PID 1632 wrote to memory of 3064	1632	rundll32.exe	31
PID 1632 wrote to memory of 3064	1632	rundll32.exe	31
PID 1632 wrote to memory of 3064	1632	rundll32.exe	31
PID 892 wrote to memory of 2940	892	Setup.exe	32
PID 892 wrote to memory of 2940	892	Setup.exe	32
PID 892 wrote to memory of 2940	892	Setup.exe	32
PID 892 wrote to memory of 2940	892	Setup.exe	32
PID 892 wrote to memory of 2940	892	Setup.exe	32
PID 892 wrote to memory of 2940	892	Setup.exe	32
PID 892 wrote to memory of 2940	892	Setup.exe	32
PID 2080 wrote to memory of 1060	2080	Unlocker1.9.2.exe	33
PID 2080 wrote to memory of 1060	2080	Unlocker1.9.2.exe	33
PID 2080 wrote to memory of 1060	2080	Unlocker1.9.2.exe	33
PID 2080 wrote to memory of 1060	2080	Unlocker1.9.2.exe	33
PID 2080 wrote to memory of 1060	2080	Unlocker1.9.2.exe	33
PID 2080 wrote to memory of 1060	2080	Unlocker1.9.2.exe	33
PID 2080 wrote to memory of 1060	2080	Unlocker1.9.2.exe	33
PID 1060 wrote to memory of 584	1060	regsvr32.exe	34
PID 1060 wrote to memory of 584	1060	regsvr32.exe	34
PID 1060 wrote to memory of 584	1060	regsvr32.exe	34
PID 1060 wrote to memory of 584	1060	regsvr32.exe	34
PID 1060 wrote to memory of 584	1060	regsvr32.exe	34
PID 1060 wrote to memory of 584	1060	regsvr32.exe	34
PID 1060 wrote to memory of 584	1060	regsvr32.exe	34
PID 1788 wrote to memory of 628	1788	taskmgr.exe	41
PID 1788 wrote to memory of 628	1788	taskmgr.exe	41
PID 1788 wrote to memory of 628	1788	taskmgr.exe	41
PID 1784 wrote to memory of 2396	1784	chrome.exe	43
PID 1784 wrote to memory of 2396	1784	chrome.exe	43
PID 1784 wrote to memory of 2396	1784	chrome.exe	43
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45
PID 1784 wrote to memory of 2848	1784	chrome.exe	45

C:\Users\Admin\AppData\Local\Temp\Unlocker1.9.2.exe
"C:\Users\Admin\AppData\Local\Temp\Unlocker1.9.2.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\DeltaTB.exe
  "C:\Users\Admin\AppData\Local\Temp\DeltaTB.exe" /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1B4663~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Program Files (x86)\Internet Explorer\IELowutil.exe
        
        "C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\Latest\Setup.exe
      C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2940
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:584

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1588

C:\Program Files\Unlocker\Unlocker.exe
"C:\Program Files\Unlocker\Unlocker.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Program Files\Unlocker\Unlocker.exe
  "C:\Program Files\Unlocker\Unlocker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6059758,0x7fef6059768,0x7fef6059778
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:2
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2240 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:1
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2248 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:1
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1324 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:2
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1380 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3440 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3556 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3640 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2312 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:1
  2⤵
  PID:272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3752 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4084 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4488 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4520 --field-trial-handle=1312,i,6262652060682754373,9884079343987456382,131072 /prefetch:8
  2⤵
  PID:2652

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Unlocker\UnlockerCOM.dll

Filesize
19KB

MD5
5fe324d6c1dc481136742ab5fb8f6672

SHA1
02f2d4476006cecd771de3cbe247e432950ae916

SHA256
0a66b19bb38385a8879633dce1272b8acf1b4b264c88e254345ec249335b41b1

SHA512
faa76477503923d1c14a12f00d7d416e5fbb485560ea02ed1e6ef6337f9ad88bc612af241ea61c8f9003253ccf5f66b2c7ce4a508bb2adc761c4f36ac345195d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d18e17bc316aeafc672869ea1723af1

SHA1
f34cc8d30eac450c28bea90dbc8f5dc0dfac897b

SHA256
fdf2e0ae51378af72b7381af461cae48b4ff62a7de7d254b30fc876392987065

SHA512
36569ef9b0a4acead503434ecb1a7f334117124995d3fcf1b41fe6ee68a7d085a4ede79d081a7015448aeeaf2ff455e1a26a7a4fa314d1c2369a9131b2b74a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bf1330216bb9f6563538247033b1bb8

SHA1
d418056e703d8aaed39ca042b01784d4636e03f6

SHA256
46d86990d5fbcb54312711912bfccb443e634dec0d276f4f9080d5e67ed38b14

SHA512
e809f562ef14d6585d8de86c43157bd22155ed0af150980f26e81afd8d6a3b26ddc93f00779b32e6b33cc6b93e272fa01d5ef49f372f463f4e51f7404e16d31f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
171b4a2de8d945b4b425e35296a2c7ea

SHA1
1df664c6e1ba72f2db160003a499c6be0472fb06

SHA256
66e8c97fbdab7fb4a939c6cf1274761fe8d40213b040434dce042400dc8d18b0

SHA512
e14ed6de3b60b570e24f3799d0c2bc0508f196dfcf3300eda35f22a08f9c50fa05e49d0caa1dce99782cf5a74f36ff7bfabd58e0a3cc2566df7f79f4aa6b6b4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca8b1d5cf7354dd55cb248e3d43aa98

SHA1
830742654fce14bf90e410953ebc0a9ffed20cc6

SHA256
e6138b346d099afc089926cd998c8cd4a851ea738ee3ee75badd8fdfdfbd4499

SHA512
fc798b0c1d1b15304e025f2336f16562b8694b3b6d05af7cc2c858136f115fa19dadbc7e1b5e42a5dcb439761bd30d1cf18258b6ed1a67ed2bec53e6f2cbce7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc8631fd79dde9683d7b348b4449021b

SHA1
c3648591a10f1e17c78333eb35a52619030edfeb

SHA256
32db5bc73d10ec57e8813f9391d38e3c91307e3e21e72eeb17257d663f6fb66d

SHA512
5c19dd694688c0746905bcd99b84faaf7e25dc5610a3072517175854447c16bcf5a48614fe35323f921e4fdbf699e3e85f6e143bdbd0ca3c629b30adc72303b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
092d1de1462f7437406e0f8b91e19bcc

SHA1
6808d277abad0269090f56dc212971c265bf4c6c

SHA256
09568e1b2653b0a917874a732a21abdae0acd3175b2161518a7d28e272b03866

SHA512
8ec0100aae741a1b7db1ec6d6bc9b7fa15716f7f5004e28028c25c46ada35d2b0910f4bd020077526d5e261627a7779da6e5cd4d0aa1f1059702e3ad761ba4ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20593def5ac17257985e9a3c55cc3365

SHA1
d4d4e53b33e749a10e1a2207df1106965cd244aa

SHA256
23def385c5a055ebfc35e336465112e16ddf678eef5ff98fb704e911650f1a9b

SHA512
e1a94e216216ef31891f212b1ab82d492923149fc8884319a05b1f860e427f0feadba856880fdaf9ebb83156580ab674a4333ce9e57b87eb1def3d79c0e42dde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb94f88b34af58ade22befae1d543586

SHA1
8d248f5c024283d70c825d09e362f694b39546a1

SHA256
8ccf542d393ece19d08ec91a8b35881cacc62241bedf86b51efe7b77e7734831

SHA512
ad2663cb7ec72ab844906dd6a849b1878a4f9ed4d26ca9a20e1acf788dd1467cdeb47efe3542c5ee637b990d51d2e9b3b0221fd0fd700ddf077cd0e87cff3a9c

Download Submit
C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

Filesize
3KB

MD5
5e6230b3b16798e23720958756ac6d9e

SHA1
c7bcb001c48a67d4c9d6e70e92473ebd85b30585

SHA256
d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2

SHA512
6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6dda7bbe-b95a-47fd-ac41-cd5c707ebfaa.tmp

Filesize
6KB

MD5
7bdb355eb523dc3e322d08aec9f0c722

SHA1
275731bb4158f702682a605c4a56ea5cbdd90689

SHA256
2ace9aa2d2c732d01e88c80a8d830323bfb079ab9ef0ed007309cabba5b434e4

SHA512
b5fb58463a62b38c189b9a8b343804feb65901771c705434aeb090766cc4316de119f58b3e52deeda6bc42ca0ebc86fdd204d20f0c80469b614202b892ce7b2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
63bd5ab4ec0c56d61f49f0f9adffe322

SHA1
5e829eac0505d78913521e8e8b044b31ec5f0f6c

SHA256
c5413fae07736ff58c6fe6e8da6fe81741c2d041cfbb569094085a1404f9ff1c

SHA512
7ae8ab0f9230d0069c86896ae71a2a2192cb61e0cb3fdc8c906c4a89965ac2faf0a3a236d9a51aab0a11372267daea2818316d6579cc8cce67e1efc32fc0be87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\be08d951-3de7-4cdc-9b71-a454c438b76c.tmp

Filesize
6KB

MD5
3ce11453658a472af048b46335870ff0

SHA1
2d8e385b9abbebad4fb660c7e68ebed6aefa1993

SHA256
859a9932cdd001855257ee926c1bc4ac7b211ecf4deb44cd6a514b682e3d6b08

SHA512
5a5581ac3056e5ef8a47702b78d46bb6ef14735bcbdce1d6a32796622fb540e3d7a7afecc9f2a8130827db038e1f27dd4ae96a39cbcdfcebadbed314605054e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\e72b0ac3-4916-40bc-8c8f-02ae4d18cf1f.tmp

Filesize
6KB

MD5
6b7fabf137ea3b5d2f7f3e842663345e

SHA1
fd859d59cf7676d3cc1dd6c5d73f3ef2d1011716

SHA256
6d4665767f690af4735de17240068be34a2e1d3c56b0828137fca80e384e9810

SHA512
e332b3f53241540a4d8a314c9f65f89609631ff315499b3480b23fa33d07e7df12af7b6af74cff8a3840c851718314cabacf30cc85b874f7a17b475186f36660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
576ee3505a7327d5f7f74c477755a1f1

SHA1
eda82fec783157e8dd49eec717a5a9a1ba223ac2

SHA256
53ec1a8186e368aad6052784d2a96b857a6e8e2f178ee746b755d49e514a8396

SHA512
c37db00d13bffba6ce4b1c58f5c2e254571bb3c2559d6120dc7447667ff72e6c07bf372bd5a3c28ffb056e040c485e1b5980e0c73f7c1c4c6e78e9456e144e20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\BExternal.dll

Filesize
129KB

MD5
b212865e7e478a28a97268f960079a8d

SHA1
ded201ae02fb9ea3646489afeda49270c4620d9c

SHA256
d6138aef3f7674e2442add75013c86ca8fda3d5ba69737a9b881e7f7bbc730e6

SHA512
d973f9cb45d2035a8546bbdf77fa1b239a3f1e4ba2b17d32195a1cfed13fe06aaf48b91a133cebd7e53481ab5a5e9166329b730587b46a154b193779da6ad737

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\Babylon.dat

Filesize
12KB

MD5
825e5733974586a0a1229a53361ed13e

SHA1
9ec5b8944c6727fda6fdc3c18856884554cf6b31

SHA256
0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96

SHA512
ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\HtmlScreens\loading.html

Filesize
644B

MD5
f50fa4673555652289652753183fd1ee

SHA1
f496797f0d34eb866d6328d2fd1492b485f74d0a

SHA256
afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812

SHA512
6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\HtmlScreens\navError.html

Filesize
926B

MD5
0c464e407c81764ebc09eacbe41f0b3e

SHA1
245afe550a05215e5873d8f5f21c22d12aa46b6a

SHA256
770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26

SHA512
71070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\HtmlScreens\pBar.gif

Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\SetupStrings.dat

Filesize
89KB

MD5
407846797c5ba247abeb5fa7c0c0ba05

SHA1
44386455eed8e74d75e95e9e81e96a19f0b27884

SHA256
0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3

SHA512
7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\bab033.tbinst.dat

Filesize
205B

MD5
90713ab7a74884cd36a5fb4cfcdece8a

SHA1
7bb56d08fd69a98e543b923bd0a9156f92a9c473

SHA256
bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb

SHA512
639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\bab148.spreg.dat

Filesize
249B

MD5
a4af0a0c254b38f2f9eecbf0e00b08fe

SHA1
ef730bce77699730dda378dc444b997ce7ceea7a

SHA256
810e0e32d54b9e1557da7ccf1ca9f6354814e90dadc6b4af5e1cbdf87fac925a

SHA512
b74596e55e75413303559c135db393a04d6fd6cbab147a51ac2f46435f52b92b82868de4e67917a7b388d82c672fa36b525b88e2eefe7ec40695f028395dcd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\bab187.wl.dat

Filesize
234B

MD5
6358860cd0c336c1f91f86be701d77c4

SHA1
5dd38b818bf0860b4c5144ba670a759d4345e4ec

SHA256
2ed42e3c958eb21352bae4b00db2fa5be94149abc64eec93e5258b9c4a715457

SHA512
7df3b3e1487d3a65000b6208969f1e695815133c052f369beb36877fe5c6f64d979aefd030a193b04a5e46fb0d97a3cc06837aa381efe6bc24a0c084c768dac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\bab307.sp_pop0.dat

Filesize
178B

MD5
0b7be9c4b72c2c5166bfd61ca5ebbfed

SHA1
aea0aa4e8226c1b4efce92e909da773744baa6d4

SHA256
673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd

SHA512
4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\bab456.TB_OldWay.dat

Filesize
174B

MD5
7e72d256e34635d351092955d1f8516b

SHA1
7f240f8f4bd61ae59247d84d0ec85f5bc8729f36

SHA256
39eb1667a67149b5d930e5408896027e3c3fc06282735e61cb8d85f5b38f587c

SHA512
621eb4bf2864db2fa0f861c233ced790124e9060c081948beb7117f8c058a36ecca23ee05ce2d6d42af15533c050f648d276589682d91dfe699ebe871cc9ae8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B4663~1\IEHelper.dll

Filesize
6KB

MD5
a21de5067618d4f2df261416315ed120

SHA1
7759a3318de2abc3755ebb7f50322c6d586b5286

SHA256
6d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca

SHA512
6b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA0C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDA6D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst4886.tmp\Delta.ini

Filesize
1KB

MD5
46da8bcdb19c869542c2ed3c01c92682

SHA1
98f185eafe15fdcb104cfeebc9bc92f357d814aa

SHA256
d12be0c07a28759dd7ce4ec40496083a716fd7b0058a526d6db25fd805c3417b

SHA512
27d93ccb648ce64aeec5314722fe12e9bf9313416697ae94625bf95af1db646a17ba1ad00cdb018e7cd8d7d6d286833883a922d60214e4e161aeb457b5b12d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst4886.tmp\Delta.ini

Filesize
1KB

MD5
11d5b47fa20b3e9771a80c2b737610b6

SHA1
e0ce3dfb4e49f62033a38e685a6872448a0f489c

SHA256
436059d849b367065d2eedf460f55f68976a90110e14f4fd8564b075ec395e8d

SHA512
32a256cd4f3facede98f0309495f33bf84d84d952af9c7969157b4f8e7081e2b26959afd4bee3026a34774041d3567c5ab0e0a82e273ae11193d8b050c346e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst4886.tmp\ioSpecial.ini

Filesize
696B

MD5
62cc7ebfb85cd3bcfdd37f044daf013c

SHA1
b16aca47499e004c7b32314c6260dc8bb506a88c

SHA256
9443c238004cbd408891ab35975430eab6eeefeff9aa8c641dc591525dfb3121

SHA512
4e1f8c75e0ebdc5fb2f8ff28137cf3d1dd8c4bdf51c9cbe9e10832fe27065336f3c025aa47e5dc44f90cce43e0f403004f65599a4446ad30cd016e5a800c65ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst4886.tmp\ioSpecial.ini

Filesize
558B

MD5
d723522711a360bdea94a92fa7f9d878

SHA1
26a4527e28c0beee7793a5ac4f5d82ccec3ef91f

SHA256
6f52d07eb4f56c2ddb74751d2cc271f81a830c1a520bb2eb9efbb471050f4953

SHA512
fa50744d59e949be0074cad08a397c8d03209ca0f728a639c12c6a9126529f12b4a83cca4d7a50e5a1480bcd7699ff70b59e9c0285a2ece4d81fd39948406795

Download Submit
\??\pipe\crashpad_1784_VUPJLJZVADQKTSTH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Unlocker\Unlocker.exe

Filesize
122KB

MD5
0a77f732624155a215f5ca54df9b2930

SHA1
172bdf71343dd6544cfbe04abbc3dec4535f7d84

SHA256
a0b651038c4301f70e4aea506eb90edc584a5c4ca46880c7dc2ae5eafa6dc506

SHA512
6482c9fc3b5ff9d5798deb9965b4dfab9ba62b889e921011696f29dd96b813194a59f76a52a88fa4962317c6a43a21122c857e4ca80c6c4360c2cee544117352

Download Submit
\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\Latest\setup.exe

Filesize
8KB

MD5
5790a04f78c61c3caea7ddd6f01829d2

SHA1
9d783d964338a5378280dd3c3b72519d11f73ffa

SHA256
726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606

SHA512
9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

Download Submit
\Users\Admin\AppData\Local\Temp\1B4663B2-BAB0-7891-9583-3388FD631DD8\Setup.exe

Filesize
1.8MB

MD5
26f6d1b6756a83de9755a05f7c030d75

SHA1
935f58155f74b051f9123b6022b7d358b52b146f

SHA256
2acab7c986bbf80578c3bd998dd2d853257719ceb74c9d30bb4ea28952403d5b

SHA512
af9603572bddb6244a7ab0484cb3ac9ed7c91b1cea3e3f8c8886478930dbc102925b45ed094eaa2801755644e3bb4a4c0685a423f937f4b02af16feec56e4f6f

Download Submit
\Users\Admin\AppData\Local\Temp\DeltaTB.exe

Filesize
767KB

MD5
eb2764885565b6c01cb32e5f51f213b3

SHA1
cc41cadbbd6ba6ed0bfdd17798b4c9f94d7955e0

SHA256
d7146999ff94b3ae092f3213ddf0217615f1d38798393b66778d11aae2b68eaf

SHA512
ac88795b2e8260ace9eb57d2a3fdc4aadb18e2cb0afd780459f51d25f83b34f7033425dc712655e423eba4e011fd2776f53463042f2c2d9dd427554c04cc840e

Download Submit
\Users\Admin\AppData\Local\Temp\nst4886.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nst4886.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
\Users\Admin\AppData\Local\Temp\nst4886.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/892-510-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/1632-384-0x0000000000830000-0x0000000000832000-memory.dmp

Filesize
8KB

Download
memory/1788-536-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1788-533-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1788-534-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1788-535-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3064-383-0x0000000002A80000-0x0000000002A82000-memory.dmp

Filesize
8KB

Download