14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/01/2025, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe
Size

945KB
MD5

66e2a63174869d2eac1b1873e0b78820
SHA1

83df596581fff25d38f419de5bdb96f434b70212
SHA256

14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10
SHA512

ca84ba22e7d53c41fc54e31eb95a1173030c52e8aa89f595086a97d41931756d2f5751e9f177219c0bb00fa6c690a5c06fe9db9a06fa2e7d587fb7eb8ca48a41
SSDEEP

24576:0YK4aYXMHVFhCz/jQHTP//LCcfyWAtBcPW:0YFaYXufsMz3//dAzcPW

Score

7^/10

adware defense_evasion discovery spyware stealer trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x001000000001c794-1189.dat	acprotect
behavioral1/memory/1552-1191-0x0000000000360000-0x0000000000369000-memory.dmp	acprotect

Executes dropped EXE 5 IoCs

pid	Process
948	crpEBD6.exe
2768	Setup.exe
1200	MyBabylonTB.exe
1552	BabylonToolbar4ie.exe
2664	BabylonToolbarsrv.exe

Loads dropped DLL 51 IoCs

pid	Process
2136	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe
948	crpEBD6.exe
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
2768	Setup.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2768	Setup.exe
2768	Setup.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1552	BabylonToolbar4ie.exe
1552	BabylonToolbar4ie.exe
1552	BabylonToolbar4ie.exe
1552	BabylonToolbar4ie.exe
1552	BabylonToolbar4ie.exe
1552	BabylonToolbar4ie.exe
1552	BabylonToolbar4ie.exe
1552	BabylonToolbar4ie.exe
2664	BabylonToolbarsrv.exe
1552	BabylonToolbar4ie.exe
1552	BabylonToolbar4ie.exe
1552	BabylonToolbar4ie.exe
1552	BabylonToolbar4ie.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper"	BabylonToolbar4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\NoExplorer = "1"	BabylonToolbar4ie.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001000000001c794-1189.dat	upx
behavioral1/memory/1552-1191-0x0000000000360000-0x0000000000369000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\escortShld.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarTlbr.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\uninstall.exe	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarEng.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\bh\BabylonToolbar.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarApp.dll	BabylonToolbar4ie.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MyBabylonTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbar4ie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpEBD6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IELowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbarsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000400000000b3eb-736.dat	nsis_installer_1
behavioral1/files/0x000400000000b3eb-736.dat	nsis_installer_2
behavioral1/files/0x000500000001a4ed-907.dat	nsis_installer_1
behavioral1/files/0x000500000001a4ed-907.dat	nsis_installer_2
behavioral1/files/0x001000000001c863-1195.dat	nsis_installer_1
behavioral1/files/0x001000000001c863-1195.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5E23D891-DAC6-11EF-88C1-C26A93CEF43F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\pdfbooksr.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f000000000200000000001066000000010000200000009aaed3590e9042c21dea5efc8a3628c47e471b3ac49e6099ecd8b0daa6c52502000000000e80000000020000200000008450b8b24576383986916945a8c0447b76d8a566f51bf5a84515034ffdb4fc2e1000000069600580e12dd384a01644e248c01c1a40000000d25aa7581154467818434a1e6cf568c33d44f4380d0bc4b34ef9bc03a1b7ed4d228beb7b23327c25f1e78e2e2a781180ee91e394c16fb39f7732590a4cf68380	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC} = "Babylon Toolbar"	BabylonToolbar4ie.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f000000000200000000001066000000010000200000001839c842d8e32ff904dd9000506096bd373b4ac72899c283ef6baa3d3d8529b1000000000e8000000002000020000000116e9073077bf9026a831287462acf1ada5766b683ab1f526c87ad8fe74df8719000000051f46566f9f67a86d8cdcdef61bdc1b5b768cf90714b552847f8639fc52078564eb2390acd5d21f1b0e9fa627a4f536fdbb5c5ed104e6f37b59e8070aeedc35d56cc129bfa169c8ee3e0065f5319037c8222f02aaf7e8d2d79c3a96f8d23bffed8d201b4c2e680fa5f5d4b3131afc2db83d18627ab07f43322243160c68930289698530e17a284a63d4f5c8ab42e8fda40000000f97b333079d41dcf395f967a2d15834519f18418a1e8f38ac5ff62bff1314f958c7dfb26c9a045a87cee16aa607ee9ffbe9a809cf1ec9d5ef40c28fee52899b2	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\AppName = "BabylonToolbarsrv.exe"	BabylonToolbar4ie.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f000000000200000000001066000000010000200000004a741961a8283bc89e992834ba2818fab9822c62004919fd359fcb95317e2f7c000000000e80000000020000200000003ed119bdef293c26a5ff003ef75a47ac17056a9900be8b457e6b9e9276622fb710000000a504a28a6953c4823a761bca27f4976d40000000dd9d5b797c8f4b879fb91e67bc8703691ca89645e757cdd4d2d5c7baa8a519ffc5288f247b5285fcf9cb9557b586e34be9cbf182fd5052a094cefe0668cf2152	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f00000000020000000000106600000001000020000000b377f0caa5c2011860e6221082ea8a53fa704aa971d0cedbc158da99d077c3c0000000000e8000000002000020000000a1615d1fc22a4a4c8653385bc6f0d03c42a424e4d044088f2a206081cb8c500d1000000068f3e8846412d1b468319e669c7f75bf40000000b495a9e45c05468bb6b7f4b8e45bdb002d3aefc4c4ffd9fb071a52932cf2fad58fc0d103195d68b131ed557284e0f84ac8202adc06a344cbf104a45f8f17898c	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\pdfbooksr.com\Total = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f000000000200000000001066000000010000200000005eb3ac093a629a2ca2c81959fd88e827cee32d4c1e48e847391bfcd2d0cd9a83000000000e80000000020000200000006dfd67124f858bf8c5a9270cb13e9de9c2494ed6256bac01d36e70bb01fd5fc21000000024cabd9b50bb04dae2b7775a802a82a840000000eb13f9bd5c2d206c7dea30aada448fcf249b2f47fee52644598de1e45acaea97eaa18d7cde18c1c643deda2bbff8331cbb135ad5a7a3f76fe3b0c9225e3a87a9	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID=\|URI="	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443934967"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f00000000020000000000106600000001000020000000833844bceec810c2ae57cbf0fbb7f38ac7102e5b4948cdf14dba42192e0c5320000000000e80000000020000200000004b5d9f326962ada298ca517999bcc7915836267e7bbb50b216a42873b103cdd210000000e21b7d27aa0ea2b68b1ecc36cf1652fc40000000f17c7fa9307daa2b438737c61211bb88b14317a49c4c8608777984b14aeae817fbc34498490a0df89eaed8d0226fb50378d58b339de0782d688a6c07812bca34	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://www.my-online-search.com/?q={searchTerms}&babsrc=SP_ofln&mntrId=57A5C26A93CEF43F&cat=delta&dlb=0&affID=121441"	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f00000000020000000000106600000001000020000000848d225559ea245a70d7a1a7580116e23471981d06688fc9cc3992cd41fc3c08000000000e80000000020000200000007ca0c23ce4c174c18a81cf49be115e8e7b033a6ba3ed4ec8458d8ce1bab22f4920000000344983a10d1696885dccd0c2df9d046cb051aebbc0e4c48e2b913b5bb147fbcf40000000cb69af1bf6f565c1854374abccf60229ee22af29f48fb29f8ed297c0cc95eda5009486e9c0afdd0e11d5ffe16b1dee3d19faf04b562202b962cb3474026ff8ce	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30bc2c40d36edb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f00000000020000000000106600000001000020000000632285f58287c282800d113c4e5c55e08f64ae0e4124214fdb9613fa94c259a9000000000e80000000020000200000002dbe4ecc81ffd60e9e973aad0d4564bb0fd81f51ac0f84313c2ef298f7eed5b210000000eab6126a076d7bcbae0bcb35e761f88e400000001de98817760dc8465a4c23843df5e77b81c70fdd6fe3813ae17ad7e9f68ad64e9a44b28c1cee26eba9a9bb95950005a8f57282e1726f85ce04a6e8b8ff34b5c5	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}	BabylonToolbar4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\Policy = "3"	BabylonToolbar4ie.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f0000000002000000000010660000000100002000000088b7496e66d3e6c990fcf809d0562b2f0bde3c4e1f1262ff904726c9802cae9c000000000e8000000002000020000000058b3780dd538588e06d79b24ae6d54ba37120f48f65495826bebb91502f5b1910000000f53067fdd5f76c9101afcd26b2115547400000001d3a912009c6753b4ae421ae2e1c6ed673b6985041c0a68bc89e9b6a7e44f5d5bae118a425af7f32aa28468b445dfa6dfd10aad04235a8a926f7f89eafb8ca93	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f000000000200000000001066000000010000200000005b9c91c248d37142db9f4c9390ce7bd563e6d5a375b02fc06e6ce63e8b5f3577000000000e80000000020000200000004c73fdb5c5c22a8ed27de8fbc80aa0eea294c51e51e93e79cdf2f52e993e55bf100000005602d5e72b85fbc16ea2d2a0c1dab52d4000000048fa0132eabc3b24336330a2f363429a083da31fe7903d0c36c6dfdea5df30420c1eb3ee317d7a2ee0d107d495462827d61a2fcedaa15c1671b3491065720614	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\ww155.pdfbooksr.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\pdfbooksr.com\Total = "18"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\AppPath = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10"	BabylonToolbar4ie.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f0000000002000000000010660000000100002000000061cfe325d3845989a52ec72535789aa2602f5b31ad1ab409d4da63e893c1ebc3000000000e8000000002000020000000fff2a2040097f23dd9f1005607b007b99fb770262216562e6b667eb3ffd76b0f1000000089fb190d2e9387f6aca40f5c2399ef4040000000917d2158b2c111752b1ba6138595f845bbf4fb1990c15c2e1a4ae4925b553d24c5ed3da97f27ea8264e537541c4c35c506601173a54b1d27e4dcdc7bf433d507	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\ww155.pdfbooksr.com\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f2e1cd1fe62448b14ed44de771556f0000000002000000000010660000000100002000000053e9e60d8496fc57acd1868a38f292098a1703bf4aa1f616247a4625cda99ef5000000000e80000000020000200000009f41d7152d4cb3a07927ad844a0d62be69f3b95367fe0804f30c8ebd5949f25210000000ab8778a3c2a11ea663bee023d12dda4840000000349cf45f1f188ca72e3b5a0711f9425041baf57de8402039ec32ca6d2eabbdcc290dc16b000ddd3d500de1feda8a538a1dbed3ece1f96c80aa1804fa31e5cc0a	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\pdfbooksr.com	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\	BabylonToolbar4ie.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\ww155.pdfbooksr.com\ = "18"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=57A5C26A93CEF43F&cat=delta&dlb=0&affID=121441"	Setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ = "Ixtrnlmain"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ = "IescrtSrvc"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\VersionIndependentProgID\ = "b"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\VersionIndependentProgID\ = "Babylon.dskBnd"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\Version = "1.0"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc\ = "escrtSrvc Object"	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\autoRvrt = "false"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\AppID = "{35C1605E-438B-4D64-AAB1-8885F097A9B1}"	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\Programmable	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\InprocServer32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib\Version = "1.0"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\b\CurVer	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\ = "escorTlbr 1.0 Type Library"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\ = "bbylntlbrCmn 1.0 Type Library"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\dsFFX = "Search the web (Babylon)"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\VersionIndependentProgID\ = "esrv.BabylonESrvc"	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\ProxyStubClsid32	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ProxyStubClsid32	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ProxyStubClsid32	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ProgID\ = "esrv.BabylonESrvc.1"	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\ = "escrtAx Object"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\InprocServer32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10\\BabylonToolbarEng.dll"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CurVer\ = "Babylon.dskBnd.1"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\InprocServer32\ThreadingModel = "apartment"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\1.0\HELPDIR	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore\CurVer\ = "bbylnApp.appCore.1"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\TypeLib\Version = "1.0"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ProxyStubClsid32	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ = "IescrtSrvc"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CLSID	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\Programmable	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\ds_url = "http://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=57a5a763000000000000c26a93cef43f&tlver=1.8.11.10&affID=121441&r=690"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data\kw_url = "http://www.my-online-search.com/?babsrc=KW_ofln&mntrId=57A5C26A93CEF43F&cat=delta&dlb=0&affID=121441&q="	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\b\CLSID	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\ProgID\ = "b"	BabylonToolbar4ie.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2768	Setup.exe
2768	Setup.exe
2768	Setup.exe
2768	Setup.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
1200	MyBabylonTB.exe
2768	Setup.exe
2768	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2768	Setup.exe
Token: SeTakeOwnershipPrivilege	2768	Setup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2136	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe
1120	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1120	iexplore.exe
1120	iexplore.exe
2380	IEXPLORE.EXE
2380	IEXPLORE.EXE
2380	IEXPLORE.EXE
2380	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 948	2136	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe	32
PID 2136 wrote to memory of 948	2136	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe	32
PID 2136 wrote to memory of 948	2136	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe	32
PID 2136 wrote to memory of 948	2136	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe	32
PID 948 wrote to memory of 2768	948	crpEBD6.exe	33
PID 948 wrote to memory of 2768	948	crpEBD6.exe	33
PID 948 wrote to memory of 2768	948	crpEBD6.exe	33
PID 948 wrote to memory of 2768	948	crpEBD6.exe	33
PID 948 wrote to memory of 2768	948	crpEBD6.exe	33
PID 948 wrote to memory of 2768	948	crpEBD6.exe	33
PID 948 wrote to memory of 2768	948	crpEBD6.exe	33
PID 2972 wrote to memory of 2852	2972	rundll32.exe	35
PID 2972 wrote to memory of 2852	2972	rundll32.exe	35
PID 2972 wrote to memory of 2852	2972	rundll32.exe	35
PID 2972 wrote to memory of 2852	2972	rundll32.exe	35
PID 2136 wrote to memory of 1120	2136	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe	36
PID 2136 wrote to memory of 1120	2136	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe	36
PID 2136 wrote to memory of 1120	2136	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe	36
PID 2136 wrote to memory of 1120	2136	14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe	36
PID 1120 wrote to memory of 2380	1120	iexplore.exe	37
PID 1120 wrote to memory of 2380	1120	iexplore.exe	37
PID 1120 wrote to memory of 2380	1120	iexplore.exe	37
PID 1120 wrote to memory of 2380	1120	iexplore.exe	37
PID 2768 wrote to memory of 2044	2768	Setup.exe	40
PID 2768 wrote to memory of 2044	2768	Setup.exe	40
PID 2768 wrote to memory of 2044	2768	Setup.exe	40
PID 2768 wrote to memory of 2044	2768	Setup.exe	40
PID 2768 wrote to memory of 2044	2768	Setup.exe	40
PID 2768 wrote to memory of 2044	2768	Setup.exe	40
PID 2768 wrote to memory of 2044	2768	Setup.exe	40
PID 2768 wrote to memory of 1200	2768	Setup.exe	43
PID 2768 wrote to memory of 1200	2768	Setup.exe	43
PID 2768 wrote to memory of 1200	2768	Setup.exe	43
PID 2768 wrote to memory of 1200	2768	Setup.exe	43
PID 1200 wrote to memory of 1552	1200	MyBabylonTB.exe	44
PID 1200 wrote to memory of 1552	1200	MyBabylonTB.exe	44
PID 1200 wrote to memory of 1552	1200	MyBabylonTB.exe	44
PID 1200 wrote to memory of 1552	1200	MyBabylonTB.exe	44
PID 1552 wrote to memory of 2664	1552	BabylonToolbar4ie.exe	45
PID 1552 wrote to memory of 2664	1552	BabylonToolbar4ie.exe	45
PID 1552 wrote to memory of 2664	1552	BabylonToolbar4ie.exe	45
PID 1552 wrote to memory of 2664	1552	BabylonToolbar4ie.exe	45

C:\Users\Admin\AppData\Local\Temp\14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe
"C:\Users\Admin\AppData\Local\Temp\14b6b2ef72a4e0e4a28330aa401567ea89f39e029016267a83ae8850cbd5cb10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\crpEBD6.exe
  /aflt=babsst /babTrack="affID=121441" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121441" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\A5357F~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Program Files (x86)\Internet Explorer\IELowutil.exe
        
        "C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\A5357F~1\IEHelper.dll,RunAccelerator
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\MyBabylonTB.exe
      C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\MyBabylonTB.exe /lng=en / / /babTrack="affID=121441" /instlRef=sst /aflt=babsst /srcExt=ss /noFFX
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe" /lng=en / / /babTrack="affID=121441" /instlRef=sst /aflt=babsst /srcExt=ss /noFFX
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe
        
        "C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe" /RegServer
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.pdfbooksr.com/Dialogues%20in%20Public%20Art.zip
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\uninstall.exe

Filesize
195KB

MD5
d5cafd1094c003ed8b5ee0769d40468b

SHA1
36accbcc1114475aae0195d193f9d0a0d978cf6c

SHA256
938703cd98e89398e129ccbea6ae0546d8aa5eb90bbaf96c2ecf18f88852941e

SHA512
0395cf4e48ef1f49793eac95cb25089c4a7c24546af65080d8feecdda7532a461a13596cad928550926a90ca971ed7a9bd1cfb651ee1d1d18133e01912228d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
132c3f83f4e1c22b513388a23382940c

SHA1
7390153258fc40ee906d2187b2e880f8d4543978

SHA256
a75e5bb77b969d284853d46272421b4ef802bdc90df4d27d1f2d8a4d82652726

SHA512
09190cdc48722ebaedb5671c8f60804c4e85dcf790ec717b106f8bc1b100a3e44199fefbd059953ca60336c5a5b175295f95e2c9481ff87607e3bd6af4939d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fb0074fd3adb46ea1165505d4e7b289

SHA1
738b188201444c97656279e27708aef20d5a2b5b

SHA256
b947a761f8c89c90e99acb1d705c33ebb73a8f97e678f10f4b25ee0d8f8d452d

SHA512
4c94e09dfc9d28deb340429857423d92e295b44b8817d654f690172ca1b9a62d895e8d99f373706e3b5950aa8c6519e7a358aa720bf50f449fa3f47421500dde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efa0a1242deddac1203ebe8c6b110b02

SHA1
b2d18c023daa6c52a10a083f4dc3201e23eda92d

SHA256
e41d5541de7e3620e58bb1b479e8f569e1543473de81e8e6a7c0f1a84b6d701f

SHA512
ca96c4bd97ac09475cac8b9260335f7406318311c9eb4d16636c9c95c248d29f897073fee60bbbfdc8ab63b344c17333f6488181d6633af9a78bbd39e164dda3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edb1f4bb3834c6c77bbc8fcfe3119c76

SHA1
8c01caeaf103010756f0d86f1ebfb121314685b0

SHA256
220ef23d797efe1772c1261801ce0d99eccc3c6aa8f5ceb8437efd3f047b3815

SHA512
bae408a2dd1988783a73c2c0066ea2f0f0c5cf3d354df69d6b05d3e6b14a6605df5cd33804facfee36389de023c957ca11d39ecfa17c076bec87223ab6e6b3e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b0600ecfafa73a0fe53d3aea5ec7a06

SHA1
0610042fdbf1a214d29fd9cea45732321a554764

SHA256
23938cd3fcd9a533c0988f1de3bfdcf01ac40827094d59658ecd48f6265a328d

SHA512
3f24abb476552567f53c01e6a74e60d6a5200d23b4e438e954f1222a7ac21d9c4651e52706a7ca38f915766584b90a9b732a53194dbe9badc7ae82573c8063d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b8ccd21c2a536453563ede69f2816f6

SHA1
b526bd7cc40e6c8e2ac5aa0af196ea5c22e81969

SHA256
7b8f3df9c7449a4b4bf8a2350a966d8d1896638eca53edb425537aedfe987a2f

SHA512
7ede6e9df198f2c57f07662047f5ba2569c3c48b3b236dbf1bbb54a346e3c4ba37720a48a36119fe4bab964087c1484899483d16e892a23bf3047693fae494c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b8bede4c4eff8f74aeadc58140aabfc

SHA1
803896f48eea579769c9cbe02666d7165c755076

SHA256
e89f9f9f6fce5c413dca6396c0e28e8c22d8a317dd4ee3f6c129e125472269b0

SHA512
93925b63bbb9f7131061b77577586dcf55951c6210b2812ce3a29f02c2c1087f79f9466917064b3362a7e108725de9b8a59e22a0f74631472afd077cb9448a65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19935f83382ecf6906abebe6faa6b9d2

SHA1
554c46b62c00ff93e8344e52ec7e370ccca13ad6

SHA256
d7daaca952d7a7c332993df1d3777c3bda8c97b9b6ed2665184273785b39101d

SHA512
3991c6bddf7e22e43277549fcae2213de2ae4b1e4e242e60e59d43a66f1e5faaf9594aa355a90d1114629dfe6d6a8afd2896463066b6f44f0a72da1e32ebad02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf3d0e985b165ed2a231c9615abea357

SHA1
9766d63aabede8730c73b11c44f6d9014492a6cb

SHA256
67339174c36f354b5272733623ace562f66883150583aba1022d811eccb4eb75

SHA512
9170c6c8dce4487eb6af6bca3d5d237445c57ca429d6537a2c8327a6885dabfbb729db05ea59ba8fc868d0118be46d0b1afc1d2d2576c117e50bb974998e9ac6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
916b8452104ce3fde9f9f6728ba043af

SHA1
de7741e4b15b1d7cdbd542b5d393f0a04c7d2f43

SHA256
f1fd9e4d545f3788021f82154a30a956cd46e0bce0adc8e9d58388eeecebc863

SHA512
ad4cdcf482de4359c96f8c4334724fcb33bb52a97c3c0d22a1b3d2bfe18fde55211b5f6cf8315f7f94ec494b64fe2c0c6849e0b09d217aa03d9cebcfde53a673

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7193f11da4aa9f7429079da75deae606

SHA1
c8724a94e851f97bff7987f7c84888fed94d678f

SHA256
d807e5bb8eba0f5659279ac38db23bb6440454e291b1de6c720a66000abd8261

SHA512
51189a2033b1b17844f08493da619fe9997b81c0202efbc5cc21bade32a9808e305c116677acc0c6944a6f3b529c9ca6ea55bb72f4974bfee697db59a860822e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69693786f0851a8cfd05613116d317f6

SHA1
ce0b5fea27ee7d187cba817b37b997ce7cea3af4

SHA256
8d244791a3159f64d6073af9eac320218285665aeddecf7fd4936f37dc7f8c95

SHA512
dd25de3a1e9b45ae0806edd15ed2fb647ef2f8189938d9a515aeb27e2ef67b58cd7716c951456111ecbf7b4a52be4976c736fa9b01aa468dd973931b404be1cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef8c43636725785336c1b29f0249da00

SHA1
bf7222d5867cbfe9e41d8b31691960911fc043e5

SHA256
eb4c536bdd6416a65e598e09207b1cda6a3652e1138e2bc8c94f6c309a0d22b1

SHA512
416aac2b796a96e67e230514ee246bbafded9fd3702d27af9536f6f69345ef48e9aa1fc2996d8a2c1be8de0b715278c759076859cda8ac43df04c65b22509578

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83077d7f630aab98c570554e8fb6865b

SHA1
ea1a591fc3d41eb2bdba00a758d6b44a616ef8c9

SHA256
60ecde3d2f4278e160b3c2c7d6c60bb881aaac0430e14a71475eac26e89d825d

SHA512
96a4b3329623176ae66b5178ca8a877abe9e54e070ce3d03af4360b73352227220287b8eff9c5c599ee6502b334e9a1cfdb83ad85b46c2e3bc40aa40a5d944d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c45ba84621e283fda43459c3da267df6

SHA1
196d6506aa4f655563490457ab11f184191816f6

SHA256
a6c5d2322d3073a9420c835ffce9830ae34cbe3a0578e5277ecc8d95950c8ee8

SHA512
64bb784dc72f44331e02c22a2b16d55e679ce7750e6966ffb870597ac8d9b1b362d66bcc03fcfaac39495c8cd3a1148e1cdac864b79f714fc041bf418d0dec0b

Download Submit
C:\Users\Admin\AppData\Local\Babylon\Setup\Setup-tbdef.zpb

Filesize
1.4MB

MD5
85499627e8e83a35ba23cb860067b468

SHA1
758d2902f93e28b92c1f422b3d5e16d03835c3cb

SHA256
8b1b99fd1eb29d888fef74a3733d60e3c0b5af2405beea8fe2223fffae79f4d0

SHA512
bd2b00be1b78a37b6b8d6462c358045ddba18d46021c820dbc73c5f62309b0c08d5144d3a65666384a9ba646d6e942791b949b220969a27d307352db08dbc052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\8360YJZL\ww155.pdfbooksr[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\BUSolForMontiera.inf

Filesize
199B

MD5
bc3e8cc74871863fc921511e2e6cc88a

SHA1
653cab5ba2107004f9525849ff5625d64b83e4c3

SHA256
c9e2a3953cc5ea87716f2a9a16078adb2f9c60318c6f1cfc877885126cc0dd17

SHA512
85f4130758ea38e4ae823e6fbae7448fa780bd295bd177afb4395ddd118c019d1533238e963e5277be453a1cd7681667c4ab06b10004ab8ed890d6e0b9e0529d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\Babylon.dat

Filesize
12KB

MD5
825e5733974586a0a1229a53361ed13e

SHA1
9ec5b8944c6727fda6fdc3c18856884554cf6b31

SHA256
0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96

SHA512
ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\MyBabylonTB.exe

Filesize
1.6MB

MD5
7c82cc9aca3eb71e463ff607cd607e3b

SHA1
5ffcc47376a89ec39fba8516694fb37c3b7d2bda

SHA256
9c1b8b8b3372737fe355bb6f4f96fc9b04bcdda5f3bfbe9617d22cbc35a400ea

SHA512
7ef9e92153607646f9eb9dec4fd087e9523df523d4f06eff994698d79ddc4e8e1f681fde13e1eb888e5a85457db558b10ffaf190c17bdc98688a59a90efc4670

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\SetupStrings.dat

Filesize
89KB

MD5
407846797c5ba247abeb5fa7c0c0ba05

SHA1
44386455eed8e74d75e95e9e81e96a19f0b27884

SHA256
0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3

SHA512
7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\TBConfig.inf

Filesize
23B

MD5
e6d6dbe1e36a9ccc040369ab905e0d4a

SHA1
f7b40129e12f9f8ec3dae49d281ea1b8171642c5

SHA256
24d0d8de57d4bb9d88c6079d19b0efb51c18c8006ddb805fcc6cb7c302f94a12

SHA512
caa6c8ba543b92a49e41b736d560a3dd62651885f3c0c30ebb309e57bc77ec0dd1ccc20ebc6d4ff04d17083f112f3b6427356ff585ed40de6d08b51e6771dbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\bab033.tbinst.dat

Filesize
205B

MD5
90713ab7a74884cd36a5fb4cfcdece8a

SHA1
7bb56d08fd69a98e543b923bd0a9156f92a9c473

SHA256
bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb

SHA512
639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\bab148.spreg.dat

Filesize
249B

MD5
a4af0a0c254b38f2f9eecbf0e00b08fe

SHA1
ef730bce77699730dda378dc444b997ce7ceea7a

SHA256
810e0e32d54b9e1557da7ccf1ca9f6354814e90dadc6b4af5e1cbdf87fac925a

SHA512
b74596e55e75413303559c135db393a04d6fd6cbab147a51ac2f46435f52b92b82868de4e67917a7b388d82c672fa36b525b88e2eefe7ec40695f028395dcd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\bab187.wl.dat

Filesize
234B

MD5
6358860cd0c336c1f91f86be701d77c4

SHA1
5dd38b818bf0860b4c5144ba670a759d4345e4ec

SHA256
2ed42e3c958eb21352bae4b00db2fa5be94149abc64eec93e5258b9c4a715457

SHA512
7df3b3e1487d3a65000b6208969f1e695815133c052f369beb36877fe5c6f64d979aefd030a193b04a5e46fb0d97a3cc06837aa381efe6bc24a0c084c768dac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\bab307.sp_pop0.dat

Filesize
178B

MD5
0b7be9c4b72c2c5166bfd61ca5ebbfed

SHA1
aea0aa4e8226c1b4efce92e909da773744baa6d4

SHA256
673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd

SHA512
4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\bab456.TB_OldWay.dat

Filesize
174B

MD5
7e72d256e34635d351092955d1f8516b

SHA1
7f240f8f4bd61ae59247d84d0ec85f5bc8729f36

SHA256
39eb1667a67149b5d930e5408896027e3c3fc06282735e61cb8d85f5b38f587c

SHA512
621eb4bf2864db2fa0f861c233ced790124e9060c081948beb7117f8c058a36ecca23ee05ce2d6d42af15533c050f648d276589682d91dfe699ebe871cc9ae8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5357F~1\IEHelper.dll

Filesize
6KB

MD5
a21de5067618d4f2df261416315ed120

SHA1
7759a3318de2abc3755ebb7f50322c6d586b5286

SHA256
6d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca

SHA512
6b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3AC1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3AE3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuF3B3.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuF3B3.tmp\Processes.dll

Filesize
56KB

MD5
cc0bd4f5a79107633084471dbd4af796

SHA1
09dfcf182b1493161dec8044a5234c35ee24c43a

SHA256
3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c

SHA512
67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuF3B3.tmp\mt.dll

Filesize
7KB

MD5
4fae8b7d6c73ca9e5fc4fe8d96c14583

SHA1
10865e388f36174297ec4ecdafd6265b331bfdcd

SHA256
069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f

SHA512
73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KR7ULG8F.txt

Filesize
297B

MD5
022296d6b9288540463aa156cb30d9ac

SHA1
3a0ead37c30e9d8f8c6739e10dc0b50dd58e664c

SHA256
80603d348fb6066ed918c01c468a246eb2f36df02e5d5863840880b55a2e4cdc

SHA512
7e36e9a6a11ddbf7d12fa24431407bba40b5e686baf4c651c2dea99cd65a0208eb2787cff922ad645fd9511e3a652730096006d1083ac8444aa9392746116f4a

Download Submit
\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarApp.dll

Filesize
307KB

MD5
a3d75a31cf0dbe0f3a6d70ac3b06775f

SHA1
9810662290f2fe96bf0883ccc9e210fa7318d486

SHA256
49a42460f5ba5706919d8cd31c2fd77a698473830459375ecb007527d0ab5d09

SHA512
88aca7198e3e2c7e2fc5f0245d0b23c548cfcb4d143b46f1ab8c7ce3cc50f96670a67dafd4affc1a3b727f8be880383e7880c98d9ac3b475b3a15991e5a4ad8b

Download Submit
\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarEng.dll

Filesize
566KB

MD5
3aa58b7922fe6ea9a1d596d271cb9060

SHA1
9326a20660e8039e9ad8bb4c384f2b00007201e2

SHA256
8bb023161e8163eba6ebfd1e76567ee5674d67c32c0fbf233e36791777476bff

SHA512
c3ac17d6425890b1c52949ace7848109b09a52139d4059b7d777992c22a7b1b8ca18f42d79e5b8a973e57a20652d4ab73a2e456b05843de5d37eea4c97b7394d

Download Submit
\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarTlbr.dll

Filesize
312KB

MD5
da4797ec88cc756c55e04c1f335c01bf

SHA1
488dd0ca62ea5b0f3294c9c09e0e5b0123e2baa7

SHA256
04941cbdd74aaaac3ce9ae4a001eaaeccde37a1acd8bd026af0d68d2405a3b31

SHA512
5263d87563025034f98a25076048fb75de1c198ac4b32cb584e65e411cc79a58d6d6eeeaf3745cb05e8cce374809609a8c9f9bc14880358581dcacf3e6190fc6

Download Submit
\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe

Filesize
374KB

MD5
84035e957a892e12ab74aa9cd4160f7f

SHA1
19ff35e966b79b29d05553cc70b51047dfee3bc5

SHA256
0a3331f3f867a38f7474ab7c620c4e82fd37109c006588de5c588bf7e4a4fe05

SHA512
a5e37bef316240ab50175336d4ee39047aac907f103fe045d9e14705b2bca8da71af0066541ebb43483c6241029c743046637f5d2cef4422e72891d3d09845be

Download Submit
\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\bh\BabylonToolbar.dll

Filesize
242KB

MD5
d2dfa8819b1714d444f0b100c403d3ed

SHA1
bdd79367762dc63966342223df21884b45805530

SHA256
3b5c3ba7c3061b1bbab546c1733f09cd4e240e1b07c028c80de73643502015fe

SHA512
ecd16ced6f2db7b06a67b8eb99e9cc39b91b12bb45e5f84e72776924f7fb69c17a403caff9e60efe0ede7eca6d3e6dbba7504cb10a4784b269387ebf2fb8c5d4

Download Submit
\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\BUSolForMontiera.dll

Filesize
105KB

MD5
64bea1da4d76085d0a47ed21450401cf

SHA1
296d8b511c0f7b8b7d0791c522db553f9461ba35

SHA256
80924cda632e20e1ead804b67fe64ce87c2b6dacbe73b9a2ee1904d402b2ea9d

SHA512
f4644bcd3dff71648209caa2d7489b0cc87050271cbddf875439cb4eba3e3fa400acc29703cff231f6a1c6f2097697f2f4387ca265682d8e4185a1242dfeb2d8

Download Submit
\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\Setup.exe

Filesize
1.8MB

MD5
26f6d1b6756a83de9755a05f7c030d75

SHA1
935f58155f74b051f9123b6022b7d358b52b146f

SHA256
2acab7c986bbf80578c3bd998dd2d853257719ceb74c9d30bb4ea28952403d5b

SHA512
af9603572bddb6244a7ab0484cb3ac9ed7c91b1cea3e3f8c8886478930dbc102925b45ed094eaa2801755644e3bb4a4c0685a423f937f4b02af16feec56e4f6f

Download Submit
\Users\Admin\AppData\Local\Temp\A5357F0D-BAB0-7891-978F-3C8CF05A7C6C\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe

Filesize
1.2MB

MD5
5b34d794ec99c2b883d7c1affae96055

SHA1
54b894d8f473b3beb1037af57d4490fbbf623a66

SHA256
d8c7c0fdc6f24d58850b0838f27521d501e67d5c2eb712d9643c17a8e24112b6

SHA512
21eab533dddd3ae02d34ed695ae231202636407b50cf16df741bcdf617780ff51ff95d532b98dfb2d1430fd8c6a54b59265d873951bd960b0af2c68b1a1c9f45

Download Submit
\Users\Admin\AppData\Local\Temp\crpEBD6.exe

Filesize
767KB

MD5
eb2764885565b6c01cb32e5f51f213b3

SHA1
cc41cadbbd6ba6ed0bfdd17798b4c9f94d7955e0

SHA256
d7146999ff94b3ae092f3213ddf0217615f1d38798393b66778d11aae2b68eaf

SHA512
ac88795b2e8260ace9eb57d2a3fdc4aadb18e2cb0afd780459f51d25f83b34f7033425dc712655e423eba4e011fd2776f53463042f2c2d9dd427554c04cc840e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF4CB.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsuF3B3.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsuF3B3.tmp\Time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
\Users\Admin\AppData\Local\Temp\nsuF3B3.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nsuF3B3.tmp\chrmPref.dll

Filesize
208KB

MD5
241d60c30189b740c9086e34ff259e66

SHA1
7be0132de11c34018b6326d1de20fe9f20dea790

SHA256
8b3d8f239f11b53bc28f645546696441446e9a593be59cbf604fcc28a7e6d474

SHA512
ad342cea73ba3f7e7afc57828abc7320c0c5e39e20f5b06637c565a2b4579f05d81540e02b094776abbb17b021712a0f28e5f62637d8cea04b832e79252dd5fc

Download Submit
\Users\Admin\AppData\Local\Temp\nsuF3B3.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
memory/1200-1455-0x0000000002DF0000-0x0000000002E02000-memory.dmp

Filesize
72KB

Download
memory/1552-1191-0x0000000000360000-0x0000000000369000-memory.dmp

Filesize
36KB

Download
memory/2852-41-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download