b9b8c850493be6e607e8889371bcb565ac25fada7d27cca10230e50b253b3cd6

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe
Size

933KB
MD5

fc281301d3036bd01fc4ab1a48dc1730
SHA1

9e6b52a0b45ad7bd4d55a98c20b1e15d121a5650
SHA256

1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197
SHA512

fffb60febbca27c3a7a2a6f850bdcb2e6cdc5b170149970e1a9ef00c6f710eb42dc969c6fceda0e0b5e8ad1195a7c217df939cdb398fbfc68d325bc33c058256
SSDEEP

12288:RN1905Lqnnl2Zg0gnW0X7X4sonr1Wqb1bqUXo529tVHP9pwgUVDT33rzzNedKEYl:H8qnnvGRWI0Gnl3UVP3zYG

Score

7^/10

adware defense_evasion discovery spyware stealer trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral8/files/0x0007000000023d59-934.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	MyBabylonTB.exe

Executes dropped EXE 6 IoCs

pid	Process
2320	crpDA25.exe
1840	Setup.exe
3504	MyBabylonTB.exe
2204	BabylonToolbar4ie.exe
3796	BabylonToolbar4ffx.exe
1664	BabylonToolbarsrv.exe

Loads dropped DLL 64 IoCs

pid	Process
1184	rundll32.exe
1840	Setup.exe
2756	rundll32.exe
1840	Setup.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
2204	BabylonToolbar4ie.exe
2204	BabylonToolbar4ie.exe
2204	BabylonToolbar4ie.exe
3796	BabylonToolbar4ffx.exe
2204	BabylonToolbar4ie.exe
3796	BabylonToolbar4ffx.exe
2204	BabylonToolbar4ie.exe
3796	BabylonToolbar4ffx.exe
3796	BabylonToolbar4ffx.exe
2204	BabylonToolbar4ie.exe
3796	BabylonToolbar4ffx.exe
2204	BabylonToolbar4ie.exe
3796	BabylonToolbar4ffx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper"	BabylonToolbar4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\NoExplorer = "1"	BabylonToolbar4ie.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/files/0x0007000000023d59-934.dat	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\uninstall.exe	BabylonToolbar4ie.exe
File created	C:\Program Files\Mozilla Firefox\extensions\[email protected]\defaults\preferences\babylon.js	Setup.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarEng.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\bh\BabylonToolbar.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarApp.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\escortShld.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarTlbr.dll	BabylonToolbar4ie.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpDA25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbar4ffx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbarsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MyBabylonTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbar4ie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral8/files/0x0007000000023cd6-190.dat	nsis_installer_1
behavioral8/files/0x0007000000023cd6-190.dat	nsis_installer_2
behavioral8/files/0x0008000000023cef-453.dat	nsis_installer_1
behavioral8/files/0x0008000000023cef-453.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\AppName = "BabylonToolbarsrv.exe"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\Policy = "3"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=121441&babsrc=SP_ss&mntrId=4b39194a0000000000006616490a4cc6"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=121441\|trkInfo=\|visitorID="	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID=\|URI="	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC} = "Babylon Toolbar"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\AppPath = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10"	BabylonToolbar4ie.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=121441&babsrc=HP_ss&mntrId=4b39194a0000000000006616490a4cc6"	Setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\VersionIndependentProgID\ = "bbylntlbr.bbylntlbrHlpr"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ProxyStubClsid32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc\CLSID	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\VersionIndependentProgID	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\InprocServer32\ThreadingModel = "apartment"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10\\BabylonToolbarApp.dll"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\1.0\0\win32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10\\BabylonToolbarsrv.exe"	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\LocalServer32\ = "\"C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10\\BabylonToolbarsrv.exe\""	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\TypeLib	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ = "IxpEmphszr"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\excTlbr = "false"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\dpk = "c25e1ed157a09bdf29decde26d2da45b"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc.1	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\tlbrSrchUrl = "http://search.babylon.com/?babsrc=TB_def&mntrId=4b39194a0000000000006616490a4cc6&q="	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\postUninstall = "http://www.babylon.com/redirects/redir.cgi?type=mtbuninst&instlRef="	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CLSID\ = "{2EECD738-5844-4a99-B4B6-146BF802613B}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\VersionIndependentProgID\ = "escort.escortIEPane"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\InprocServer32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10\\bh\\BabylonToolbar.dll"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ProxyStubClsid32	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10\\BabylonToolbarTlbr.dll"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID	MyBabylonTB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ = "Babylon Toolbar"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc\CLSID\ = "{291BCCC1-6890-484a-89D3-318C928DAC1B}"	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\ = "escrtAx Object"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\0	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ = "IXmlCnfg"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\VersionIndependentProgID\ = "bbylnApp.appCore"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1\CLSID\ = "{98889811-442D-49dd-99D7-DC866BE87DBC}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\1.0\HELPDIR	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\Version = "1.0"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\b	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc\CurVer\ = "esrv.BabylonESrvc.1"	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}	MyBabylonTB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc\ = "escrtSrvc Object"	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\VersionIndependentProgID	BabylonToolbar4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\instlDay = "20119"	BabylonToolbar4ie.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\CLSID\ = "{2EECD738-5844-4a99-B4B6-146BF802613B}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ProxyStubClsid32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}"	BabylonToolbar4ie.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2692	msedge.exe
2692	msedge.exe
864	msedge.exe
864	msedge.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1876	identity_helper.exe
1876	identity_helper.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
3504	MyBabylonTB.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
1840	Setup.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1840	Setup.exe
Token: SeTakeOwnershipPrivilege	1840	Setup.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1432	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 2320	1432	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe	86
PID 1432 wrote to memory of 2320	1432	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe	86
PID 1432 wrote to memory of 2320	1432	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe	86
PID 2320 wrote to memory of 1840	2320	crpDA25.exe	87
PID 2320 wrote to memory of 1840	2320	crpDA25.exe	87
PID 2320 wrote to memory of 1840	2320	crpDA25.exe	87
PID 1432 wrote to memory of 864	1432	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe	90
PID 1432 wrote to memory of 864	1432	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe	90
PID 864 wrote to memory of 992	864	msedge.exe	91
PID 864 wrote to memory of 992	864	msedge.exe	91
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 1708	864	msedge.exe	92
PID 864 wrote to memory of 2692	864	msedge.exe	93
PID 864 wrote to memory of 2692	864	msedge.exe	93
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94
PID 864 wrote to memory of 1800	864	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe
"C:\Users\Admin\AppData\Local\Temp\1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Local\Temp\crpDA25.exe
  /aflt=babsst /babTrack="affID=121441" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121441" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\39D99F~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:1184
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\39D99F~1\IEHelper.dll,RunAccelerator
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\MyBabylonTB.exe
      C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\MyBabylonTB.exe /lng=en /babTrack="affID=121441" /instlRef=sst /aflt=babsst /srcExt=ss
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:3504
    - - C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe" /lng=en /babTrack="affID=121441" /instlRef=sst /aflt=babsst /srcExt=ss
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2204
      - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe
        
        "C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe" /RegServer
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe
        
        C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe /lng=en /babTrack="affID=121441" /instlRef=sst /aflt=babsst /srcExt=ss
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3796
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\39D99F~1\IEHelper.dll,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
      4⤵
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pdfbooksr.com/Fred%20Astaire%20A%20Bio-Bibliography%20(Bio-Bibliographies%20in%20the%20Perf.zip
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec7a546f8,0x7ffec7a54708,0x7ffec7a54718
    3⤵
    PID:992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:1708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
    3⤵
    PID:1800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:1788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
    3⤵
    PID:4248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:3736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
    3⤵
    PID:1996
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
    3⤵
    PID:3448
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:1060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
    3⤵
    PID:4456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
    3⤵
    PID:2272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3515448481772045800,5995470922960307848,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1344 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarApp.dll

Filesize
307KB

MD5
a3d75a31cf0dbe0f3a6d70ac3b06775f

SHA1
9810662290f2fe96bf0883ccc9e210fa7318d486

SHA256
49a42460f5ba5706919d8cd31c2fd77a698473830459375ecb007527d0ab5d09

SHA512
88aca7198e3e2c7e2fc5f0245d0b23c548cfcb4d143b46f1ab8c7ce3cc50f96670a67dafd4affc1a3b727f8be880383e7880c98d9ac3b475b3a15991e5a4ad8b

Download Submit
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarEng.dll

Filesize
566KB

MD5
3aa58b7922fe6ea9a1d596d271cb9060

SHA1
9326a20660e8039e9ad8bb4c384f2b00007201e2

SHA256
8bb023161e8163eba6ebfd1e76567ee5674d67c32c0fbf233e36791777476bff

SHA512
c3ac17d6425890b1c52949ace7848109b09a52139d4059b7d777992c22a7b1b8ca18f42d79e5b8a973e57a20652d4ab73a2e456b05843de5d37eea4c97b7394d

Download Submit
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarTlbr.dll

Filesize
312KB

MD5
da4797ec88cc756c55e04c1f335c01bf

SHA1
488dd0ca62ea5b0f3294c9c09e0e5b0123e2baa7

SHA256
04941cbdd74aaaac3ce9ae4a001eaaeccde37a1acd8bd026af0d68d2405a3b31

SHA512
5263d87563025034f98a25076048fb75de1c198ac4b32cb584e65e411cc79a58d6d6eeeaf3745cb05e8cce374809609a8c9f9bc14880358581dcacf3e6190fc6

Download Submit
C:\Users\Admin\AppData\Local\Babylon\Setup\Setup-tbdef.zpb

Filesize
1.4MB

MD5
85499627e8e83a35ba23cb860067b468

SHA1
758d2902f93e28b92c1f422b3d5e16d03835c3cb

SHA256
8b1b99fd1eb29d888fef74a3733d60e3c0b5af2405beea8fe2223fffae79f4d0

SHA512
bd2b00be1b78a37b6b8d6462c358045ddba18d46021c820dbc73c5f62309b0c08d5144d3a65666384a9ba646d6e942791b949b220969a27d307352db08dbc052

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\Preferences

Filesize
8KB

MD5
cf0d3048446317fb6c76bb83e746ac03

SHA1
58c9ca948e2544331fbf80592e0b3fc033d51527

SHA256
3f9acff24d91729ad2d4cdc09eb694f3a447921b5ba199d785a17cf7f47163ac

SHA512
1fb1cc4addac597ef058c618c438c282bc5b268f24b5b467aa50461684370f3322d3a3eadb02947a6cad378b32062aebda764590fdcfb52de68c0eb0bd3199a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
50236cd957789ed0d1b6564c7f0ecfae

SHA1
4c9e4dac57ab9ffb5bc55154d6ff89f1e6c1d5f4

SHA256
5820467c07d06249a1462b7c9deeb0801a8a6475ea19637397b9bbbc95f90fcd

SHA512
1cbf4be5224fecf811bf81361d6d282810de016194b17e2002d510287d384048272215b813838912eebcdddb1f657ade0aa3c122871c9d636b6a8fa8e74535d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0504c0d0b9c007a767de8a404f2ec484

SHA1
73b1066ce283079341bc94a3e5c65535f0523145

SHA256
3469f4679beea250ce59f3fa4721e48f81587735f44e0fa2b70638b78dbf8a2d

SHA512
c6c0c6edbaab3b92832c4140916e99ca6725b79e5d3a43ad59ebd94a567458ef79923e2236b43344ecb6fd75442d0c7779b024edbd1bf9035a2a86ba7e5ce606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
dd8597ac46fa4abdb345f4306855b4c7

SHA1
ca8ded8fad18beb8d582668d2be5698161300c2f

SHA256
bda75939ad707b27087ebc30c99e033f8cb52d00fd5f43c5d2ab08e2ac936dcf

SHA512
1c7121d5a928adfb3e635eb07f607cfbdf13e3245618b6f6ada85c766dc8b6e6086fcfb3f8a6e246a2586473427933b27ec4482da533da8ee2b3dbb30238dfdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
29cbfa0b9522f057d45cb63e4220acb8

SHA1
e6e451636bc023ca1ac8b1a0d3c927cec0fafe64

SHA256
e5bda8aa6e5f7e304692a2967d6396029568a5449f72a09ddcf37666ac0aac33

SHA512
28a80865ed18bd879619dcc5579298921ae7612f386765e542f988d8d18af6a0a00abc908511992ad2752e80aa09333aec6075ec7f9200c36b10f2f79074efba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
081f5c11a0a984fdae4e4e5c14db5b66

SHA1
3420a597eaf92bc0148a8a7f6131715132bde8ac

SHA256
46c396201db36d6299c66cbff67463c83a26fa6ea00ad5fb5a606afd3bae335e

SHA512
84e5cb7caad39544e17cfbd547599026926f04b5a4b0a1b56b4ff8095272d534c467e260cbd88b6d6ebf225ca783e872609947b6e0a2dfd4164bfb5c834d8624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6592a41ff8541be9767beb782688eb62

SHA1
3ddb1593e4fea492c4635564a23f7ef492e0f173

SHA256
0d052addb657947d37f41e44c6166d78810dfef9cfbc85d6984047cde349255c

SHA512
9f3bd851c071ab17ea70c049a43eac605443b2c84d186f230d79d8def1759f9c7145e37090ba1a8a402ac0fddfb144ee3a3e9c0391e6aa3fdd993590c998b518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
357dc5e4c0db99df67c7321a6270f3c4

SHA1
ad5286c5d28f3608ca40c0134745fccb403e276d

SHA256
35f0bf5046e8cd80c5f8e94d99127d6441e58e63f033d5f286dc59990028fe6d

SHA512
6c36724593b13953697c99949c7e826740593f6757c0fecdf0f8f000179a41c14ba7c50ca1623783fcb847938508954baa31ec4b094f2b17415a47e8dd44a720

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\BUSolForMontiera.dll

Filesize
105KB

MD5
64bea1da4d76085d0a47ed21450401cf

SHA1
296d8b511c0f7b8b7d0791c522db553f9461ba35

SHA256
80924cda632e20e1ead804b67fe64ce87c2b6dacbe73b9a2ee1904d402b2ea9d

SHA512
f4644bcd3dff71648209caa2d7489b0cc87050271cbddf875439cb4eba3e3fa400acc29703cff231f6a1c6f2097697f2f4387ca265682d8e4185a1242dfeb2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\BUSolForMontiera.inf

Filesize
199B

MD5
bc3e8cc74871863fc921511e2e6cc88a

SHA1
653cab5ba2107004f9525849ff5625d64b83e4c3

SHA256
c9e2a3953cc5ea87716f2a9a16078adb2f9c60318c6f1cfc877885126cc0dd17

SHA512
85f4130758ea38e4ae823e6fbae7448fa780bd295bd177afb4395ddd118c019d1533238e963e5277be453a1cd7681667c4ab06b10004ab8ed890d6e0b9e0529d

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\Babylon.dat

Filesize
12KB

MD5
825e5733974586a0a1229a53361ed13e

SHA1
9ec5b8944c6727fda6fdc3c18856884554cf6b31

SHA256
0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96

SHA512
ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\MyBabylonTB.exe

Filesize
1.6MB

MD5
7c82cc9aca3eb71e463ff607cd607e3b

SHA1
5ffcc47376a89ec39fba8516694fb37c3b7d2bda

SHA256
9c1b8b8b3372737fe355bb6f4f96fc9b04bcdda5f3bfbe9617d22cbc35a400ea

SHA512
7ef9e92153607646f9eb9dec4fd087e9523df523d4f06eff994698d79ddc4e8e1f681fde13e1eb888e5a85457db558b10ffaf190c17bdc98688a59a90efc4670

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\Setup.exe

Filesize
1.8MB

MD5
74af846f2ad4aec60779623fc8bbcd83

SHA1
9f2fbfe260c9111f88e8edc6dfc068d08c1491c5

SHA256
f795ffc4c850a6a214aac740258c6560a72a5a5c1759bb9cd231df2e1a271edf

SHA512
157e612a02e0a6ca87f5d8b572950cc85c8980641bc1f973b20836c1e91d0df0a132a58191a99efdba0b5c4923bc412083b833a12a1ef3554ade745c07a2605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\SetupStrings.dat

Filesize
89KB

MD5
407846797c5ba247abeb5fa7c0c0ba05

SHA1
44386455eed8e74d75e95e9e81e96a19f0b27884

SHA256
0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3

SHA512
7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\TBConfig.inf

Filesize
23B

MD5
e6d6dbe1e36a9ccc040369ab905e0d4a

SHA1
f7b40129e12f9f8ec3dae49d281ea1b8171642c5

SHA256
24d0d8de57d4bb9d88c6079d19b0efb51c18c8006ddb805fcc6cb7c302f94a12

SHA512
caa6c8ba543b92a49e41b736d560a3dd62651885f3c0c30ebb309e57bc77ec0dd1ccc20ebc6d4ff04d17083f112f3b6427356ff585ed40de6d08b51e6771dbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\bab033.tbinst.dat

Filesize
205B

MD5
90713ab7a74884cd36a5fb4cfcdece8a

SHA1
7bb56d08fd69a98e543b923bd0a9156f92a9c473

SHA256
bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb

SHA512
639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\bab307.sp_pop0.dat

Filesize
178B

MD5
0b7be9c4b72c2c5166bfd61ca5ebbfed

SHA1
aea0aa4e8226c1b4efce92e909da773744baa6d4

SHA256
673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd

SHA512
4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\bab327.ff_2.dat

Filesize
179B

MD5
acc576624b76c140ce6e78885d279efe

SHA1
f5816e66ab9da86bdff210f96399078c36a4af54

SHA256
78dc1600b62ca4aac2ce5c94f7b1973800349ac56804aba4b17c410e0fff4c17

SHA512
449cdfa0a93191ae9d109c689f09ed444ccf53a4b087a9e5005527561c1598233d05396d1b118db6fe6d6dc45c6dc9909238200f8fa8d4a4dbf903deca19201b

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\nscEED6.tmp

Filesize
114B

MD5
4221b6382c6cb300ac6aea49eea6b066

SHA1
ed59d159efa4a96efb988ce7478347cf15b60253

SHA256
b760a077039e396d2f49d83eb7b2fc6422c97e10d737640cc00f894c3181a7f8

SHA512
f52d36a7cb705ea0bbfb516bd36dfd614d5e68c73995a958dc15fe405507b7921bae6d8ca84e2cc80cc743aad308b5cb7e84cda216a7468f908085d681e226eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\nswEEB4.tmp

Filesize
364B

MD5
c9050d020c0b459f0eb6ab1b89c6cad4

SHA1
7a1b72e7c784006bed198bc5cd23fe1b21732bdf

SHA256
1af1bb393e689dcbe7e99f135cd41ea441dc7aa0adbf0b1492d31d6f27767e9f

SHA512
5bd05d78e4637b10663797ef8e7c400c85274d4e1aa991438638d2cb2de580cb26632d73e29370d67376f64c2eec225ef9bece082634912b76869559c6433409

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99FDD-BAB0-7891-AB85-D5FE33396A3E\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\39D99F~1\IEHelper.dll

Filesize
6KB

MD5
9cb62aa0c5c554f2557d29d1601c8347

SHA1
f2fb5115b7d03e90f6e9d4b1f6e882385aa00f5f

SHA256
a65ba80d23494077575f505c20c9f9516aa21b9bded2b7032b6d5e7bc1737fa5

SHA512
0a325a02c323d52c9f374bc22e5182f5f49f485a689b6ca561196222ff18127f84ea7a48ac438277b9dcd1237c983f03eab54606eacbb1f79aadb0a0f84f0cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe

Filesize
1.2MB

MD5
5b34d794ec99c2b883d7c1affae96055

SHA1
54b894d8f473b3beb1037af57d4490fbbf623a66

SHA256
d8c7c0fdc6f24d58850b0838f27521d501e67d5c2eb712d9643c17a8e24112b6

SHA512
21eab533dddd3ae02d34ed695ae231202636407b50cf16df741bcdf617780ff51ff95d532b98dfb2d1430fd8c6a54b59265d873951bd960b0af2c68b1a1c9f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nseF3C6.tmp

Filesize
1KB

MD5
1a136ddcf8376476c7ce0c4dc2d37b4f

SHA1
e8d657c2e0a57eb828e7c1ef5cfef87cefebe2ea

SHA256
0782289bbfc3f403dc48354f40fed8b4e9a753b3b89eb7f7d4a6e4c415f102c3

SHA512
a1e2827b81f6e4d0c8ee3eb2a145427b44991df8f45c9c28f551c6279b3226c8e760d037bab01521ad63e7d792579a24785cee15b06c75b3657eb7239f19781c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nseF415.tmp

Filesize
1KB

MD5
851203b33cccc1b879a85ca5fdc773a2

SHA1
251854beaaaa3e82335877eeb62569775d20a5e1

SHA256
358d29990a95dae0a3b130450ecdac0db03db03a09e0edb953dd7aa2114b514c

SHA512
e4c6e81c51b8eba8b0de4455d473a48aad5e6f5e454f4b8f19e842ad925a8896962a42ac2e8cd1bbd686cff4dfc8acf563f8b4a3095825b4ef80cbce6b5883f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nseF464.tmp

Filesize
1KB

MD5
f371c7ee34011aa5dfdd23d31a4a2e9b

SHA1
90b2bc33003cabefbb519f652cb517fc1543c7aa

SHA256
5f7897c00c65ffde27ed3dce0ce4250da6c7af6ee2b944302eed09b5e73d176e

SHA512
00cb84bbda855ae7e7a9430820ff5a844dd4399045d386e912101b505718447b243c4a67baea8a125584c63809ebf26397c74f61304e935280ad72a400a3625b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nseF54F.tmp

Filesize
169B

MD5
aa7146096c0845579768f90d28796aff

SHA1
141d990a6712ce0a851f30a42a981d584bf366fa

SHA256
90c1e96183cdf31b0008a36646233b2f474408c4be3ec889a3f8b28db901c551

SHA512
f41bdc67249f30f60f7200ccfa0f287ab688ef8b2dcf8d5f758744e8e51edb9b5ce2f186cbb09faf91cb52e82d95c0b70bad5c478768fefc55f82dab0f108386

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsfF5F5.tmp

Filesize
849B

MD5
4affb227ade28ffc82f4da932a94ca0b

SHA1
5be48992407d6fda88ebf7aabc63f8e6007b741f

SHA256
51debdbc5e9bc0b546cb0ac1d88927910eeb048135d82056cc9971f9454d2862

SHA512
5319653d8d839fd52b1dc7a55fb595013ff1524a980c9167533babd20653fb599767b252072308026219fc5132313a418027a5acef2a14d0603edfa887be8c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsiF12B.tmp

Filesize
1KB

MD5
1a62163e8078d652eecddbd978b52911

SHA1
901be4bf861a04089f8078bfb374308a820133cc

SHA256
511d1a662efa1434b9337439a657fb05e65340a03decf7d8eccf0864f19e26c4

SHA512
06f3b51a7b9190dd163f25f94172da4abccce09cd6c7b7980c3448dd63e4e35af92905f57033e57bdb4ad8f4ae9f949cf96c59caac3eebb4ded2a7b1a4cc4352

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsiF20A.tmp

Filesize
1KB

MD5
14bca1c44ef76bc422589fd70ff0bac1

SHA1
9744c569294f1358ee4649a1cc377c05685ee188

SHA256
5a486dbc280d319d203b287d8373c1926f118baacc2025140eb327fd7bfc3d85

SHA512
c1ae89ce36423dd6500f818dbc83aff669eaf64802c63890401634cf02c39fe412beac9e36ba6310f81537ee019ffefcd7adccb70e5db669138f72b7c4d32b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nskF571.tmp

Filesize
389B

MD5
0acc7c22349311de464e38b5948bd7bd

SHA1
6f0be773b88ba3ff450d4b6e2c150862b66a3394

SHA256
04c878783318192783f5fb9345354274df6ca9550343bf32506eb5e0612052fa

SHA512
fecd0812d98fb4287c150e2ec8a1b4d1148ca9554414b9c1b48c1296e635920418b8bbe0ede5abf8796e3b65ace7843ae4439535fe2d6d5cbb39c100598ca801

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nskF615.tmp

Filesize
905B

MD5
b89a2e8059dcfdc270f827dfc5c820aa

SHA1
1fd56ebdb61d2fb30a1ac5544143d5a4b75ed44a

SHA256
466ecc38a8ef5b19cd6a844cdbfcbb7bc46a2f01ea43c9a36e32c6cde0e7ae9f

SHA512
00b21e0538fa9d6f43edc1a5299729cc29f429a4ddc951ebfc4843e1dd0a88966972f685b25e865b79861d291527bc86d508749171c9d070cafe161b3aa65484

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nslF7F4.tmp

Filesize
1KB

MD5
8a1ede0cf66155c847dda05284503498

SHA1
7933d0c228e424622340b00e613fc42974c2e99a

SHA256
103f9009c307569e39299d3269884a560cb3a54807f5244f5b97026d67969934

SHA512
2f49ac7b6f481920299b7a599353f2e6e533aee6f49b371dbfcd5cfc2eaac119691e5090586e120373b910e79cd00b7eda6920dc96634f5a885a471977e94be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsnEFFB.tmp

Filesize
419B

MD5
e36113def65e7fcbdd2459e926b9a828

SHA1
d61134f5732a66e25626265a7eb90ae3174c8a24

SHA256
cbc88630294bae69c2de0d376d24c1f9af627f9a748b35569db9fcee4e653100

SHA512
0e337c33bccc42f636059c197806a895b38603537e85a3caf651ba1ff24b1755f9840516aa64f4dcd1a96453824a7ef114eea7690daa592c2d7a415a502880f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsnF0EC.tmp

Filesize
974B

MD5
44980ac399f2a28ffe7c18923fd936b9

SHA1
c1dcf34a305c536c4d9743ec30a218055fa25f22

SHA256
bf9aa720e7384d25c099131b5ae08e64cd818671ec9f39e0e20f9c4f7c000dbf

SHA512
2a23e5fde373c7eae9b3cb4d21640e9e804118c1c2d92dbc09493e8b5a852a5a3311150eab9ffd06cf61a4390addba46c3aba98c7d9e49e9e2bf91ee5dd14b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nspF5E4.tmp

Filesize
784B

MD5
e1295d50f5dfcb4740e194a814d8d6ff

SHA1
97ac09f46843fc68702ea32f08d789ed6bde389f

SHA256
05ec0e114f020ecbe704c62a327384dc04c064db91526a0d93f182d933fc31a3

SHA512
4603ce7d47d8aa02761ae71fcd1714abe912938f4f443bb43b3cc8df4fd40aba795c09f526121bcdf3c7349f8852420b931da750b51a934d11297388a047fb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsqF774.tmp

Filesize
1KB

MD5
134c25589c9e7102f23f139f9df14ac4

SHA1
9fdecebfee501565868eef1af984dbe88e74a11e

SHA256
87461bcba18f990f7b226880bf09966e7108af3ea00dd9d6e96c2479aaf7995a

SHA512
dde67433627f177c036a26686e3aa6d4b9d4223e08a35ce5a94a039a8859c2f7ffa5566316a44e8c3fb718a18293d1a0e366841b911dd21763f5834f775e68fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nssF01C.tmp

Filesize
639B

MD5
707b82172c2ab2558af05d6f96e9f199

SHA1
8cbc7b35ef2505d315913d8dc49505d6058472ba

SHA256
fde7385cb4144007996087ccd58329389be1c6af3416f6a3426828f0b6f5e31d

SHA512
dbab1c75de14b896e8f67451f629d47a9971d7d17074a7ae7d39720935b09ce46101fcbe89066bbca6fcdd16d4b954ff3708db8c459253106b2575167e9b39ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nssF15B.tmp

Filesize
1KB

MD5
94c75cc18877d14e74020a653438c064

SHA1
016ea69a4f994cd2684d1262018e57ef119d088c

SHA256
f2a3739a0e36a35f855734e37e696896ebc79d5ee53db5fc663cddefb481e07c

SHA512
997db485d4b2c16e288cf92b65aa339e38b20c6ab280732c99aad628a808f2c47ce8508114bc51873a00d9b234ccd14e7df69c1d82131a0df2747c6d9b655c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsuF560.tmp

Filesize
309B

MD5
bd755855e914b7773cb04b57715d6f65

SHA1
6beb83c62b5f5e83c0977972be5a36008c477319

SHA256
267ec4e7a25a9e9d9bd9dea6c0ccb0c3b53c18cd6e122b1a0326018fdfcfd5b4

SHA512
8bd7ef623afa88a524d803528b0cb759e3d5f41b57e09a2e0d4480c82471df43853c9e9f0b6f0f9c50fed30ce4a77f6a06f7ef184b51166bf25544872e7872ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsvF794.tmp

Filesize
1KB

MD5
bc867d1c836a8c59223f2ef385e9e25f

SHA1
c5a081a710ee99d1b12244663d68fd634a928474

SHA256
534c3d5bddbc6ba3f074dd6f7b24049a845279dfee7ce29c9e5f6655bd19fe39

SHA512
3c367937718a810ed57df98b44f10c8e6d6888df87e876494f453476c6324e96a10c766da3f405bb4008e9d97e1174826bfc999ef483a23b5151ee226791874f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsxF03C.tmp

Filesize
728B

MD5
2191def8cca1f23014458a1c9f9d7552

SHA1
39f03aa9f39b4748060e06bdae56c8a9328eaa92

SHA256
a719fbf95f9fce2e1d888441a4c3cd97759d9606bd196faac80f4468f4ed620a

SHA512
51bdb414a8b12268b155683ddca86c1595058f185a9f7503477725a1f498609065c3af9fea793e32e658710973faa90b975ad11e3b69094a7f8e6cd7c1b0afba

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsyF1CB.tmp

Filesize
1KB

MD5
b031f924959269250068159a0a1a5e54

SHA1
3c573175b36b60bf008668e145a50d06a03b8a38

SHA256
13544d5e9da7262bda21e06b63b8081678d767118e39868083649d678f2f68b3

SHA512
507815dfa9143b33ec455918cdd702a589484a1f2dc61ecea5f8a63f83dfadc8ed189ce9bd3c463ec9bd52a891ce0f5df9ca4bf6472226d1bdac3ecdddb644f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsyF357.tmp

Filesize
1KB

MD5
4ca9a2b64a900004aaccf18744a2fce8

SHA1
2154f7496615a0f2ce25b30e774456e0af86e4b3

SHA256
13048c3d8713d901a4a15283a7dfca106be69429d357c06963e8c369c7bc960b

SHA512
71fd9a3dd9a271695f7a846b13a2eff0204bcb58ca0c7302bc6f540c30165375fa65e6f0c83370b639d3fbcd340b6d2ee2f602b3a685ee3c92e63e5333aa40dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\crpDA25.exe

Filesize
754KB

MD5
5ac98c84160a9400db448d153c959bb6

SHA1
829d808c091045f45c513a6e4ab17055a52a9320

SHA256
e4f1009192f163aacafc3ac23f3fbce358122040a5dbf99b86c9f4cac9809ecc

SHA512
36f4e7f4c0f2bd647d23714b08d322ff8383e52ede16f5719f09e710e133669586af0ae7c3af2ab98a066724b2f1dffc114437d7d8820e98614b86470ade2376

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshEE06.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshEE06.tmp\Processes.dll

Filesize
56KB

MD5
cc0bd4f5a79107633084471dbd4af796

SHA1
09dfcf182b1493161dec8044a5234c35ee24c43a

SHA256
3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c

SHA512
67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshEE06.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshEE06.tmp\Time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshEE06.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshEE06.tmp\chrmPref.dll

Filesize
208KB

MD5
241d60c30189b740c9086e34ff259e66

SHA1
7be0132de11c34018b6326d1de20fe9f20dea790

SHA256
8b3d8f239f11b53bc28f645546696441446e9a593be59cbf604fcc28a7e6d474

SHA512
ad342cea73ba3f7e7afc57828abc7320c0c5e39e20f5b06637c565a2b4579f05d81540e02b094776abbb17b021712a0f28e5f62637d8cea04b832e79252dd5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshEE06.tmp\mt.dll

Filesize
7KB

MD5
4fae8b7d6c73ca9e5fc4fe8d96c14583

SHA1
10865e388f36174297ec4ecdafd6265b331bfdcd

SHA256
069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f

SHA512
73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshEE06.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxEF9C.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\09dkiwft.Admin\user.js

Filesize
906B

MD5
32396d74d636e009c4bf049da93051fc

SHA1
d796b18b03038258bcb9d0a9b463d6161c6f2fe2

SHA256
775ba8a6d3069378faaf4323e047ff837c02b2bad60c6cc2955fc128afd9d96c

SHA512
81b2f222e32093c2b8a3f4f2c43211ee8e16e6cf8aaf99dde80567e75593fc0264d3e9cb04972fafd723adb5223eacbef1a6e2dc68c1b9aa2a53e3676ff6bbfc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\09dkiwft.Admin\user.js

Filesize
1KB

MD5
72da9c641ba7a0779336e5c90baee1a6

SHA1
1e2193b33e52e80886481418b339f973f1e5aa36

SHA256
ab4c39e015652236c9be24522888f5e753e0474bc5a9f1d245d3c99c04dafa4f

SHA512
62c68567ed1ba25b793edc360b813b178532a22236ec9f0c5a59802d8b313dcaeed3a580f77d9aa8c5656a0b4ba421576d4052e2e3cdfd81ca397cd783102364

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\09dkiwft.Admin\user.js

Filesize
1KB

MD5
06e4f73cd7fe4c1634f28513921039fc

SHA1
3fdd9772bacb2668114c14727bba84ebfe963418

SHA256
7306f124d98cc89a4a52484d833caebd3d6a97538528f4eb79931c656accc6e1

SHA512
7b1f5174ce07323ca6375fae7f38e2e6ec76ef1c090c122a4bc3f14d1c4ca5f300c9556a2b89cbf852c7b40bd49fb34238ded0f2b368418cc711c986119b62d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\09dkiwft.Admin\user.js

Filesize
846B

MD5
88d49182660e98f8ba7588bece96a721

SHA1
9f1bb31a2904931024e44a6214ba619244f461e9

SHA256
92f6d37f1e35a365752345883351376f819734efb2bab1c5507a92e59ce7d8cb

SHA512
bb06c9316e947c0cf85ab80a65d48842c1c603569aeee18c1f145d513c50912ecc5e6df54279855f8778cbb90748551cf72117de726b2628ee367984cce98f21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\09dkiwft.Admin\user.js

Filesize
1KB

MD5
6854f3266532cd47777e17a1086b8bd9

SHA1
4ff0a7eaf78f10d550c93f4770b03bfb06b9bc55

SHA256
5d63baa50733b07af1692e5977ea605c709df27d799e1fbf70ba32002870412d

SHA512
3f51b48cf20148237fc4b5d8185097f9aaaee66f7a7e9d7ad4a184521e733947db40863fbb5fc55db916b29b3fa6f8186db1ccddd1cb911b8367b3d5faee449f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\09dkiwft.Admin\user.js

Filesize
1KB

MD5
c07947bd473b669e870144db617fe77e

SHA1
1b9c4496f62817ab4871095f6d36ccfece0df847

SHA256
a1ff9739307c7488b3c41da2d47dd49b5dbf707f016ae2df4f789b46745f769d

SHA512
b4b99c34ccd0c99349b20a6427d969201ca91d96f846b1c932133b6f984d360ad7d498a70d95311b0a4632b106403044a50f2b92af37ce8e896ddf1912f54676

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mls0zwi.default-release\user.js

Filesize
537B

MD5
00608679c75ea874e60dda90654c70c3

SHA1
2910845973462c2f858ed8aa5626443509fd0e6a

SHA256
d787cc15e58f06f9703edfea96cfa0f46553bbd0d966cc87f2c63fc5ece8a775

SHA512
af11b9761e653bc5239438eddaec4751fa27ac2f9a80a79a7adf46edfb38de8bc32741589fe6d645a00b23071b21b8abfd71ab3370075c0b59439d61ad767cb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mls0zwi.default-release\user.js

Filesize
724B

MD5
b2f2fb94f166ecd23cf43f48c825f748

SHA1
e9a27763b40a577fd1e1504d161bb476f6a71ef5

SHA256
58a8f1ebae6092a60befe866d60b8f95e47c1dcb05deb2cfe13930214cd01ed2

SHA512
1590aee9584b6c623dfc01122c42b1ea64447e698bb5316a01066b25a6a79cdbeffdf0ee70a7ced5d1e5c122315d07d3efc5d5d35022d0896d36b0f9e74f69c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mls0zwi.default-release\user.js

Filesize
1018B

MD5
b8ce94b3a760c544008a11d2998d5833

SHA1
d90155d0d35d2bd0842ce7a25bc916cc8a16278e

SHA256
0c6b3b92b5211ae30c0ba1e2a12e1e89877fd9055495093748b2afc5bb5fc077

SHA512
bba942a2df642f78ffc8eac67b1365e9ecd0eea4161ecaae1c2803c54649d72fccc02bea9968abab7782ef08a6e1d53a6549fd1266ac9c35a9e435c600a7307e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mls0zwi.default-release\user.js

Filesize
1KB

MD5
fce3271a22aefdb81cac8ce483012201

SHA1
fe1ce99bbba9d2f422b3d42046fe7a9c57a6428f

SHA256
0296abf80ae0cf0a7ba5ec92100e450ae93f985c5189b44601a30319fcfbc0a9

SHA512
8dc25541e45a66ccbef0f4dd51ebab485823a5621dc6bb2d80aef1b70a73b21823c939316c75f245523ea0b3ab1279e26f4187973a75c18ce9e275ffa77f655c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mls0zwi.default-release\user.js

Filesize
1KB

MD5
9e12f56c5baafd37fe9946fcbba76a9c

SHA1
9c16af24457bb36799e8bbeb179b7a1e1f231743

SHA256
3dca6dec2713009d0297f35ed84c809cb24288d9d20ef590bfbea29b5c7c027a

SHA512
1236d5d575730afe9b5950c2ee63f3765869311d540b70fdd94ef234dfdaf6e5d72b8db76940d7df1e750f18075821b4ac8df9d841e17a5162216434745c5a69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mls0zwi.default-release\user.js

Filesize
1KB

MD5
4809e85d77e408ff1a3744ed8692c8de

SHA1
06b2528e978d8afbab2ffc65ba397d18d5e6c599

SHA256
0dc26f1af823998da5e672747e82ccce944e31830a89bb2b63227211156accdf

SHA512
4ce5cbeb8a35a73d91dab14ce7a70d8f900530e9e5421cf27f5757c1919b57c50728eefc8b4cbc7ddd471198c88aa4d89c4881070ce5cd4ce6044a87805e4d85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mls0zwi.default-release\user.js

Filesize
1KB

MD5
504fdedadf9e32198e1ee94ca5275a8e

SHA1
a78129d837df9bda145fa5a224cb7f946a8693e7

SHA256
d64caa9ca84abfbdff0a0079f061b0ceee3ce65e471e8b27cd9bdebe4da405b7

SHA512
7717a16dbc5155f1f32c2a1b47e35ea7e1c6a263e69e25c32de49926e9749e2f6f77b2115545e15c9bbde23c42dc498f9bc2eea4710926e3710c358de9ccd089

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mls0zwi.default-release\user.js

Filesize
1KB

MD5
7f29ea3c6c104ecd1eac83127fa9567d

SHA1
8afde57ab45be49a55afb5bfa653c47230c8e8b8

SHA256
59708025c73b87d16d6563e3d9870fddfc360aa52fc6af5638ddfc9a6e62c3f4

SHA512
baa11a471d12bf46602e8f719aa62a9c3c8af18f0cfac8818062cc7f09f370dabb305b9d09eab12a90b2d3a5b1ab27148fa084e8fcba8d61275d6e6fd45be175

Download Submit
memory/1840-161-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/1840-102-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/2204-987-0x0000000002080000-0x0000000002089000-memory.dmp

Filesize
36KB

Download
memory/2204-988-0x0000000002080000-0x0000000002089000-memory.dmp

Filesize
36KB

Download
memory/3504-4719-0x0000000002C70000-0x0000000002C82000-memory.dmp

Filesize
72KB

Download