b9b8c850493be6e607e8889371bcb565ac25fada7d27cca10230e50b253b3cd6

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe
Size

933KB
MD5

fc281301d3036bd01fc4ab1a48dc1730
SHA1

9e6b52a0b45ad7bd4d55a98c20b1e15d121a5650
SHA256

1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197
SHA512

fffb60febbca27c3a7a2a6f850bdcb2e6cdc5b170149970e1a9ef00c6f710eb42dc969c6fceda0e0b5e8ad1195a7c217df939cdb398fbfc68d325bc33c058256
SSDEEP

12288:RN1905Lqnnl2Zg0gnW0X7X4sonr1Wqb1bqUXo529tVHP9pwgUVDT33rzzNedKEYl:H8qnnvGRWI0Gnl3UVP3zYG

Score

7^/10

adware defense_evasion discovery spyware stealer trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral8/files/0x0008000000023d1a-953.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	MyBabylonTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 6 IoCs

pid	Process
1416	crpCFE4.exe
2584	Setup.exe
5096	MyBabylonTB.exe
3248	BabylonToolbar4ie.exe
3704	BabylonToolbar4ffx.exe
3928	BabylonToolbarsrv.exe

Loads dropped DLL 64 IoCs

pid	Process
3860	rundll32.exe
2584	Setup.exe
2756	rundll32.exe
2584	Setup.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
3248	BabylonToolbar4ie.exe
3248	BabylonToolbar4ie.exe
3248	BabylonToolbar4ie.exe
3704	BabylonToolbar4ffx.exe
3704	BabylonToolbar4ffx.exe
3704	BabylonToolbar4ffx.exe
3248	BabylonToolbar4ie.exe
3248	BabylonToolbar4ie.exe
3704	BabylonToolbar4ffx.exe
3248	BabylonToolbar4ie.exe
3704	BabylonToolbar4ffx.exe
3704	BabylonToolbar4ffx.exe
3248	BabylonToolbar4ie.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper"	BabylonToolbar4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\NoExplorer = "1"	BabylonToolbar4ie.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/files/0x0008000000023d1a-953.dat	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\uninstall.exe	BabylonToolbar4ie.exe
File created	C:\Program Files\Mozilla Firefox\extensions\[email protected]\defaults\preferences\babylon.js	Setup.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarEng.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\bh\BabylonToolbar.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarApp.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\escortShld.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarTlbr.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe	BabylonToolbar4ie.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbar4ie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbar4ffx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpCFE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MyBabylonTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbarsrv.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral8/files/0x0007000000023ca3-187.dat	nsis_installer_1
behavioral8/files/0x0007000000023ca3-187.dat	nsis_installer_2
behavioral8/files/0x0007000000023cb1-450.dat	nsis_installer_1
behavioral8/files/0x0007000000023cb1-450.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID=\|URI="	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=121441&babsrc=SP_ss&mntrId=1d8eccd3000000000000cafd856c81b1"	Setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\AppName = "BabylonToolbarsrv.exe"	BabylonToolbar4ie.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\AppPath = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=121441\|trkInfo=\|visitorID="	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC} = "Babylon Toolbar"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}	BabylonToolbar4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\Policy = "3"	BabylonToolbar4ie.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=121441&babsrc=HP_ss&mntrId=1d8eccd3000000000000cafd856c81b1"	Setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\trace = "0"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\TypeLib	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}\ProxyStubClsid32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\InprocServer32\ThreadingModel = "apartment"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\ = "IappCore"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\b\ = "escrtAx Object"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\ProgID	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\dpk = "c173a451af11150ef6ddbd145a4d5ff0"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc\CurVer\ = "esrv.BabylonESrvc.1"	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\Programmable	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}\ = "IEscortFctry"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ = "escrtSrvc Object"	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\b	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\ = "escrtAx Object"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ = "escorTlbr"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ProxyStubClsid32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\newTab = "false"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\ = "CescrtHlpr Object"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\AppID = "{35C1605E-438B-4D64-AAB1-8885F097A9B1}"	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\Data	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ProxyStubClsid32	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\TypeLib	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1\ = "appCore Object"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ProgID	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ = "Ixtrnlmain"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\TypeLib	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\Programmable	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\VersionIndependentProgID\ = "bbylnApp.appCore"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\TypeLib\Version = "1.0"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\ = "IappCore"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\ProxyStubClsid32	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\Programmable	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ProxyStubClsid32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10"	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CLSID\ = "{2EECD738-5844-4a99-B4B6-146BF802613B}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\CurVer	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\ = "IEvntCntr"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ = "IescrtSrvc"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\dsFFX = "Search the web (Babylon)"	BabylonToolbar4ie.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2852	msedge.exe
2852	msedge.exe
1996	msedge.exe
1996	msedge.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
4516	identity_helper.exe
4516	identity_helper.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
5096	MyBabylonTB.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
2584	Setup.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2584	Setup.exe
Token: SeTakeOwnershipPrivilege	2584	Setup.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2600	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1416	2600	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe	83
PID 2600 wrote to memory of 1416	2600	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe	83
PID 2600 wrote to memory of 1416	2600	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe	83
PID 1416 wrote to memory of 2584	1416	crpCFE4.exe	84
PID 1416 wrote to memory of 2584	1416	crpCFE4.exe	84
PID 1416 wrote to memory of 2584	1416	crpCFE4.exe	84
PID 2600 wrote to memory of 1996	2600	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe	91
PID 2600 wrote to memory of 1996	2600	1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe	91
PID 1996 wrote to memory of 4036	1996	msedge.exe	92
PID 1996 wrote to memory of 4036	1996	msedge.exe	92
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 4728	1996	msedge.exe	93
PID 1996 wrote to memory of 2852	1996	msedge.exe	94
PID 1996 wrote to memory of 2852	1996	msedge.exe	94
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95
PID 1996 wrote to memory of 576	1996	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe
"C:\Users\Admin\AppData\Local\Temp\1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\crpCFE4.exe
  /aflt=babsst /babTrack="affID=121441" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121441" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\3A7335~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:3860
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\3A7335~1\IEHelper.dll,RunAccelerator
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\MyBabylonTB.exe
      C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\MyBabylonTB.exe /lng=en /babTrack="affID=121441" /instlRef=sst /aflt=babsst /srcExt=ss
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5096
    - - C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe" /lng=en /babTrack="affID=121441" /instlRef=sst /aflt=babsst /srcExt=ss
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:3248
      - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe
        
        "C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe" /RegServer
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
    - - C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe
        
        C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe /lng=en /babTrack="affID=121441" /instlRef=sst /aflt=babsst /srcExt=ss
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3704
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\3A7335~1\IEHelper.dll,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
      4⤵
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pdfbooksr.com/Fred%20Astaire%20A%20Bio-Bibliography%20(Bio-Bibliographies%20in%20the%20Perf.zip
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1bd246f8,0x7ffe1bd24708,0x7ffe1bd24718
    3⤵
    PID:4036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:4728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    3⤵
    PID:576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:5092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:2592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
    3⤵
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    3⤵
    PID:1624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
    3⤵
    PID:3704
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
    3⤵
    PID:3400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
    3⤵
    PID:3132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
    3⤵
    PID:828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
    3⤵
    PID:1028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,10936054487767838001,13650419392464528972,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3084 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarApp.dll

Filesize
307KB

MD5
a3d75a31cf0dbe0f3a6d70ac3b06775f

SHA1
9810662290f2fe96bf0883ccc9e210fa7318d486

SHA256
49a42460f5ba5706919d8cd31c2fd77a698473830459375ecb007527d0ab5d09

SHA512
88aca7198e3e2c7e2fc5f0245d0b23c548cfcb4d143b46f1ab8c7ce3cc50f96670a67dafd4affc1a3b727f8be880383e7880c98d9ac3b475b3a15991e5a4ad8b

Download Submit
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarEng.dll

Filesize
566KB

MD5
3aa58b7922fe6ea9a1d596d271cb9060

SHA1
9326a20660e8039e9ad8bb4c384f2b00007201e2

SHA256
8bb023161e8163eba6ebfd1e76567ee5674d67c32c0fbf233e36791777476bff

SHA512
c3ac17d6425890b1c52949ace7848109b09a52139d4059b7d777992c22a7b1b8ca18f42d79e5b8a973e57a20652d4ab73a2e456b05843de5d37eea4c97b7394d

Download Submit
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarTlbr.dll

Filesize
312KB

MD5
da4797ec88cc756c55e04c1f335c01bf

SHA1
488dd0ca62ea5b0f3294c9c09e0e5b0123e2baa7

SHA256
04941cbdd74aaaac3ce9ae4a001eaaeccde37a1acd8bd026af0d68d2405a3b31

SHA512
5263d87563025034f98a25076048fb75de1c198ac4b32cb584e65e411cc79a58d6d6eeeaf3745cb05e8cce374809609a8c9f9bc14880358581dcacf3e6190fc6

Download Submit
C:\Users\Admin\AppData\Local\Babylon\Setup\Setup-tbdef.zpb

Filesize
1.4MB

MD5
85499627e8e83a35ba23cb860067b468

SHA1
758d2902f93e28b92c1f422b3d5e16d03835c3cb

SHA256
8b1b99fd1eb29d888fef74a3733d60e3c0b5af2405beea8fe2223fffae79f4d0

SHA512
bd2b00be1b78a37b6b8d6462c358045ddba18d46021c820dbc73c5f62309b0c08d5144d3a65666384a9ba646d6e942791b949b220969a27d307352db08dbc052

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\Preferences

Filesize
8KB

MD5
aca6d3d5648b96ac38d026304484bb23

SHA1
bf9059d093357539e1493ace7d3eef724ad4a48e

SHA256
89ff9f554941c14843bbdfc718b996b868fe6042eff480e1ccc2e736aadc2347

SHA512
26e032981daccf15b82136ebb0651b29e0abcd46c2a578c001e113780efacdaa91b6d18d8a13f1410ed89db41d8a5154721cd82e66a915e71d4b1fc9fd5d70b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4e3b3d7533298d9075a3e33842d76500

SHA1
17420f42fa9462b12323ed720e7101ce6db0f0eb

SHA256
dc8f4bc5d6d8a33c4560f135e41df86d0b8664fca910b68dd3f5a941da11ac5c

SHA512
39576cde2ba98933046d4d06bd472b1ea6ca1741a3dedccf602c9ea7036c56ebdcc344f10fee55b80c2313f1f268813c08d3ac916be4c3b2b32b47562b3871e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e941c6cf2d3b2e0d92c695386571c460

SHA1
f8f06c0f5dbe9415100dd1d728b72cb360cac6d1

SHA256
f27378b27ff37dc451683a4dcd3ab661eccbe4d382affa4c73bf087942ffae84

SHA512
14bf86eb23899c877bd5a4fa4f39ef2fab864d5f76aa9d76d6d6b8fba50e304f277130e2978e5cc5165d6294a2979a538b4060a87b0e7ab1c3efd5291a74e5dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4e436e2700be7fbfcddd355c90c6bd4

SHA1
3a0053f12e0fe603578c82a609929f51210d77d2

SHA256
1787c40c33a6dd2ab0857f2a7f5a2332c7d7ed318031e826477895d5a5fdba89

SHA512
d328300c70f25c08b1d3576385e36a764961c00ce897c725819c0c4c5380fdff27e14485f94fe7eea79952bf03efa7df16baa4006af13e5a0c5d55b0bd16c4f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9fc35be934dc547a126ddacace9b0ba2

SHA1
516f3c61da2fed74b14b844b37a3a3831555522f

SHA256
2a09d33b0e431b9de585a9754e26a07d3923824db638ee93d7b1c03ca2aa99ec

SHA512
fd4a13639e41b1c16f385b7ac67ec17caec64be342a5391cf8eed8ec57a72f0be383ef200d7afab3a9e3cae4d0cba4acff26cb79ff1ae04cc82d30f9e23bcfe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0dde1d8ff37a082ccf17e8b3e0de34cf

SHA1
c13331a5c4800d2642d9453da6af071519bf9c17

SHA256
284d087f2591d5bfa9c5706388f246a68059b6d209292bac419bb8369aaf0346

SHA512
ccd3e62b8d619500f1279aa3af319bbf4b082b5105e9b646611e5cb73a97b3c1a3c20e2eced32bdcdaf64df6de06369a2b3305c978b250d9515c0d63842570ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\BUSolForMontiera.dll

Filesize
105KB

MD5
64bea1da4d76085d0a47ed21450401cf

SHA1
296d8b511c0f7b8b7d0791c522db553f9461ba35

SHA256
80924cda632e20e1ead804b67fe64ce87c2b6dacbe73b9a2ee1904d402b2ea9d

SHA512
f4644bcd3dff71648209caa2d7489b0cc87050271cbddf875439cb4eba3e3fa400acc29703cff231f6a1c6f2097697f2f4387ca265682d8e4185a1242dfeb2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\BUSolForMontiera.inf

Filesize
199B

MD5
bc3e8cc74871863fc921511e2e6cc88a

SHA1
653cab5ba2107004f9525849ff5625d64b83e4c3

SHA256
c9e2a3953cc5ea87716f2a9a16078adb2f9c60318c6f1cfc877885126cc0dd17

SHA512
85f4130758ea38e4ae823e6fbae7448fa780bd295bd177afb4395ddd118c019d1533238e963e5277be453a1cd7681667c4ab06b10004ab8ed890d6e0b9e0529d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\Babylon.dat

Filesize
12KB

MD5
825e5733974586a0a1229a53361ed13e

SHA1
9ec5b8944c6727fda6fdc3c18856884554cf6b31

SHA256
0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96

SHA512
ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\IEHelper.dll

Filesize
6KB

MD5
9cb62aa0c5c554f2557d29d1601c8347

SHA1
f2fb5115b7d03e90f6e9d4b1f6e882385aa00f5f

SHA256
a65ba80d23494077575f505c20c9f9516aa21b9bded2b7032b6d5e7bc1737fa5

SHA512
0a325a02c323d52c9f374bc22e5182f5f49f485a689b6ca561196222ff18127f84ea7a48ac438277b9dcd1237c983f03eab54606eacbb1f79aadb0a0f84f0cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\MyBabylonTB.exe

Filesize
1.6MB

MD5
7c82cc9aca3eb71e463ff607cd607e3b

SHA1
5ffcc47376a89ec39fba8516694fb37c3b7d2bda

SHA256
9c1b8b8b3372737fe355bb6f4f96fc9b04bcdda5f3bfbe9617d22cbc35a400ea

SHA512
7ef9e92153607646f9eb9dec4fd087e9523df523d4f06eff994698d79ddc4e8e1f681fde13e1eb888e5a85457db558b10ffaf190c17bdc98688a59a90efc4670

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\Setup.exe

Filesize
1.8MB

MD5
74af846f2ad4aec60779623fc8bbcd83

SHA1
9f2fbfe260c9111f88e8edc6dfc068d08c1491c5

SHA256
f795ffc4c850a6a214aac740258c6560a72a5a5c1759bb9cd231df2e1a271edf

SHA512
157e612a02e0a6ca87f5d8b572950cc85c8980641bc1f973b20836c1e91d0df0a132a58191a99efdba0b5c4923bc412083b833a12a1ef3554ade745c07a2605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\SetupStrings.dat

Filesize
89KB

MD5
407846797c5ba247abeb5fa7c0c0ba05

SHA1
44386455eed8e74d75e95e9e81e96a19f0b27884

SHA256
0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3

SHA512
7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\TBConfig.inf

Filesize
23B

MD5
e6d6dbe1e36a9ccc040369ab905e0d4a

SHA1
f7b40129e12f9f8ec3dae49d281ea1b8171642c5

SHA256
24d0d8de57d4bb9d88c6079d19b0efb51c18c8006ddb805fcc6cb7c302f94a12

SHA512
caa6c8ba543b92a49e41b736d560a3dd62651885f3c0c30ebb309e57bc77ec0dd1ccc20ebc6d4ff04d17083f112f3b6427356ff585ed40de6d08b51e6771dbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\bab033.tbinst.dat

Filesize
205B

MD5
90713ab7a74884cd36a5fb4cfcdece8a

SHA1
7bb56d08fd69a98e543b923bd0a9156f92a9c473

SHA256
bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb

SHA512
639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\bab307.sp_pop0.dat

Filesize
178B

MD5
0b7be9c4b72c2c5166bfd61ca5ebbfed

SHA1
aea0aa4e8226c1b4efce92e909da773744baa6d4

SHA256
673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd

SHA512
4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\bab327.ff_2.dat

Filesize
179B

MD5
acc576624b76c140ce6e78885d279efe

SHA1
f5816e66ab9da86bdff210f96399078c36a4af54

SHA256
78dc1600b62ca4aac2ce5c94f7b1973800349ac56804aba4b17c410e0fff4c17

SHA512
449cdfa0a93191ae9d109c689f09ed444ccf53a4b087a9e5005527561c1598233d05396d1b118db6fe6d6dc45c6dc9909238200f8fa8d4a4dbf903deca19201b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\nsdE493.tmp

Filesize
364B

MD5
c9050d020c0b459f0eb6ab1b89c6cad4

SHA1
7a1b72e7c784006bed198bc5cd23fe1b21732bdf

SHA256
1af1bb393e689dcbe7e99f135cd41ea441dc7aa0adbf0b1492d31d6f27767e9f

SHA512
5bd05d78e4637b10663797ef8e7c400c85274d4e1aa991438638d2cb2de580cb26632d73e29370d67376f64c2eec225ef9bece082634912b76869559c6433409

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\nsiE4B4.tmp

Filesize
114B

MD5
4221b6382c6cb300ac6aea49eea6b066

SHA1
ed59d159efa4a96efb988ce7478347cf15b60253

SHA256
b760a077039e396d2f49d83eb7b2fc6422c97e10d737640cc00f894c3181a7f8

SHA512
f52d36a7cb705ea0bbfb516bd36dfd614d5e68c73995a958dc15fe405507b7921bae6d8ca84e2cc80cc743aad308b5cb7e84cda216a7468f908085d681e226eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\nssE4A3.tmp

Filesize
59B

MD5
f6abf26891434f5c1da533557c20b125

SHA1
183844392b249b47a9d141dfa411e929607fa3ab

SHA256
18f3c4fb52e43871fcc2b2263c8c15ac2f0b0bee6a82c16076a56c2646eee8bd

SHA512
2014574467a054d8163d264a9cb0f8ed85b0ec9957995295eed5abad4ab3fd47c1d4a7632b03f5d531797c7f3b539c0b64cedd1d4a76c88fa09966787b0a307e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7335B1-BAB0-7891-BEA3-D25F5C6F8178\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe

Filesize
1.2MB

MD5
5b34d794ec99c2b883d7c1affae96055

SHA1
54b894d8f473b3beb1037af57d4490fbbf623a66

SHA256
d8c7c0fdc6f24d58850b0838f27521d501e67d5c2eb712d9643c17a8e24112b6

SHA512
21eab533dddd3ae02d34ed695ae231202636407b50cf16df741bcdf617780ff51ff95d532b98dfb2d1430fd8c6a54b59265d873951bd960b0af2c68b1a1c9f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsaEBE2.tmp

Filesize
849B

MD5
3e393f87274d934ab1d46c0dab402ce2

SHA1
03712d827d3aca84ef3206bc38df9f80f4eed2eb

SHA256
4054b8e6918bf3407ac7049e91c38c4648f72359bd0a3181fc6dd38e631bc1bf

SHA512
1ed88d59e0986ccb852046945152863a559161e1e658687395a019c52f880fe61e623b256f77da181392586397dfb4fb4aa1d539ae4ca4242a31f08faf437e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsbEC83.tmp

Filesize
1KB

MD5
2eb6134032e8817d7b85529f33bdc790

SHA1
24ecc92be0c5319a4e2eb7a66695c6d16322defc

SHA256
9438dab0c54d86e9930485c47bc0cdfe56890da6883a27934cc7baae97c93022

SHA512
6ea7afacf759a9bc71f057ff5899d4af73981410dc8088f1d29dd08eabfc321fbd25ef7d1e4fd76a327ceab071455814264f2f17a490de051399e3f28bd42a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsbED24.tmp

Filesize
1KB

MD5
f132770e28bd4a5501f46ebf7d92e47c

SHA1
12a8baf330e46c39d3ef8029d870e63a96d99208

SHA256
e1cd392b80a9811a63094fe6baad665c5059e29d79106a5805848c660fcfc9c8

SHA512
e7b87383b69438e00ea863bf3ebfd7792f74901a3ae7aa72bc7d0c10ffe1ff6842437d967556f79b164fc1c77248967937f34cd1751280b49c574f2c15742c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nseE70B.tmp

Filesize
1KB

MD5
7c829dbab4eab4896fd919c4b01681dc

SHA1
90e07bd69707619b8bb6b1c0ec61317972ab2c3b

SHA256
7230adbb29e7a9ec7602645a552665ffb6f5fda22cf8f2112813e97e287d3714

SHA512
a1e9fc95cd50cb9835b29475666cd4d0801652dae80b3cd1eacda1f3b09ae9a51850089a1495edb62d29729e5ba8b77b573d15e519bc47ec0d435b0182571103

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nseE75B.tmp

Filesize
1KB

MD5
2f8e0413f01491bfe2106934e131ff36

SHA1
f12b659006aec7029b1238efdff7896b560a73c6

SHA256
495c293786e394704435e8319c8176fef7c7350c9f5ff595f51b58c594ba7c13

SHA512
1fb5a1748599a7a4415cde044ccb2d81ea2ac43b7885a34b39247bf7b98772557ba6e7f627df4f788c81ec01d4cb21efddc022de2ee39f49aa8ded12d2cf32fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsfEB5E.tmp

Filesize
389B

MD5
ab7b694920d1be252b5fbb3e965e0dad

SHA1
cebfdda786fdb297c73bd472116496cbb3cfeae3

SHA256
d4e6c8f70f9d1761d8df61c720e69aa7ad0424e030637c95f2a5d2ea73b9721f

SHA512
70d9a373ce98180c5fe02637df292c86afc04b06e8e2f17e66b769763391238a555dd7d1f069c99ee5d8a8e50e5520148d9373544f29ec5e3ec9ab391ed314c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsgEC53.tmp

Filesize
1018B

MD5
a472f941ad7e977c54f2a3111cbb3572

SHA1
5c27e67a1e48faf48070bc88e3852f1c19c2c0b9

SHA256
fac7843237ca44fb8b407dc4a351ca009505e5b42425ec1f635a3c496f7d0754

SHA512
7923361f2839904b8460bf6051754921b58ce61b8669d637ea7b7fbb14c50e918d271324e68322a4bfdf17e142a19f8a01a06f312d506852fa836d0272e58add

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsiE59A.tmp

Filesize
419B

MD5
e36113def65e7fcbdd2459e926b9a828

SHA1
d61134f5732a66e25626265a7eb90ae3174c8a24

SHA256
cbc88630294bae69c2de0d376d24c1f9af627f9a748b35569db9fcee4e653100

SHA512
0e337c33bccc42f636059c197806a895b38603537e85a3caf651ba1ff24b1755f9840516aa64f4dcd1a96453824a7ef114eea7690daa592c2d7a415a502880f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nslEB81.tmp

Filesize
596B

MD5
5e098a64fe29d8e17c6a4d90b8aff9e2

SHA1
08469a16d33acc3bfc7e31ddeaed92db4004b54c

SHA256
83d02912cb089d8d4bd1fad6d492e090809eda87bcc27e4d472120f99ceea0b8

SHA512
cf7fa1e02987ef5e7e872d7e6efc53dee96dc4443b001b2ecf6de2de04eef8c7f3ddbf35dd5bd88d9c0d30e76431c001ffe6e714c6b8f818ee64602541ceb996

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsoE5BC.tmp

Filesize
639B

MD5
415ee6036c833a1f34ae1030f0f4caf8

SHA1
abb6a96c8a9a94e955c4a758f5f236cfa26eb51d

SHA256
b9747a793abe735c2234dc831a1f5834196c79903641bd6de74f969db9a79fec

SHA512
2b132bca3e28290ab17e77aa81f24a93af7a2cdcfc0e928f1846d9e71922807bd88f083a813454f5d03f82204ef1052c836b247fb254fb44e7ab68d2fb54977e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsoE7E9.tmp

Filesize
1KB

MD5
c48965c16dfa4566d7d537ee1212ffcd

SHA1
1989bce32feeffc586ff02432253180ef58bc6dc

SHA256
b35e910a4883b80cf1e3cfd45e28ade3de459b00d5804dcf96386cbf0b5a4dea

SHA512
4696c353a737c2e77e387153a16ee4f298d966271a56b86459cbe917b19695719f92d90a5ca44855eaac5ec68e7f016284fad0beb5d755c77344b5c729cde35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nspEA61.tmp

Filesize
1KB

MD5
28a5bda5a7825acbf3d23dedada6a1b3

SHA1
69b7522cbe3501129585c280cadd6c3bf21f8227

SHA256
70f87d557fdabc12d702d80131db51bca825a847fad131241ebbaa2033ee7f45

SHA512
33c76e8aa643734221205a809e5939731319f77151917039b5ad55bde2380d8aea4d774043024d9776019363c8da1ef698facf5eacd6c043b61161c71eee1d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsqEC42.tmp

Filesize
962B

MD5
7b70545d17046421392c0f29ebcceb99

SHA1
7a3e42891a77e6f8413671b9dd0be269fdc1ded8

SHA256
7bf6a43e330eb3b92574fe5a9d53630157957a8a10ba2628e3a54c52df4829cd

SHA512
7367a0d6cc328a001f424166b15a36e01650e6cff1e8b0012857f0da4fcf047effb7f9a6c07dd9b7f1f79f92e25e89d78b9f8caad76c068f117edec6a5e1b5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nstE5DC.tmp

Filesize
728B

MD5
1bcdac12776fda9586d01e586215b0fe

SHA1
6b2494b69fdc553dbf840b3f0bed6d68c378db27

SHA256
e10eabaf6ed9d6cf12f89374c43ba662b813f2ab195b955dac01739082ac2a09

SHA512
ffb95963afa483dfffc15cf69537d60549873a0124a7d3196877d3bb710c27b89e8230de24cd98d9c4c579d0bdc72897dabc68a1394dad279d61a716bd82e886

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nstE67C.tmp

Filesize
974B

MD5
564c52e30b0a168e2ed8e8a7f47bc174

SHA1
191153f7abfd7a29bf51720b22090fefbbe89f90

SHA256
310fe9747b565d9a91e19072e3c6016a1a2f9b1fe1e5b82812b5ac6cba1f6b3f

SHA512
ca84ff70ac6c16e66a648ce763b2c3b6817a39e5385b54857f5cb0aeab1ed811c24cee4c39c5afadfaf5a97f4d8b7be152d027299ce058bec1dc6304da8ed28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsuE945.tmp

Filesize
1KB

MD5
437657a2433f4564133696f229cdf0c9

SHA1
afe0b813e225a564ea603ae3df909a15f236b76f

SHA256
2d48fa43c2e3e682263864b2f30f190611d5243c33b0914b812469b596a5730b

SHA512
090a3a121c281b9882a13f15583d7e19acd2996c30ee5686cfede2459b0c27430698e6740a98f62de41c9a8be3c2d4b40fdaffb81777903f8bd17f387eb0aa1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsvEB6F.tmp

Filesize
478B

MD5
143a80c2b7408bdd90273b080d524ee5

SHA1
80485bb57458c1851677441fd6d3b329621d9928

SHA256
3302535f74b9a8bf42804b68595afc96cff8ca49e54c66b6380f519514658e4a

SHA512
132c0d3a16e3f7d735334f369f0e8858072993749b0bd36d2542652f5750ef3b2e9e22c7c984d69991875be4c6b5bfccaeced2074c72fa5eebee9876da9c214b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsvEB70.tmp

Filesize
537B

MD5
085ca7cacdafac1f65724948482f4aba

SHA1
552d5d8d658f3bedc7269ade0f3e7d741b22d472

SHA256
ee533019e5506dd0cb99fcf03531c1485897c4dd44736b30d71c6b01b229b2eb

SHA512
3d101b4fabb80350c18a49e4bf8ef56614401d7c9f82e7825fe13981866bcf9cdceb002b4be196461472c76a9d929252b39117a89b79635d62ccb3904056a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsyE5FC.tmp

Filesize
787B

MD5
eca433aaa0ecc068e0c11f0716f9eae3

SHA1
92c892d7505bd144d22f287e483c7e60acd86ed2

SHA256
bfcd39ab131f604b038401b76ee3a4e90d4f9ff6bab06822a72a0963d768b970

SHA512
37e062cde3f21b13e7e18d70952424c6a3f8dd94b452b70f57010eb2731432c409ce2a9ff0c3224e6484486885aa2ca0d384174cb0341714eae2ab76e1f69f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsyE5FD.tmp

Filesize
846B

MD5
eca9a157b5aa4e7179dcaa7436ba9213

SHA1
02e9919cc71b713ed008acba815edba9cf527bc5

SHA256
4ff60feb9a4edca28ae11dd614f8218d42ca69a786d9ba4405afb4232b8802bc

SHA512
a729aac62f989662772d427d74fb5c2e924c2e31253a5e8fbb7e6c8551fa354d44f45e52279a00342392025d6af8469d031a9b2f2c7b3864014dad7cc358be27

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nszE73B.tmp

Filesize
1KB

MD5
021ce34fb508578950ad363e0565ca8a

SHA1
e701fc3db4ce731c7aff01653b7c816ebfacf695

SHA256
d28dc8bd09f484a5d2f4c10646d29dd642a99cb063bdbf9e81ec3009f600f5e8

SHA512
ede1f7e4aa45f790f8ad356ee0f0a81a201e81f7d88851ac210d11ea65577ecf8a6bfa4eae96593f43f1bd6597e8b258f69fae821f09e251aaf4aaf42998a972

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nszE78B.tmp

Filesize
1KB

MD5
e07ef3424dc951515befbe6e796f5063

SHA1
0100ed0bdc8e9482f868f694a2986e0e681f63f6

SHA256
8cd888dcd41ee75666aa8a9b96a00f3a99edc693a377fa9f6de27eb954bf9c3b

SHA512
154e09f2dd42c584656832d4d984f0763b46df47a4119efe0a25f38cc6a80a6f7e8e7ed0d1079ef50c7fa24cb36d9dde4c70d9b491fbe70626fd2e4f86815086

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nszE829.tmp

Filesize
1KB

MD5
3b735adeb837bd5c4a42a622940bda1f

SHA1
a4f5575ca88949cca0fabdc12cd98b335501e0d0

SHA256
fa3e7953ff6f26fa3475e388d81ce6b42f93a6691b32e4ccc9694b8ce9479bfe

SHA512
ac0bb9fc46af938ea7d3a6123598f78b1577de4061f387d2fe1f021ab548736a8aa2e0d901f67af30f4a75aee01dad3b59c258be8199c8ae23baf113fdf8a075

Download Submit
C:\Users\Admin\AppData\Local\Temp\crpCFE4.exe

Filesize
754KB

MD5
5ac98c84160a9400db448d153c959bb6

SHA1
829d808c091045f45c513a6e4ab17055a52a9320

SHA256
e4f1009192f163aacafc3ac23f3fbce358122040a5dbf99b86c9f4cac9809ecc

SHA512
36f4e7f4c0f2bd647d23714b08d322ff8383e52ede16f5719f09e710e133669586af0ae7c3af2ab98a066724b2f1dffc114437d7d8820e98614b86470ade2376

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE3C5.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE3C5.tmp\Processes.dll

Filesize
56KB

MD5
cc0bd4f5a79107633084471dbd4af796

SHA1
09dfcf182b1493161dec8044a5234c35ee24c43a

SHA256
3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c

SHA512
67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE3C5.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE3C5.tmp\Time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE3C5.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE3C5.tmp\chrmPref.dll

Filesize
208KB

MD5
241d60c30189b740c9086e34ff259e66

SHA1
7be0132de11c34018b6326d1de20fe9f20dea790

SHA256
8b3d8f239f11b53bc28f645546696441446e9a593be59cbf604fcc28a7e6d474

SHA512
ad342cea73ba3f7e7afc57828abc7320c0c5e39e20f5b06637c565a2b4579f05d81540e02b094776abbb17b021712a0f28e5f62637d8cea04b832e79252dd5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE3C5.tmp\mt.dll

Filesize
7KB

MD5
4fae8b7d6c73ca9e5fc4fe8d96c14583

SHA1
10865e388f36174297ec4ecdafd6265b331bfdcd

SHA256
069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f

SHA512
73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE3C5.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE53C.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js

Filesize
906B

MD5
ef1023b3fb7e67415477e8b4464659e6

SHA1
053e0337563ce3a8f3a732278d0ae752f8c9e4af

SHA256
e744df1245ccb3e0aeb0a10c30db2012da2ca3b546f14ac1038ddb947c6cae00

SHA512
cbc4829d7938c1db055c03caf49f0ef7a3636463a3fc3e58d8ac3e0c058f82cf6f4fb570dbf269794f92247e05424f65c50f3ad2bd16e088885d52d23c0a6546

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js

Filesize
1KB

MD5
2e4b732f59918d09d271f63c519b0c82

SHA1
397eaf04f8a7afa0388252c3dc95d5c1117261ee

SHA256
dcec1c257a4e326d0d705a72aa92755ef17f4cd36b97e18de88564f730f5ba0d

SHA512
a07e96213e4041c639b8b119f4851b1763f78495e409bee40fac19e3cf903bddbdd07abb737102326c43d1b8e39b3e265d827037206c0d7c98f539d3bb73b834

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js

Filesize
1KB

MD5
ade2ce93161105cd395f37d8de502311

SHA1
d173ef06f53b1d383a3460c37b9111c195dd5c12

SHA256
1ddd6b7c8498f52d93c3f5e6e9933e96c2421e9e2d0e66bdc53efa8f8829f95d

SHA512
be9888412e6779947b4dd2dd7dcc55d302b7cdea05a95cab8bcc46bfc2f1d3278d29fdf700e2d5e21652eec32220c1a85ac070c9d00b6514117b4e02d7f8978c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js

Filesize
1KB

MD5
a2456be18aabd3112577a106741d3cbb

SHA1
3ad2fcd948833299df751240c7bd7b3097d2b220

SHA256
1a8314b1c020135a94470a0f7891452974d58beda370749803f139454806bb93

SHA512
df621870576a69e876ff7bfa77b3c59fdbbf75d993f9855528d53a20e4d3d6070e563ad18f24fc6ab2c4887a84c0953bdd2d29d854b10ad3255051b614726e29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js

Filesize
1KB

MD5
50bd3267f540f3dedd2215352bb8911a

SHA1
0a99cb95c5c3b356b6b7f2f9bbea1e2fc5b304f8

SHA256
17841616cf41e5d2043491f631b7e964b74d747e783845a265d0e61a3fddb72a

SHA512
ba83666e629457a3688534faa70e1f3734ee34258710b12daa3067ddc2e5145b6cea505a535427d160a601ff6f3797feff2b1aa50ac93860973f9ca2eb3c8dc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js

Filesize
1KB

MD5
d5315271b0700e05249ee621d2bed037

SHA1
bd7a6a9808a1d2007ae0ec9de97f8e1081ef25d2

SHA256
85a0118c9b34e829816d9193ee043f07c73f97ce50515818467b8b8370301b0b

SHA512
de95ee8809236f75deeac6abe523e4a5b6a284a43716288ae53557bece6a0fc6b7b9396a1a58a191874177342843b33a3cd360949c10ff1ab8ae4473148bf86a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js

Filesize
656B

MD5
48ba97d29cf01f86983a0f09bbacd376

SHA1
ee61c65b13d71a8149c11a0bbd56a12bdbf7b7e1

SHA256
0d2bb446d14ee1941e94ff5a40e2e3aae11c0c07a2b7e0c9c0717ccbf451fb1f

SHA512
367559698d61ce150b941473672e84af21737196884c0dc1ceb16ba08e3c5bb5e4b886768627d3c868c7e9143a4d67e97904562e72bb9e59cf62489286f36bce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js

Filesize
784B

MD5
4c8a66ececd36d9074edea591dae1bf7

SHA1
fff7ad4a27e4d6a603b0e931a4dbcf9427beffd9

SHA256
ff870afd9c23b26ca3d4b8eb91ad8c28f23eeb3bf9c3b09cf9ccd151899522ce

SHA512
74dca14d73860b24eaad8e7426cb95dad7229bb4347dbd27e0b4bf7c0d4b3476255a0da09693296c8dd06bd10cb6e99157b38b23171a9b63ebff78c219ca7615

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js

Filesize
1KB

MD5
389c5c0fa95516ac1fc666cb61704a79

SHA1
7e69b49e54258f336cedb5498eb134d66948ab08

SHA256
642ccad1e54042e28777eaf43a1c5bbabff2d81ade8d0c7469768f7703e4b80e

SHA512
0e55a7d8953367ea2cfe54f9be7675148540fabe4c49c6e0babb0ccf830a4ffe9f9c53b944d99f2930735a5bab15c4c3bf7281a5761c7835b8875522754d4a43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js

Filesize
1KB

MD5
da401990c3200029081cf0da4848ea78

SHA1
17db3b789e78087cf552f1e61495e1c4c6d60b24

SHA256
414dd5b1b0292e6fd7e51d293d4d682e5f29bacf0032094233ed1866af802f8c

SHA512
ffab172453db8d68d1e4c715eb859f7cbba3c23d7c8cb696229ab0b93d1ef131501f91ecdb2b905f0cb8b984d14959df98b046342d85fe633bec7f0cc83975ba

Download Submit
memory/2584-103-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/2584-162-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/3248-960-0x00000000022B0000-0x00000000022B9000-memory.dmp

Filesize
36KB

Download
memory/3248-959-0x00000000022B0000-0x00000000022B9000-memory.dmp

Filesize
36KB

Download
memory/5096-4716-0x0000000003630000-0x0000000003642000-memory.dmp

Filesize
72KB

Download