7c1652e0ad9e10c6a6e17a52da82c1438c5a59df243f9bf11bf0beebde276e31

Analysis

max time kernel
146s
max time network
98s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_98e14428601655a3fb48ef0ccb6af10e.exe
Size

1.3MB
MD5

98e14428601655a3fb48ef0ccb6af10e
SHA1

feecd3292aca1e154e0520eda4998930b2df47ad
SHA256

7c1652e0ad9e10c6a6e17a52da82c1438c5a59df243f9bf11bf0beebde276e31
SHA512

d463051ac002288cc80585bfcd321397ff6cbd51e64206604bc60418490f7252caff265fa566aaf254236df3d240205705138a3221148da7c916cf2198d5aaa2
SSDEEP

24576:zgFvyVFyuvGRWI0Gnl3UVP3zY8HEwpzxz0DLacT06K:zQqVFyKa3eP3zVHEwpdz0DucT5K

Score

7^/10

adware defense_evasion discovery spyware stealer trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000400000001cb93-1513.dat	acprotect

Executes dropped EXE 6 IoCs

pid	Process
2484	crp191D.exe
2896	Setup.exe
2356	MyBabylonTB.exe
568	BabylonToolbar4ie.exe
3052	BabylonToolbar4ffx.exe
1688	BabylonToolbarsrv.exe

Loads dropped DLL 64 IoCs

pid	Process
2220	JaffaCakes118_98e14428601655a3fb48ef0ccb6af10e.exe
2484	crp191D.exe
2712	rundll32.exe
2712	rundll32.exe
2712	rundll32.exe
2712	rundll32.exe
2896	Setup.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2896	Setup.exe
2896	Setup.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
3052	BabylonToolbar4ffx.exe
3052	BabylonToolbar4ffx.exe
3052	BabylonToolbar4ffx.exe
568	BabylonToolbar4ie.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ = "Babylon toolbar helper"	BabylonToolbar4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\NoExplorer = "1"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	BabylonToolbar4ie.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001cb93-1513.dat	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\uninstall.exe	BabylonToolbar4ie.exe
File created	C:\Program Files\Mozilla Firefox\extensions\[email protected]\defaults\preferences\babylon.js	Setup.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarEng.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\bh\BabylonToolbar.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarApp.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\escortShld.dll	BabylonToolbar4ie.exe
File created	C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarTlbr.dll	BabylonToolbar4ie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbar4ffx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbarsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98e14428601655a3fb48ef0ccb6af10e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crp191D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IELowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MyBabylonTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BabylonToolbar4ie.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a3fd-93.dat	nsis_installer_1
behavioral1/files/0x000500000001a3fd-93.dat	nsis_installer_2
behavioral1/files/0x000900000001cb57-1512.dat	nsis_installer_1
behavioral1/files/0x000900000001cb57-1512.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f00000000020000000000106600000001000020000000ab4439593bdaf82ad73a814871f4fbfc680dce4d0d33ee62307191d9b36fd083000000000e8000000002000020000000f44322dcce8b9feff25fc1a804097acdd4f90a3e61bbb390ef9f7386dc84ab3610000000c1bf579d454c668ddc3d0f4907294bbe400000009024971323317bf904d0541694475eb8989e862416e53d8ce9e6c8b2a44bd5d81b3e6167636a968e4b324119556d098bd08f62a6b0b3d1751dbb3a42c90eb9a3	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f00000000020000000000106600000001000020000000efee294eb699ae5ba77c4dec87757611d25a521f275ea3900a2b5dd4a0d8d29d000000000e800000000200002000000017825d910e52207756e0eea1171ea45cc78590d3bb5e44ccca6688caaa79d1681000000019a60ed44d734e6ed28ff3684e618ad540000000cbf9410e7feb68b6897c40980b9f9d50555e57efe12a6c16c4c020a1ee16f370dc91374050b7e8bbf98846ddd486ace6f2383a13ab19f708b71b4d7a4162ebd6	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f000000000200000000001066000000010000200000007ad43145a21c1962c8283adae47d7791cb06e6df8a7e470d8466711b66e14efb000000000e800000000200002000000035157f359749a647f19f896d467070a0c0448afed0b5d51b1c87ffdcd4b6c170100000009bd93f91fe63208aad279a3b4ae6f234400000009d3901a5636658a070a27dd02aea68842f98f0d3e9181b639597ca0eeeca3e7ebd51640f636079f43b2c5107ad6b49ff45d787f129a10753b42349f02d5c9e3f	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f000000000200000000001066000000010000200000000dec5e72e5c5964f2cef1bfb8584ce2b62c96ec2b5fbf58e73eb01966d601be8000000000e800000000200002000000000ba8ed7fdb83bc9eff41b44b0209310c735db2ba7ff906112ee37c79cf0e50c100000004337959cfee223fb0c4b89b3d04445e1400000008d3603a43018dd2263c09e2410836229abbed0edea26dc00b6c981ffa5457fa5d0b938043ee41ff28ebadf12d808c531d101d380998a7651e6e22e3c8a8bd553	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f00000000020000000000106600000001000020000000cf88d254845c271771b9c589b4b65790005d8cccdd584dc9e9f0fbf52696f4e1000000000e8000000002000020000000706a58da4feb80ec12dd36857f956b5fac73511c2673480dcab539798e01acab100000007452a69c4173e5237d72a4963945e272400000000e0690f335d412ce5474a99a8ed52b1d73a0a24acd663c6122c86cdca5d994eff51ef718f3273d16a4277442d1da2c0a0fa9af2cff28bbd78bb6a909c690160d	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f000000000200000000001066000000010000200000005742df76de2cf46e156012d30d3b6b0e1ced43dcceba7dcc85ee576c94d941dc000000000e800000000200002000000016bdc0062476b1899ea8bf75177d627cf6e545709f1424a26e35d269ecdab6cf100000001cd5ce9550d8556d28a079fc5cd72eca40000000d29d6bf3f0d8d95cdef8db8d96b22884c8163b2ebe82c1c4be64eec06eac27c2309558a52fd51d730ecbc7af589cb62683dff4f41c0f76844bf71f37fa6a8fe4	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f00000000020000000000106600000001000020000000603acf1b80242fcee5c116c1856e8c74c7f0037ff538c12bc53cd37a5036040a000000000e8000000002000020000000e39525e2ad6d87627ed9007ca957a2c07fd765c226756961103e8eec75554fc910000000c314f68b5d3cc436cdfa68662d90fb3c40000000d15892bb7cee440ce53521c373b53df45530d5358c557c3516a045f5f9658492811c22c6460d1ca1e7a6cdba20ae2e36b0e839f776aaf1748cf97120f18709d3	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC} = "Babylon Toolbar"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\AppName = "BabylonToolbarsrv.exe"	BabylonToolbar4ie.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f000000000200000000001066000000010000200000003e0d25df78ded8621337307718cacfc7e2bdd025cc936465a6036d99edb3b3de000000000e800000000200002000000003875b54ce566d0acb33592eacecf5e2962afdc00ab93ae121defcb5fb04318f100000000c200453f0296faf91d7cabbe630e11240000000b374e26ba0c44db9d99dba63fe1d1a6a9134b4171a3042bca5fa6c02ccac3c89ace19e706dc33b8eb6bf26de74e3f008f07725836b3d5c57bf82f24906b12d10	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f000000000200000000001066000000010000200000002d8bc8fce3f805590230fd04af90d4fb6ba6de3a81cdea2ecfa110f0b7ac8e41000000000e80000000020000200000009fd1e8ed7d7efc918d6733260072e7746df08a51023993b55c83d46bb332f4f51000000076db48a4817a458a95dae9a45f24241c4000000027a6f039546fd0c65d96f4519aeb241a534e22382497b6115d759cfc1da4b08b2ff0610c95ff228e06a00e8d5c2c694bb04dbfccf544e008d3b01e438affc13b	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\AppPath = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10"	BabylonToolbar4ie.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f00000000020000000000106600000001000020000000e00eadf20467dd999a42e93df71995920a1cb3fe20f42d7e2cb08be55b12cfcd000000000e8000000002000020000000756ef878d7e0b4ae6362b792d08812e27b2903a3895841f12e91e02ab08637c61000000021cce1cdb04ec898233ca2f65714478e400000003aa1b44eaaaa8a8d6e0c7b14589c519cc60dd3945c8545e4bdf39047eaa34694344d47fe7151bcb8ffa2ea282643ca3a0514a10b1ed84acad7733db7af002db0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f0000000002000000000010660000000100002000000078bccb43bbde16ae3c6534a725624f0dae0b0cd366317cc5cd9d7127eb5d32de000000000e8000000002000020000000c2713a3bea611dc832d1450cfa40cd126d6bbc92a02ca4e942d406ae3945e8f2100000004e7c1347e2b77eb954653e390e5c8e4e40000000af4d1119513beccff190a658d301320eafb567712bcfd531b237c7c6c1551cf15347a36b1faf4dcdea59c54eec31e9990e0d2b6576bb07c0f4754d4f2896169f	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID=\|URI="	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/?q={searchTerms}&affID=121631&babsrc=SP_ss&mntrId=514c3716000000000000f2088c279af6"	Setup.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\	BabylonToolbar4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\Policy = "3"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID="	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f00000000020000000000106600000001000020000000238acb5ab9058d5fe88eee893c9af8bdfdc05b31a90145e7a4e20fd535f39c0e000000000e800000000200002000000090871e7f6cacf690bc260b8869fc1a101c8a4e1f9993c14291306ebf473ccacb1000000011493d534c4f393bd0f0e340d363de5d400000002be13eb78d9cc0422a36a612b48bf575a8f3dc550138c1df98edb1afdcde18d9439ea3fb2a7f63da33e72dc903fc695a163b84434f4939fde0479133de8f3aa3	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1f1256cbb44a64db2f9c627b5bf9a1f00000000020000000000106600000001000020000000a128f75864eda50d2dab49bb417f8bc7132ea5039be89eda911e1d78392dac05000000000e8000000002000020000000227767d93354b7f916a69a1b9a70d9d3422e4d95db8465555079e6a2025a1258100000000d8cd086fb4beeb93411b156bd6aaa8540000000f8a1213a7f793a52d0fc23b2ad826e2ccb32c60f016861ee2a7d6e1d1aaaf3604cd1a43201cff5b116a0ed17755767b478997477f60a2185baf03f2533b205a5	rundll32.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/?affID=121631&babsrc=HP_ss&mntrId=514c3716000000000000f2088c279af6"	Setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\VersionIndependentProgID	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\Programmable	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ProxyStubClsid32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\postUninstall = "http://www.babylon.com/redirects/redir.cgi?type=mtbuninst&instlRef="	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\TypeLib	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\ = "IEvntCntr"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}\TypeLib	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ = "IXtrnlBsc"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\ProxyStubClsid32	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ProxyStubClsid32	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\smplGrp = "none"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\CLSID\ = "{98889811-442D-49dd-99D7-DC866BE87DBC}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\TypeLib\Version = "1.0"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1\CLSID\ = "{98889811-442D-49dd-99D7-DC866BE87DBC}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\BabylonToolbar\\BabylonToolbar\\1.8.11.10"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ = "IRegmapDisp"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\TypeLib\Version = "1.0"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\InprocServer32\ThreadingModel = "apartment"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ = "appCore Object"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ = "IXmlCnfg"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ = "IescrtSrvc"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\aflt = "babsst"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\1.0\0	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ = "IwebAtrbts"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}\ = "IEscortFctry"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}\ = "IGglRlz"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\b\CLSID\ = "{B8276A94-891D-453C-9FF3-715C042A2575}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\instl\data\admin = "false"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Babylon.dskBnd\ = "CDskBnd Object"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ = "escrtSrvc Object"	BabylonToolbarsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ = "escort"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ProgID\ = "escort.escortIEPane.1"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\TypeLib\ = "{6E8BF012-2C85-4834-B10A-1B31AF173D70}"	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ProxyStubClsid32	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ProgID	BabylonToolbarsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\TypeLib	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\TypeLib	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\TypeLib	BabylonToolbar4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BabylonToolbar4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\TypeLib	BabylonToolbar4ie.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2896	Setup.exe
2896	Setup.exe
2896	Setup.exe
2896	Setup.exe
2896	Setup.exe
2896	Setup.exe
2896	Setup.exe
2896	Setup.exe
2896	Setup.exe
2896	Setup.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2356	MyBabylonTB.exe
2896	Setup.exe
2896	Setup.exe
2896	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2220	JaffaCakes118_98e14428601655a3fb48ef0ccb6af10e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2896	Setup.exe
Token: SeTakeOwnershipPrivilege	2896	Setup.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2484	2220	JaffaCakes118_98e14428601655a3fb48ef0ccb6af10e.exe	30
PID 2220 wrote to memory of 2484	2220	JaffaCakes118_98e14428601655a3fb48ef0ccb6af10e.exe	30
PID 2220 wrote to memory of 2484	2220	JaffaCakes118_98e14428601655a3fb48ef0ccb6af10e.exe	30
PID 2220 wrote to memory of 2484	2220	JaffaCakes118_98e14428601655a3fb48ef0ccb6af10e.exe	30
PID 2484 wrote to memory of 2896	2484	crp191D.exe	31
PID 2484 wrote to memory of 2896	2484	crp191D.exe	31
PID 2484 wrote to memory of 2896	2484	crp191D.exe	31
PID 2484 wrote to memory of 2896	2484	crp191D.exe	31
PID 2484 wrote to memory of 2896	2484	crp191D.exe	31
PID 2484 wrote to memory of 2896	2484	crp191D.exe	31
PID 2484 wrote to memory of 2896	2484	crp191D.exe	31
PID 2712 wrote to memory of 2788	2712	rundll32.exe	33
PID 2712 wrote to memory of 2788	2712	rundll32.exe	33
PID 2712 wrote to memory of 2788	2712	rundll32.exe	33
PID 2712 wrote to memory of 2788	2712	rundll32.exe	33
PID 2896 wrote to memory of 2508	2896	Setup.exe	36
PID 2896 wrote to memory of 2508	2896	Setup.exe	36
PID 2896 wrote to memory of 2508	2896	Setup.exe	36
PID 2896 wrote to memory of 2508	2896	Setup.exe	36
PID 2896 wrote to memory of 2508	2896	Setup.exe	36
PID 2896 wrote to memory of 2508	2896	Setup.exe	36
PID 2896 wrote to memory of 2508	2896	Setup.exe	36
PID 2896 wrote to memory of 2356	2896	Setup.exe	37
PID 2896 wrote to memory of 2356	2896	Setup.exe	37
PID 2896 wrote to memory of 2356	2896	Setup.exe	37
PID 2896 wrote to memory of 2356	2896	Setup.exe	37
PID 2356 wrote to memory of 568	2356	MyBabylonTB.exe	38
PID 2356 wrote to memory of 568	2356	MyBabylonTB.exe	38
PID 2356 wrote to memory of 568	2356	MyBabylonTB.exe	38
PID 2356 wrote to memory of 568	2356	MyBabylonTB.exe	38
PID 2356 wrote to memory of 3052	2356	MyBabylonTB.exe	39
PID 2356 wrote to memory of 3052	2356	MyBabylonTB.exe	39
PID 2356 wrote to memory of 3052	2356	MyBabylonTB.exe	39
PID 2356 wrote to memory of 3052	2356	MyBabylonTB.exe	39
PID 568 wrote to memory of 1688	568	BabylonToolbar4ie.exe	40
PID 568 wrote to memory of 1688	568	BabylonToolbar4ie.exe	40
PID 568 wrote to memory of 1688	568	BabylonToolbar4ie.exe	40
PID 568 wrote to memory of 1688	568	BabylonToolbar4ie.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98e14428601655a3fb48ef0ccb6af10e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98e14428601655a3fb48ef0ccb6af10e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\crp191D.exe
  /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\65E436~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Program Files (x86)\Internet Explorer\IELowutil.exe
        
        "C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\65E436~1\IEHelper.dll,RunAccelerator
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\MyBabylonTB.exe
      C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\MyBabylonTB.exe /lng=en /babTrack="affID=121631" /instlRef=sst /aflt=babsst /srcExt=ss
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ie.exe" /lng=en /babTrack="affID=121631" /instlRef=sst /aflt=babsst /srcExt=ss
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
      - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe
        
        "C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbarsrv.exe" /RegServer
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe
        
        C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\BabylonToolbar4ffx.exe /lng=en /babTrack="affID=121631" /instlRef=sst /aflt=babsst /srcExt=ss
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3052
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\65E436~1\IEHelper.dll,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.11.10\uninstall.exe

Filesize
195KB

MD5
d5cafd1094c003ed8b5ee0769d40468b

SHA1
36accbcc1114475aae0195d193f9d0a0d978cf6c

SHA256
938703cd98e89398e129ccbea6ae0546d8aa5eb90bbaf96c2ecf18f88852941e

SHA512
0395cf4e48ef1f49793eac95cb25089c4a7c24546af65080d8feecdda7532a461a13596cad928550926a90ca971ed7a9bd1cfb651ee1d1d18133e01912228d7a

Download Submit
C:\Users\Admin\AppData\Local\Babylon\Setup\Setup-tbdef.zpb

Filesize
1.4MB

MD5
85499627e8e83a35ba23cb860067b468

SHA1
758d2902f93e28b92c1f422b3d5e16d03835c3cb

SHA256
8b1b99fd1eb29d888fef74a3733d60e3c0b5af2405beea8fe2223fffae79f4d0

SHA512
bd2b00be1b78a37b6b8d6462c358045ddba18d46021c820dbc73c5f62309b0c08d5144d3a65666384a9ba646d6e942791b949b220969a27d307352db08dbc052

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\Preferences

Filesize
4KB

MD5
4552585599a7311e456643e0c9a9bca5

SHA1
3a88f354289a02cdd116556f661ee2d893dc6151

SHA256
059b242bbebb14d967512325df0d1001e886455770e550f1b4883504b5e353ac

SHA512
705fbe33d340430aec2fd6b8d4e051731a6380a095599c64c6ebf05e4e1af175d32f3b20ca78fcdd67a3d44f701eb7cb191b55873d36174c1d062cabbc9b66e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\BUSolForMontiera.inf

Filesize
199B

MD5
bc3e8cc74871863fc921511e2e6cc88a

SHA1
653cab5ba2107004f9525849ff5625d64b83e4c3

SHA256
c9e2a3953cc5ea87716f2a9a16078adb2f9c60318c6f1cfc877885126cc0dd17

SHA512
85f4130758ea38e4ae823e6fbae7448fa780bd295bd177afb4395ddd118c019d1533238e963e5277be453a1cd7681667c4ab06b10004ab8ed890d6e0b9e0529d

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\Babylon.dat

Filesize
12KB

MD5
825e5733974586a0a1229a53361ed13e

SHA1
9ec5b8944c6727fda6fdc3c18856884554cf6b31

SHA256
0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96

SHA512
ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\SetupStrings.dat

Filesize
89KB

MD5
407846797c5ba247abeb5fa7c0c0ba05

SHA1
44386455eed8e74d75e95e9e81e96a19f0b27884

SHA256
0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3

SHA512
7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\TBConfig.inf

Filesize
23B

MD5
e6d6dbe1e36a9ccc040369ab905e0d4a

SHA1
f7b40129e12f9f8ec3dae49d281ea1b8171642c5

SHA256
24d0d8de57d4bb9d88c6079d19b0efb51c18c8006ddb805fcc6cb7c302f94a12

SHA512
caa6c8ba543b92a49e41b736d560a3dd62651885f3c0c30ebb309e57bc77ec0dd1ccc20ebc6d4ff04d17083f112f3b6427356ff585ed40de6d08b51e6771dbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\bab033.tbinst.dat

Filesize
205B

MD5
90713ab7a74884cd36a5fb4cfcdece8a

SHA1
7bb56d08fd69a98e543b923bd0a9156f92a9c473

SHA256
bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb

SHA512
639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\bab307.sp_pop0.dat

Filesize
178B

MD5
0b7be9c4b72c2c5166bfd61ca5ebbfed

SHA1
aea0aa4e8226c1b4efce92e909da773744baa6d4

SHA256
673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd

SHA512
4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\bab327.ff_2.dat

Filesize
179B

MD5
acc576624b76c140ce6e78885d279efe

SHA1
f5816e66ab9da86bdff210f96399078c36a4af54

SHA256
78dc1600b62ca4aac2ce5c94f7b1973800349ac56804aba4b17c410e0fff4c17

SHA512
449cdfa0a93191ae9d109c689f09ed444ccf53a4b087a9e5005527561c1598233d05396d1b118db6fe6d6dc45c6dc9909238200f8fa8d4a4dbf903deca19201b

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\nsp581.tmp

Filesize
364B

MD5
c9050d020c0b459f0eb6ab1b89c6cad4

SHA1
7a1b72e7c784006bed198bc5cd23fe1b21732bdf

SHA256
1af1bb393e689dcbe7e99f135cd41ea441dc7aa0adbf0b1492d31d6f27767e9f

SHA512
5bd05d78e4637b10663797ef8e7c400c85274d4e1aa991438638d2cb2de580cb26632d73e29370d67376f64c2eec225ef9bece082634912b76869559c6433409

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E436~1\IEHelper.dll

Filesize
6KB

MD5
9cb62aa0c5c554f2557d29d1601c8347

SHA1
f2fb5115b7d03e90f6e9d4b1f6e882385aa00f5f

SHA256
a65ba80d23494077575f505c20c9f9516aa21b9bded2b7032b6d5e7bc1737fa5

SHA512
0a325a02c323d52c9f374bc22e5182f5f49f485a689b6ca561196222ff18127f84ea7a48ac438277b9dcd1237c983f03eab54606eacbb1f79aadb0a0f84f0cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nse84C.tmp

Filesize
419B

MD5
e36113def65e7fcbdd2459e926b9a828

SHA1
d61134f5732a66e25626265a7eb90ae3174c8a24

SHA256
cbc88630294bae69c2de0d376d24c1f9af627f9a748b35569db9fcee4e653100

SHA512
0e337c33bccc42f636059c197806a895b38603537e85a3caf651ba1ff24b1755f9840516aa64f4dcd1a96453824a7ef114eea7690daa592c2d7a415a502880f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nse89C.tmp

Filesize
639B

MD5
a546f05f12804ae3f4f72d31f81cf72a

SHA1
3738700061922ed1d95fda25c80e5b2457690b9c

SHA256
e40b260cb9690c15938d39596e09fb57140bb9f4795c800f5c07b7c2889f8ce5

SHA512
a24edc41fff4d08dc49d928459e5c52486f0d86639e9a0f84adddd3869e05a9910e3b99dde5cae3946ae5950a9d76071ab354f53e8227552bdea76909d2dc18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsk11FE.tmp

Filesize
963B

MD5
690183f4fc7c58e4a4f99e251480c03d

SHA1
a8747ff7e618f38180ddd89e3b961f1c54a7c299

SHA256
e79a1eed2dce419b97b84da5675ee40e354a1480b02b4d7486944204d3d2796d

SHA512
2d21a7ca679169b2545c4a1cb31a2b6a983eb27de2c520b94e2841dfb8b66f4a5bcbc31e5f57f01cdaa9bac93a4be071e13bfdb91b6080f4544482c1d0979ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsk124D.tmp

Filesize
1019B

MD5
5dccbd25276a10d5fb1aeda0bc7be089

SHA1
19b1327f38572a883ca28613a619eb18917eaa32

SHA256
1ae86f7b48c58c1e34acea133cf5fd1123f8ce5402f4ae1b6bf079f7ff9ed4b3

SHA512
d8c4df5d3cfe98933b209f47fb3b45ee916f01ba69a0db04da4b7c490739bde106dd925696090bd9a8aaf158ae95765b074bd0601c0d0f953400f8b998723a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsk129C.tmp

Filesize
1KB

MD5
03d5ece5313203102e4646c0e27f5133

SHA1
e3e2aa59bfeefd9ded9b1ad81daae8051a677251

SHA256
efbb1cf4f471bda6bc0d74a52e5893f4c37e6113668b29fc929bdbe15c1262c9

SHA512
042c4ff292dd29c976e066d2f63934f86b9f30c1622f85f2715af140626d441a0da7473e20608a9e2c51988077349712078a472098c9b32988408096e3557da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nskA49.tmp

Filesize
1KB

MD5
7a194f8e6fe4d9da41c0d8381a205190

SHA1
446f61de8e4307772fd61d63dac13ad7ae7f46c1

SHA256
467ca1204eafee8a30fc2ba1254a3d53df1793a53115516ef46ccefbb1fceab2

SHA512
37c0ab256db5a4642466d0bf431b3355cab1ae85a5bcc7134617593f756fb8d4be50affcf76d45d64dd1cca96243b2ddbfc772e64d784dcfcec5736f33b7a2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsp1044.tmp

Filesize
656B

MD5
86d90306ff49b30a29a8c8fe76583168

SHA1
1b0c3f4f6eb48e446911dcce737d4a7a656f5fd7

SHA256
b5f836ad85dcc16a20927efda1c96dd5069d0482228c32342d5e9df70a342fd9

SHA512
92b33df5cc7393612444e54989265adc4e95ec7228881b4c592ea7595b4dfdd8e4121cb9a54611ee22d524f2ce7f73c871bd4332545189cc9702fd125dfe389b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsp12BC.tmp

Filesize
1KB

MD5
495aeeab34edb971a5e68ef8905804f8

SHA1
95813851fc126ec722d64f3ca0d9f91e3452d88c

SHA256
21059a5470997b26f1adbb933912f62defc8b326a1c57387d15c4beb3edb06d5

SHA512
d7b1ef34aa1e2447732068835a7ce6f6ac319acc44e1eb23fe6787c11da6aad41ca951ce5b8ac98a12fa53946c20bd2f713b81c142bf6f4b8cc15d9c1adf3fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nspFA4.tmp

Filesize
389B

MD5
5008e3b61758a5abfb9efb0a0e09a907

SHA1
4788572d9f9d0d33904f972aa091179e9e862359

SHA256
cacc30dc42c13d92d22ac0f600837155f83d0aa6a94103e7c2536be87ac5cdef

SHA512
ea64c9fb9ab81477425508ad4a85a1cbcf78722f11f7c289e0c40201415d488dfe5819a07f8c23f194541e1b40353ae3b9507dba4af7920b8c431a9506e16429

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsu1103.tmp

Filesize
906B

MD5
75b20e838dbb09c42585f49d4dda9665

SHA1
24426ab0e1383e39ca4b9f050485d5e4237dd980

SHA256
a9670bc76ffc3532adafcb5e61e8807b09402d0cf7279eae63c8f77bbd8feba8

SHA512
a39c2f20206c74c9247de580c98e5095233c0ac38f84a3ffbb36f2fff5fd8f0e7bdec1c99eb5feb63eb6cb293a01bc12536a3b3243d86f7f9134aac140f91d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsu1381.tmp

Filesize
115B

MD5
c1428200909ff5bfdb30a82eecbb4b40

SHA1
c022ecfec082a19ad22d68eb5c30784ebace04b9

SHA256
af6ae06df1d9727c660330189641382281b93bf379b58c1533b8b80517078bff

SHA512
99cea80ce86b54c952cfe22630f983ec16ae1175cff11e6267f493b0eb61affa610340eaf813dda21bcae0b02a53b291924d1ba0a5724a7ae0c7fc26a02cc4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsu1382.tmp

Filesize
170B

MD5
2b92ccb45188055a62c8b7a5bb22ee4d

SHA1
4fa5631cd535c2cdd6090d424b84028d77e3f757

SHA256
2608d508bf2471271183ceba949e60e08ded64182203db88987cb92004ee3e8c

SHA512
4b54bdb0dd5aa521c52fe64171b30d5aa656b4c4d14098e7f91048f4c88a87da419025af8d2ea4659fd5d240be27fb2c7f614b37ef4c09b8ceec5932e4ff1622

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsz1084.tmp

Filesize
785B

MD5
f6827b6e3812ffd954b3b319ac76f753

SHA1
e70eaa2459565569827851f6804f7f9dd4b9a2e1

SHA256
6b4878dd823c824d31d04e7afc5c657ee4446f115baf17e126e18a7dd57d504a

SHA512
5a2c1b37dee466b96b4b1bd6ec5e58513895a86668c97b87378049b1ef7ff6ec424b1c95b3b501e14005961be142ac64b5252429fc9ebc0622c7d3e488f69bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nsz10D3.tmp

Filesize
850B

MD5
a15d7aa44313eb2719f2f5fdc175d58a

SHA1
39b76833ca3db5407b036c7a6e5d5ae18511cb93

SHA256
794b7ab90e565713fabd10b087e9fe45e91cd19e722fad429cdad821d29d034a

SHA512
dfb210af5f7c101aa8cab9ad55ec91ff8dfd1a0ab3303784918a607a2ee97d5c9150828d7b94c6bd3f849dadf9dc501f9abf014837a22a2c334fdf54c9115df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nszA09.tmp

Filesize
1KB

MD5
06c8ac90d8d44e2e3c51bbb97651f3b1

SHA1
7ddb08a5b7dac57e89ace3b996fea710a65b4650

SHA256
42a90f1e4d117bd74dde52b5a636248478c13e1ffb7675918d127f1f77552960

SHA512
03db2635e360516def9bb676dfa42aad9ad4d2abd69c46e30d06fca66faa348f1299e13605e758812f07ef255ab4a4615720336d7d1c509406c940136a9cebd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nszBE2.tmp

Filesize
1KB

MD5
e1de86a43836e402221e0617c084cb64

SHA1
e3d9aa7ece2bb3715bdb191e934a8db1ddf3abc6

SHA256
e5829d9795789275c7a6ff46550a91698eb831dcbcd23e13ef7c7cec62843ba4

SHA512
95d843c241e6aabc6628d4adbadc8b56d06f24bf5f19158781f87eab1e65047ccfa434ff4c32e06066698757b14299dc0d854466aa3e4692136b78f7fa3e3ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.8.11.10\nszCCD.tmp

Filesize
1KB

MD5
201d653501637ad46f528f9304b9d585

SHA1
76a609f4a16bb0ea2876738aea862c59a6e61469

SHA256
58d4783ab04bbd8ac89192b1065c5d98ea0b7389b7b0079b18c53123ec306af3

SHA512
67b8a6e095ea366cbd566a62b3f5c1ce7f749c53069d8dc3be0fa3eefe028efa504017506cccea8212765f318b0fc51c92fe20280b4825b71ed960cadd919104

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse713.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk427.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk427.tmp\Processes.dll

Filesize
56KB

MD5
cc0bd4f5a79107633084471dbd4af796

SHA1
09dfcf182b1493161dec8044a5234c35ee24c43a

SHA256
3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c

SHA512
67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk427.tmp\mt.dll

Filesize
7KB

MD5
4fae8b7d6c73ca9e5fc4fe8d96c14583

SHA1
10865e388f36174297ec4ecdafd6265b331bfdcd

SHA256
069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f

SHA512
73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js

Filesize
59B

MD5
f6abf26891434f5c1da533557c20b125

SHA1
183844392b249b47a9d141dfa411e929607fa3ab

SHA256
18f3c4fb52e43871fcc2b2263c8c15ac2f0b0bee6a82c16076a56c2646eee8bd

SHA512
2014574467a054d8163d264a9cb0f8ed85b0ec9957995295eed5abad4ab3fd47c1d4a7632b03f5d531797c7f3b539c0b64cedd1d4a76c88fa09966787b0a307e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js

Filesize
114B

MD5
4221b6382c6cb300ac6aea49eea6b066

SHA1
ed59d159efa4a96efb988ce7478347cf15b60253

SHA256
b760a077039e396d2f49d83eb7b2fc6422c97e10d737640cc00f894c3181a7f8

SHA512
f52d36a7cb705ea0bbfb516bd36dfd614d5e68c73995a958dc15fe405507b7921bae6d8ca84e2cc80cc743aad308b5cb7e84cda216a7468f908085d681e226eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js

Filesize
1KB

MD5
c8ad1b6844c3724abd37e64570eeed30

SHA1
e749c0d275300c8c63f72cd5a3a4eefb15e96207

SHA256
c4ee16ebc770e4f10474aa7dccd0d4e50c383ee5693d31a1a062e7cf599a6d44

SHA512
41c490db638fafa38fbfb1181db272db76860deb3d31b48646ea034799476c1c76a7646730cf8dcbf9147ae303a90e5d0f67240304e25f72fa85d52005ceba28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js

Filesize
1KB

MD5
3b89d7ab5a4408531d59bbbe54244511

SHA1
b1eec30c7397588f6b45d3c7bd8dad29d272188b

SHA256
ae218dd1c12ace19313632458b9e9641fbd861128b822ba95ea4dac5e9da30cb

SHA512
e2370557ec7808a163eb095617d3d7495f664d71f38ef411cdd764fcd4325492d9279a2d71f2277155afb660ec3d79334ce2b60cede1d0aac748f9b218faf937

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js

Filesize
846B

MD5
ebc749e8d637f5542b491146b08c4fcb

SHA1
fdf5de77a6cfa148d09208c1dcdcfda7cd40e267

SHA256
065d718f2e0c85caf9bd80887ff8f3407a2fdccb7cd62948002cc8353d1e1ad3

SHA512
c03553f3753506e231667df308d4948e2d232f8e4dfd1440ce87419a53460baa0d3bdfc38e943082d3e9a76e20571d4a8b59b3aab3f27a2271b81e159e38d61c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\user.js

Filesize
975B

MD5
3e26cd99f6d665b45fa8fd5e65eb01af

SHA1
6add031295c7a80ce8ab499eef31a283b47b49a1

SHA256
fef93ad6c293cebf9d63b7197df290cbfb65c595101bc08b98a12441903a0750

SHA512
a558580c9c63c2a706b386b349d4ad99d4d007f3ef55bb6195970639554f65935875d76195cf3871b87eacefdfe8559e2b7f15c527d62944a96847fa455f390b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js

Filesize
478B

MD5
99293881f9e0c8d537c9f9ad8e73e4c7

SHA1
5cf94b890248463f5a9cd1905f34e76e5d13e235

SHA256
a55f51cc03866ece7973ec57f5488e0b58ef7d441dad12254c8c3f4c920ec13d

SHA512
ee6aed465afc7eb3d51ad48b116d6be0bed20da62d026728cde720aba2187910bfac482567c4da49246c0e72f1938e18e6095034d58d2762f39b281761737835

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js

Filesize
725B

MD5
03d2474b4818a16716209c227580923f

SHA1
a92f724278940afe9b614efa8132657bc62bb670

SHA256
2af1d9303f74f17aec3acb12e644a6a8f6ef89cce16b49726761533cfc40d8b4

SHA512
d3dedd5d8725674a65c9ba6333529c0f29de6f7d52853dcb4387ba19ca1331fdbd016a6eb00f8b78e6dafda838c45679ef52f33dd0bffa5c1839dbc1156919fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js

Filesize
1KB

MD5
c6fa8de12002e92f28b46f7c044b659f

SHA1
c15e0a4692816f4171da88b730fe5d22350595a6

SHA256
3d3ee3e7c47df4deb3a1cb345e04ef25890c115551a8c28ed8bd75941b5f0145

SHA512
486e227385ebed1ef79ee612092793e68a3b8493b37872df58f7cbeb3d885bed09f573b47a88dbc3eb2aaceadb9530148df7a137f0f9e67beb1582143ffeb6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\user.js

Filesize
169B

MD5
aa7146096c0845579768f90d28796aff

SHA1
141d990a6712ce0a851f30a42a981d584bf366fa

SHA256
90c1e96183cdf31b0008a36646233b2f474408c4be3ec889a3f8b28db901c551

SHA512
f41bdc67249f30f60f7200ccfa0f287ab688ef8b2dcf8d5f758744e8e51edb9b5ce2f186cbb09faf91cb52e82d95c0b70bad5c478768fefc55f82dab0f108386

Download Submit
\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\BUSolForMontiera.dll

Filesize
105KB

MD5
64bea1da4d76085d0a47ed21450401cf

SHA1
296d8b511c0f7b8b7d0791c522db553f9461ba35

SHA256
80924cda632e20e1ead804b67fe64ce87c2b6dacbe73b9a2ee1904d402b2ea9d

SHA512
f4644bcd3dff71648209caa2d7489b0cc87050271cbddf875439cb4eba3e3fa400acc29703cff231f6a1c6f2097697f2f4387ca265682d8e4185a1242dfeb2d8

Download Submit
\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\MyBabylonTB.exe

Filesize
1.6MB

MD5
7c82cc9aca3eb71e463ff607cd607e3b

SHA1
5ffcc47376a89ec39fba8516694fb37c3b7d2bda

SHA256
9c1b8b8b3372737fe355bb6f4f96fc9b04bcdda5f3bfbe9617d22cbc35a400ea

SHA512
7ef9e92153607646f9eb9dec4fd087e9523df523d4f06eff994698d79ddc4e8e1f681fde13e1eb888e5a85457db558b10ffaf190c17bdc98688a59a90efc4670

Download Submit
\Users\Admin\AppData\Local\Temp\65E436B5-BAB0-7891-90CC-E769F8F05265\Setup.exe

Filesize
1.8MB

MD5
74af846f2ad4aec60779623fc8bbcd83

SHA1
9f2fbfe260c9111f88e8edc6dfc068d08c1491c5

SHA256
f795ffc4c850a6a214aac740258c6560a72a5a5c1759bb9cd231df2e1a271edf

SHA512
157e612a02e0a6ca87f5d8b572950cc85c8980641bc1f973b20836c1e91d0df0a132a58191a99efdba0b5c4923bc412083b833a12a1ef3554ade745c07a2605f

Download Submit
\Users\Admin\AppData\Local\Temp\crp191D.exe

Filesize
754KB

MD5
5ac98c84160a9400db448d153c959bb6

SHA1
829d808c091045f45c513a6e4ab17055a52a9320

SHA256
e4f1009192f163aacafc3ac23f3fbce358122040a5dbf99b86c9f4cac9809ecc

SHA512
36f4e7f4c0f2bd647d23714b08d322ff8383e52ede16f5719f09e710e133669586af0ae7c3af2ab98a066724b2f1dffc114437d7d8820e98614b86470ade2376

Download Submit
\Users\Admin\AppData\Local\Temp\nsk427.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsk427.tmp\Time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
\Users\Admin\AppData\Local\Temp\nsk427.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nsk427.tmp\chrmPref.dll

Filesize
208KB

MD5
241d60c30189b740c9086e34ff259e66

SHA1
7be0132de11c34018b6326d1de20fe9f20dea790

SHA256
8b3d8f239f11b53bc28f645546696441446e9a593be59cbf604fcc28a7e6d474

SHA512
ad342cea73ba3f7e7afc57828abc7320c0c5e39e20f5b06637c565a2b4579f05d81540e02b094776abbb17b021712a0f28e5f62637d8cea04b832e79252dd5fc

Download Submit
\Users\Admin\AppData\Local\Temp\nsk427.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
memory/2356-2868-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/2712-38-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2788-37-0x0000000000D00000-0x0000000000D02000-memory.dmp

Filesize
8KB

Download
memory/2896-43-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/2896-377-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/4048-2894-0x0000000000210000-0x0000000000212000-memory.dmp

Filesize
8KB

Download