58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e

General

Target

virus.exe
Size

315KB
MD5

0be23ddaec11bb1e64f2f54d4505cbcd
SHA1

24dce5a1b78c691f57d20de2afe00af2f88c1bb5
SHA256

58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e
SHA512

5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879
SSDEEP

6144:elNBW0lmEWfK8OZn05Wm6wFBDpomqTVg+e67YCkxLr3DI3NoAcs:ent8OZQBDDpsyfFr3Io

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

client.execlient.exe

pid process

928 client.exe
596 client.exe
Loads dropped DLL 2 IoCs

Processes:

virus.execlient.exe

pid process

1716 virus.exe
928 client.exe

pid	process
928	client.exe
596	client.exe

pid	process
1716	virus.exe
928	client.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ProgramData\Babylon RAT\client.exe	upx
C:\ProgramData\Babylon RAT\client.exe	upx
behavioral1/memory/1716-60-0x0000000000D80000-0x0000000000DFE000-memory.dmp	upx
C:\ProgramData\Babylon RAT\client.exe	upx
behavioral1/memory/928-62-0x0000000000A90000-0x0000000000B0E000-memory.dmp	upx
\ProgramData\Babylon RAT\client.exe	upx
C:\ProgramData\Babylon RAT\client.exe	upx
behavioral1/memory/596-66-0x0000000000A90000-0x0000000000B0E000-memory.dmp	upx
behavioral1/memory/928-67-0x0000000000A90000-0x0000000000B0E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

client.execlient.exevirus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	virus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	virus.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	client.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

virus.execlient.execlient.exe

description	pid	process
Token: SeShutdownPrivilege	1716	virus.exe
Token: SeDebugPrivilege	1716	virus.exe
Token: SeTcbPrivilege	1716	virus.exe
Token: SeShutdownPrivilege	928	client.exe
Token: SeDebugPrivilege	928	client.exe
Token: SeTcbPrivilege	928	client.exe
Token: SeShutdownPrivilege	596	client.exe
Token: SeDebugPrivilege	596	client.exe
Token: SeTcbPrivilege	596	client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

virus.execlient.execlient.exe

description	pid	process	target process
PID 1716 wrote to memory of 1108	1716	virus.exe	cmd.exe
PID 1716 wrote to memory of 1108	1716	virus.exe	cmd.exe
PID 1716 wrote to memory of 1108	1716	virus.exe	cmd.exe
PID 1716 wrote to memory of 1108	1716	virus.exe	cmd.exe
PID 1716 wrote to memory of 928	1716	virus.exe	client.exe
PID 1716 wrote to memory of 928	1716	virus.exe	client.exe
PID 1716 wrote to memory of 928	1716	virus.exe	client.exe
PID 1716 wrote to memory of 928	1716	virus.exe	client.exe
PID 928 wrote to memory of 1348	928	client.exe	cmd.exe
PID 928 wrote to memory of 1348	928	client.exe	cmd.exe
PID 928 wrote to memory of 1348	928	client.exe	cmd.exe
PID 928 wrote to memory of 1348	928	client.exe	cmd.exe
PID 928 wrote to memory of 596	928	client.exe	client.exe
PID 928 wrote to memory of 596	928	client.exe	client.exe
PID 928 wrote to memory of 596	928	client.exe	client.exe
PID 928 wrote to memory of 596	928	client.exe	client.exe
PID 928 wrote to memory of 1112	928	client.exe	cmd.exe
PID 928 wrote to memory of 1112	928	client.exe	cmd.exe
PID 928 wrote to memory of 1112	928	client.exe	cmd.exe
PID 928 wrote to memory of 1112	928	client.exe	cmd.exe
PID 596 wrote to memory of 1228	596	client.exe	cmd.exe
PID 596 wrote to memory of 1228	596	client.exe	cmd.exe
PID 596 wrote to memory of 1228	596	client.exe	cmd.exe
PID 596 wrote to memory of 1228	596	client.exe	cmd.exe
PID 596 wrote to memory of 1768	596	client.exe	cmd.exe
PID 596 wrote to memory of 1768	596	client.exe	cmd.exe
PID 596 wrote to memory of 1768	596	client.exe	cmd.exe
PID 596 wrote to memory of 1768	596	client.exe	cmd.exe
PID 928 wrote to memory of 948	928	client.exe	cmd.exe
PID 928 wrote to memory of 948	928	client.exe	cmd.exe
PID 928 wrote to memory of 948	928	client.exe	cmd.exe
PID 928 wrote to memory of 948	928	client.exe	cmd.exe
PID 596 wrote to memory of 1824	596	client.exe	cmd.exe
PID 596 wrote to memory of 1824	596	client.exe	cmd.exe
PID 596 wrote to memory of 1824	596	client.exe	cmd.exe
PID 596 wrote to memory of 1824	596	client.exe	cmd.exe
PID 928 wrote to memory of 1580	928	client.exe	cmd.exe
PID 928 wrote to memory of 1580	928	client.exe	cmd.exe
PID 928 wrote to memory of 1580	928	client.exe	cmd.exe
PID 928 wrote to memory of 1580	928	client.exe	cmd.exe
PID 596 wrote to memory of 1792	596	client.exe	cmd.exe
PID 596 wrote to memory of 1792	596	client.exe	cmd.exe
PID 596 wrote to memory of 1792	596	client.exe	cmd.exe
PID 596 wrote to memory of 1792	596	client.exe	cmd.exe
PID 596 wrote to memory of 1948	596	client.exe	cmd.exe
PID 596 wrote to memory of 1948	596	client.exe	cmd.exe
PID 596 wrote to memory of 1948	596	client.exe	cmd.exe
PID 596 wrote to memory of 1948	596	client.exe	cmd.exe
PID 928 wrote to memory of 1496	928	client.exe	cmd.exe
PID 928 wrote to memory of 1496	928	client.exe	cmd.exe
PID 928 wrote to memory of 1496	928	client.exe	cmd.exe
PID 928 wrote to memory of 1496	928	client.exe	cmd.exe
PID 596 wrote to memory of 1900	596	client.exe	cmd.exe
PID 596 wrote to memory of 1900	596	client.exe	cmd.exe
PID 596 wrote to memory of 1900	596	client.exe	cmd.exe
PID 596 wrote to memory of 1900	596	client.exe	cmd.exe
PID 928 wrote to memory of 2016	928	client.exe	cmd.exe
PID 928 wrote to memory of 2016	928	client.exe	cmd.exe
PID 928 wrote to memory of 2016	928	client.exe	cmd.exe
PID 928 wrote to memory of 2016	928	client.exe	cmd.exe
PID 596 wrote to memory of 1152	596	client.exe	cmd.exe
PID 596 wrote to memory of 1152	596	client.exe	cmd.exe
PID 596 wrote to memory of 1152	596	client.exe	cmd.exe
PID 596 wrote to memory of 1152	596	client.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\virus.exe
"C:\Users\Admin\AppData\Local\Temp\virus.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
2⤵
PID:1108

C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1348

C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe" 928
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:484

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:360

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:616

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:484

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:360

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:360

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:708

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:188

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:708

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:484

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:360

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:280

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:300

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:708

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Babylon RAT\client.exe
Filesize
315KB

MD5
0be23ddaec11bb1e64f2f54d4505cbcd

SHA1
24dce5a1b78c691f57d20de2afe00af2f88c1bb5

SHA256
58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e

SHA512
5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879

Download Submit
C:\ProgramData\Babylon RAT\client.exe
Filesize
315KB

MD5
0be23ddaec11bb1e64f2f54d4505cbcd

SHA1
24dce5a1b78c691f57d20de2afe00af2f88c1bb5

SHA256
58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e

SHA512
5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879

Download Submit
C:\ProgramData\Babylon RAT\client.exe
Filesize
315KB

MD5
0be23ddaec11bb1e64f2f54d4505cbcd

SHA1
24dce5a1b78c691f57d20de2afe00af2f88c1bb5

SHA256
58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e

SHA512
5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879

Download Submit
\ProgramData\Babylon RAT\client.exe
Filesize
315KB

MD5
0be23ddaec11bb1e64f2f54d4505cbcd

SHA1
24dce5a1b78c691f57d20de2afe00af2f88c1bb5

SHA256
58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e

SHA512
5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879

Download Submit
\ProgramData\Babylon RAT\client.exe
Filesize
315KB

MD5
0be23ddaec11bb1e64f2f54d4505cbcd

SHA1
24dce5a1b78c691f57d20de2afe00af2f88c1bb5

SHA256
58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e

SHA512
5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879

Download Submit
memory/596-66-0x0000000000A90000-0x0000000000B0E000-memory.dmp

Filesize
504KB

Download
memory/928-62-0x0000000000A90000-0x0000000000B0E000-memory.dmp

Filesize
504KB

Download
memory/928-65-0x00000000002F0000-0x000000000036E000-memory.dmp

Filesize
504KB

Download
memory/928-67-0x0000000000A90000-0x0000000000B0E000-memory.dmp

Filesize
504KB

Download
memory/1716-60-0x0000000000D80000-0x0000000000DFE000-memory.dmp

Filesize
504KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads