babylonrat | 9b35515881e9df17f63e542ec471ab11e41dbef91eec80ed2d751b449fc80db3

Resubmissions

06-05-2024 03:14

240506-drhjrsfc3x 10

06-05-2024 03:08

240506-dm8kdsaa57 10

Analysis

max time kernel
298s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Babylon/Babylon RAT.exe
Size

6.7MB
MD5

aecdce1d7e2a637d1dcacd2b4580487b
SHA1

d5cd12f7a18d6777c9ec8458694aa3a74fd23701
SHA256

9157a48c53ca7a4543bac5b771886c87ea407bab6bbb053b50bc22709111d572
SHA512

8bb5ad64f1b2e75e47c4671396a713018c74c44e84803887c6b4a200ea85f4c020ccfe15211af3899cdcf9d0f46ef994bfd939e462f61062044874f7a64d7a35
SSDEEP

98304:KbldsCQTcsBL54TRRTk3w0ZIWoPzSSosDlh7OLifNLxu2UVaCS2e7Csb6j9cgl36:GnPsHqRwvoPzSSosDlhCKzi9/2BO4T

Score

10^/10

babylonrat trojan upx

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Babylon RAT.exe

Executes dropped EXE 8 IoCs

pid	Process
228	upx.exe
2968	ma.exe
2760	ma.exe
4820	ma.exe
2652	ma.exe
3652	ma.exe
2500	ma.exe
1620	ma.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000023431-20.dat	upx
behavioral1/memory/228-27-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral1/memory/228-34-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral1/files/0x000900000002343d-35.dat	upx
behavioral1/memory/2968-37-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/2968-40-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/2760-52-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/2968-85-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/4820-97-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/4820-99-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/2652-101-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/2652-103-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/2968-105-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/3652-106-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/2500-108-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/1620-110-0x0000000000880000-0x0000000000949000-memory.dmp	upx
behavioral1/memory/2968-111-0x0000000000880000-0x0000000000949000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 55 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Babylon RAT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Babylon RAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000b453dc33d697da01b863d335d697da0199f30637d697da0114000000	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Babylon RAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Babylon RAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Babylon RAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Babylon RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Babylon RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Babylon RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Babylon RAT.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2012	Babylon RAT.exe
2968	ma.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2968	ma.exe
Token: SeDebugPrivilege	2968	ma.exe
Token: SeTcbPrivilege	2968	ma.exe
Token: SeShutdownPrivilege	2760	ma.exe
Token: SeDebugPrivilege	2760	ma.exe
Token: SeTcbPrivilege	2760	ma.exe
Token: SeShutdownPrivilege	4820	ma.exe
Token: SeDebugPrivilege	4820	ma.exe
Token: SeTcbPrivilege	4820	ma.exe
Token: SeShutdownPrivilege	2652	ma.exe
Token: SeDebugPrivilege	2652	ma.exe
Token: SeTcbPrivilege	2652	ma.exe
Token: SeShutdownPrivilege	3652	ma.exe
Token: SeDebugPrivilege	3652	ma.exe
Token: SeTcbPrivilege	3652	ma.exe
Token: SeShutdownPrivilege	2500	ma.exe
Token: SeDebugPrivilege	2500	ma.exe
Token: SeTcbPrivilege	2500	ma.exe
Token: SeShutdownPrivilege	1620	ma.exe
Token: SeDebugPrivilege	1620	ma.exe
Token: SeTcbPrivilege	1620	ma.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2012	Babylon RAT.exe
2012	Babylon RAT.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2012	Babylon RAT.exe
2012	Babylon RAT.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2012	Babylon RAT.exe
2012	Babylon RAT.exe
2968	ma.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 228	2012	Babylon RAT.exe	109
PID 2012 wrote to memory of 228	2012	Babylon RAT.exe	109
PID 2012 wrote to memory of 228	2012	Babylon RAT.exe	109

C:\Users\Admin\AppData\Local\Temp\Babylon\Babylon RAT.exe
"C:\Users\Admin\AppData\Local\Temp\Babylon\Babylon RAT.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\Babylon\upx.exe
  "C:\Users\Admin\AppData\Local\Temp\Babylon\upx.exe" "C:\Users\Admin\Desktop\ma.exe"
  2⤵
  - Executes dropped EXE
  PID:228

C:\Users\Admin\Desktop\ma.exe
"C:\Users\Admin\Desktop\ma.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Users\Admin\Desktop\ma.exe
"C:\Users\Admin\Desktop\ma.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Users\Admin\Desktop\ma.exe
"C:\Users\Admin\Desktop\ma.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Users\Admin\Desktop\ma.exe
"C:\Users\Admin\Desktop\ma.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Users\Admin\Desktop\ma.exe
"C:\Users\Admin\Desktop\ma.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Users\Admin\Desktop\ma.exe
"C:\Users\Admin\Desktop\ma.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Users\Admin\Desktop\ma.exe
"C:\Users\Admin\Desktop\ma.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Babylon\upx.exe

Filesize
298KB

MD5
e9eacbb7ab4b3f66019e0a2f13a1dba9

SHA1
ae30894b29e52bf04afc4a54795d438fb910acff

SHA256
0c3dc789d0a46493bd097526b920d913d930d96b1052cb331eec3ac560c89996

SHA512
925445d20c93c65a282fc59f773551d824bff1f8e2623fd8ea0c587831a9550c400f121defb3d82c8f0401903fa69e3154dc98e29688d02af1d5d01247914a06

Download Submit
C:\Users\Admin\Desktop\ma.exe

Filesize
355KB

MD5
98fbfd5fffa61172bbfc5351a5b7afa3

SHA1
5337438a1fa8b159c8cfa45a843808a1d890da51

SHA256
6dc8b6bc75ec5cf7714f1cb4ac8d006dc03dc74a9d84dd262e0bcc5673e52149

SHA512
3506e3346232123a1f9fc3db8e953c60632abd70e875a219fa29fca006d4fa0271cacaac81642b60029460aee95c1d764212f3ea1c420ea8191f941e93a14815

Download Submit
C:\Users\Admin\Desktop\ma.exe

Filesize
733KB

MD5
1e5076ee7d1317358f615c32a81aabdb

SHA1
a65f92776654769968118839526d6f0ffe7fde90

SHA256
b6f33eb15b2a4488cf96103cf282d1321c13ef8f5095fb0898070a5ecf25f139

SHA512
10e4a9f98abafa19617c6da49d34dd2a0c303e44bff73e3dcb7b47da5c5ed019db379b5b1e3f49f943b3bc1638fed53e28b768229985850f0c9481783b7482f2

Download Submit
memory/228-34-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/228-27-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1620-110-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/2012-6-0x0000000007E00000-0x0000000007E1E000-memory.dmp

Filesize
120KB

Download
memory/2012-26-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2012-8-0x00000000095E0000-0x000000000967C000-memory.dmp

Filesize
624KB

Download
memory/2012-9-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2012-10-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/2012-11-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2012-12-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2012-13-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2012-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/2012-7-0x0000000008870000-0x00000000088DC000-memory.dmp

Filesize
432KB

Download
memory/2012-5-0x0000000007D90000-0x0000000007D9A000-memory.dmp

Filesize
40KB

Download
memory/2012-4-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2012-3-0x0000000007C00000-0x0000000007C92000-memory.dmp

Filesize
584KB

Download
memory/2012-2-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/2012-1-0x0000000000650000-0x0000000000D12000-memory.dmp

Filesize
6.8MB

Download
memory/2012-74-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2500-108-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/2652-103-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/2652-101-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/2760-52-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/2968-45-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-69-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-48-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-49-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-42-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-54-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-55-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-57-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-58-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-60-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-61-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-63-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-64-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-66-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-67-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-46-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-70-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-72-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-41-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-85-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/2968-111-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/2968-37-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/2968-40-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/2968-39-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/2968-105-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/2968-38-0x000000006DF60000-0x000000006DF99000-memory.dmp

Filesize
228KB

Download
memory/3652-106-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/4820-99-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download
memory/4820-97-0x0000000000880000-0x0000000000949000-memory.dmp

Filesize
804KB

Download