babylonrat | 3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe
Size

2.3MB
MD5

680aedcf312e4ae1d5929cff6404d047
SHA1

b3199984d0ae28d4b09e31544361d0e693524160
SHA256

3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d
SHA512

eeb2b25c0f6e873ca04546fc19a1000313ea917c098dd18599398f25747349c6e84a7e744bdd1f80c4b70b2243a4e46f7c620c04b46cc74c89348263c20e4b83
SSDEEP

24576:x1r43sfARB7U4kieI1SqjEDKcSrJIvJiu/AxWtn:Pr43o67TrXIqjbcS6vJT6Wtn

Score

10^/10

babylonrat discovery persistence trojan

Malware Config

Extracted

Family

babylonrat

doddyfire.dyndns.org

doddyfire.linkpc.net

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat

Executes dropped EXE 1 IoCs

pid	Process
1704	ComputerBalance.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe
2076	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProcessorDistrict = "C:\\Users\\Admin\\AppData\\Roaming\\ProcessorDistrict\\ComputerBalance.exe"	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 1940	1704	ComputerBalance.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ComputerBalance.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1940	vbc.exe
Token: SeDebugPrivilege	1940	vbc.exe
Token: SeTcbPrivilege	1940	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1940	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1704	2076	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe	31
PID 2076 wrote to memory of 1704	2076	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe	31
PID 2076 wrote to memory of 1704	2076	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe	31
PID 2076 wrote to memory of 1704	2076	3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe	31
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32
PID 1704 wrote to memory of 1940	1704	ComputerBalance.exe	32

C:\Users\Admin\AppData\Local\Temp\3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe
"C:\Users\Admin\AppData\Local\Temp\3004ccb109a29d66697eece46e437bfbd3a78aa801a8eb998d05d8774cc7528d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe
  "C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F

Filesize
834B

MD5
543ff9c4bb3fd6f4d35c0a80ba5533fc

SHA1
e318b6209faeffe8cde2dba71f226d2b161729af

SHA256
40c04d540c3d7d80564f34af3a512036bdd8e17b4ca74ba3b7e45d6d93466bcd

SHA512
6257994ac1ec8b99edcf0d666838a9874031a500adac9383d9b4242edc6c6ffec48f230740d443c1088aa911a36de26e7ce3b97313e3d36b00aede5352a8cf5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_EB45958463869A839B2E6A0ABE8A149F

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A89DFCC31C360BA5CBD616749B1B1C5D

Filesize
73KB

MD5
eff6b1ce59935864f355237dfdd943ab

SHA1
1cfde1e55d8238da9327f683eb47c94d3e8227b4

SHA256
966c51a870f34da72f1c6d0e617848e1e516fa94f040461673f4848e8187a978

SHA512
e718bb98797f10d67eed3fab4d63a5aab5afb627337a2074daa3e794bec7f774ac697892ca3826d02c620559d6d4b96e0a8a09ffa11fa3d41715b4544ddf87cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
404B

MD5
a3b3678712f0cda0bf2d9553784272e1

SHA1
19c82422cdfe0c77d4a1623c677ccd69c9dbe37f

SHA256
d194e49fde1cd87f6128f5d2c9f32a0d09e23488ba7668fb41fa846e9bc60215

SHA512
ad731adf07ab4d369a4ff5c318cc5b81fcfae7f88df45c7d571f628baaa7e2a0423fd26d765d1af9f74dedd17776de5b9139fe23902534662c206dd45f8a8dbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F

Filesize
188B

MD5
518d260eb7623743311d47600cc9f94b

SHA1
540ab6c671f5a7380c3215f59f8bb715a5350522

SHA256
30bbebf07dc4b1c852b35cd234462bffcf22b7d67c7f3f4f57b137a0ed6fbd51

SHA512
b0ee0ad346df7d8e22d5ede22b8b2b7731b2093cad7da942469f450f8ec1a987a9a8a31655138eadd0998bfed87d71baac3f00bfc9b04c50ff1b8091f0aafdaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ddf86991e52415f0ee8e141fbaafcfb

SHA1
cba30cb368e6caaf4ce767bf849011133ea582ff

SHA256
e62c794adc79e732388764751b227e5a24bb023fa620daa13d3c11cd6fd74839

SHA512
d6f6a037a6a8674f9f35756b532a61e7971ba11e73d2511789ae5067e0806e418a6ac69858a0c7be5f157ccd3faa2458c156f8fbbbae425e073bd1cca0c6aa33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3640c84df7f1915d5bfaf4acadefd74b

SHA1
02d487bb31f57a0b179492dda25d6fcea2750b79

SHA256
a456ca8585a1b62f9f5cd56cf46f67ed5233a496060329d7a1b08404f1f2ffc5

SHA512
4696b681326c7b3f9b88c278a85e0b4df5395bde7de171dec586a43093f2b5417741f42bce37a78ee4cb0254f38327020a25c6180efbaab54de7a52331b39338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_EB45958463869A839B2E6A0ABE8A149F

Filesize
394B

MD5
0a3c54672bf5a17589e019e7a6d9348b

SHA1
a98344d47edc92227a355a0f848a7cd7b49ee642

SHA256
cae7c710e3a866f9dac174710a7862d2f58468debe71914fc012ac469ced80fe

SHA512
47c291faba2c7e128c395d84c593a25dff9f685d6d88119573b2fa67ecf06a4be0f07c75b0460dca8ed52d7a401cc11ebea6438ee5abcd7efdd59d134c958af0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A89DFCC31C360BA5CBD616749B1B1C5D

Filesize
170B

MD5
3c86f5ba95c40946ffadc0082be26df6

SHA1
a72237c86891d8f848384448ebc2edff1ee8f846

SHA256
782e647e4d97b771d71fea03f449c5f0bdd854aacec4274d69228287a0620b23

SHA512
f9cab0d5bd8beaa9e866a711fd87d3df1a1c2fbce07c05507a6bdf9ead27647bcd0cca13210d441e19a83ac5d566186327817419000a350df42add075533ac47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
889eee0289eac4326f3e1bed22508268

SHA1
33c986ea7b263c8daed067a44b29446c1bec1546

SHA256
41b1965a5ff6bcb406df9bff360e3ca13e3749eca9eeb55f84bf51817d001c82

SHA512
9b90ca7307d64d0a7a7b804d83dc8d8ee1745c512b346ce2f2a30f27d23da4d259e05fd824589f8708123fce61b8fada53eaf4b32c183b628faf7d5e653ae937

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC6AB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC6CD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe

Filesize
2.3MB

MD5
77a0a99e974dd756a4b641156036b1b2

SHA1
d7d1a8e791f9c49c0cfa01f8b5883c3da24c3feb

SHA256
35332ce2f90536954149b8f4a5aa8c0f4653100703d3991c24c054412061d17d

SHA512
a229b47caeb0a80c98dc6492a47c29f39756bf69ccf417758815f7295f8e47ccab0cf501c736d133080f9b2c2890828e4804465ba8b908ca4f5207a482568ae5

Download Submit
memory/1704-187-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-122-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-120-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-194-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-123-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-188-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1940-193-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1940-199-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1940-198-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1940-195-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1940-192-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1940-190-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1940-189-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1940-191-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2076-108-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-121-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-0-0x00000000740E1000-0x00000000740E2000-memory.dmp

Filesize
4KB

Download
memory/2076-107-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-1-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-9-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads