58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e

Resubmissions

28-03-2023 06:27

230328-g7rzxsbb5z 7

28-03-2023 06:24

230328-g6ctlshd29 7

Analysis

max time kernel
596s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virus.exe
Size

315KB
MD5

0be23ddaec11bb1e64f2f54d4505cbcd
SHA1

24dce5a1b78c691f57d20de2afe00af2f88c1bb5
SHA256

58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e
SHA512

5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879
SSDEEP

6144:elNBW0lmEWfK8OZn05Wm6wFBDpomqTVg+e67YCkxLr3DI3NoAcs:ent8OZQBDDpsyfFr3Io

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

client.execlient.exe

pid process

4992 client.exe
2128 client.exe

pid	process
4992	client.exe
2128	client.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4936-133-0x0000000000950000-0x00000000009CE000-memory.dmp	upx
C:\ProgramData\Babylon RAT\client.exe	upx
C:\ProgramData\Babylon RAT\client.exe	upx
behavioral2/memory/4936-139-0x0000000000950000-0x00000000009CE000-memory.dmp	upx
behavioral2/memory/4992-140-0x00000000002C0000-0x000000000033E000-memory.dmp	upx
C:\ProgramData\Babylon RAT\client.exe	upx
behavioral2/memory/2128-142-0x00000000002C0000-0x000000000033E000-memory.dmp	upx
behavioral2/memory/4992-144-0x00000000002C0000-0x000000000033E000-memory.dmp	upx
behavioral2/memory/4992-157-0x00000000002C0000-0x000000000033E000-memory.dmp	upx
behavioral2/memory/4992-159-0x00000000002C0000-0x000000000033E000-memory.dmp	upx
behavioral2/memory/4992-161-0x00000000002C0000-0x000000000033E000-memory.dmp	upx
behavioral2/memory/4992-163-0x00000000002C0000-0x000000000033E000-memory.dmp	upx
behavioral2/memory/1372-173-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1372-175-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1372-176-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1372-180-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1372-183-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4992-186-0x00000000002C0000-0x000000000033E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

virus.execlient.execlient.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	virus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	virus.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

client.exe

description pid process target process

PID 4992 set thread context of 1372 4992 client.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

1372 svchost.exe
1372 svchost.exe

description	pid	process	target process
PID 4992 set thread context of 1372	4992	client.exe	svchost.exe

pid	process
1372	svchost.exe
1372	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

virus.execlient.execlient.exe

description	pid	process
Token: SeShutdownPrivilege	4936	virus.exe
Token: SeDebugPrivilege	4936	virus.exe
Token: SeTcbPrivilege	4936	virus.exe
Token: SeShutdownPrivilege	4992	client.exe
Token: SeDebugPrivilege	4992	client.exe
Token: SeTcbPrivilege	4992	client.exe
Token: SeShutdownPrivilege	2128	client.exe
Token: SeDebugPrivilege	2128	client.exe
Token: SeTcbPrivilege	2128	client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

client.exe

pid process

4992 client.exe
4992 client.exe

pid	process
4992	client.exe
4992	client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

virus.execlient.execlient.exe

description	pid	process	target process
PID 4936 wrote to memory of 4964	4936	virus.exe	cmd.exe
PID 4936 wrote to memory of 4964	4936	virus.exe	cmd.exe
PID 4936 wrote to memory of 4964	4936	virus.exe	cmd.exe
PID 4936 wrote to memory of 4992	4936	virus.exe	client.exe
PID 4936 wrote to memory of 4992	4936	virus.exe	client.exe
PID 4936 wrote to memory of 4992	4936	virus.exe	client.exe
PID 4992 wrote to memory of 2104	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 2104	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 2104	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 2128	4992	client.exe	client.exe
PID 4992 wrote to memory of 2128	4992	client.exe	client.exe
PID 4992 wrote to memory of 2128	4992	client.exe	client.exe
PID 4992 wrote to memory of 2896	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 2896	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 2896	4992	client.exe	cmd.exe
PID 2128 wrote to memory of 3424	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 3424	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 3424	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 216	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 216	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 216	2128	client.exe	cmd.exe
PID 4992 wrote to memory of 3656	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 3656	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 3656	4992	client.exe	cmd.exe
PID 2128 wrote to memory of 3132	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 3132	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 3132	2128	client.exe	cmd.exe
PID 4992 wrote to memory of 4160	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 4160	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 4160	4992	client.exe	cmd.exe
PID 2128 wrote to memory of 4568	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 4568	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 4568	2128	client.exe	cmd.exe
PID 4992 wrote to memory of 1672	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 1672	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 1672	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 4268	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 4268	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 4268	4992	client.exe	cmd.exe
PID 2128 wrote to memory of 4776	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 4776	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 4776	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 3488	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 3488	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 3488	2128	client.exe	cmd.exe
PID 4992 wrote to memory of 5052	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 5052	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 5052	4992	client.exe	cmd.exe
PID 2128 wrote to memory of 4848	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 4848	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 4848	2128	client.exe	cmd.exe
PID 4992 wrote to memory of 3496	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 3496	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 3496	4992	client.exe	cmd.exe
PID 2128 wrote to memory of 4320	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 4320	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 4320	2128	client.exe	cmd.exe
PID 4992 wrote to memory of 3744	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 3744	4992	client.exe	cmd.exe
PID 4992 wrote to memory of 3744	4992	client.exe	cmd.exe
PID 2128 wrote to memory of 620	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 620	2128	client.exe	cmd.exe
PID 2128 wrote to memory of 620	2128	client.exe	cmd.exe
PID 4992 wrote to memory of 2792	4992	client.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\virus.exe
"C:\Users\Admin\AppData\Local\Temp\virus.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
2⤵
PID:4964

C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2104

C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe" 4992
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:380

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:800

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3772

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:456

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:3380

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
4⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3732

\??\c:\Windows\SysWOW64\svchost.exe
c:\Windows\System32\svchost.exe /sxml ӈБӳӊӅ
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3096

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:664

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3312

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:312

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:732

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier
3⤵
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Babylon RAT\client.exe
Filesize
315KB

MD5
0be23ddaec11bb1e64f2f54d4505cbcd

SHA1
24dce5a1b78c691f57d20de2afe00af2f88c1bb5

SHA256
58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e

SHA512
5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879

Download Submit
C:\ProgramData\Babylon RAT\client.exe
Filesize
315KB

MD5
0be23ddaec11bb1e64f2f54d4505cbcd

SHA1
24dce5a1b78c691f57d20de2afe00af2f88c1bb5

SHA256
58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e

SHA512
5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879

Download Submit
C:\ProgramData\Babylon RAT\client.exe
Filesize
315KB

MD5
0be23ddaec11bb1e64f2f54d4505cbcd

SHA1
24dce5a1b78c691f57d20de2afe00af2f88c1bb5

SHA256
58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e

SHA512
5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879

Download Submit
C:\Users\Admin\AppData\Local\Temp\ӈБӳӊӅ
Filesize
2KB

MD5
f40fb07f65b9d2f5ea1302bfef66b0e1

SHA1
9e57421423e521349ba5955c17c462ea1fc1cf14

SHA256
51d781ce6bc68190b7ae3cfec3d95d6a02e2a08863a8978ba134239528e506f4

SHA512
f549f83872df239c4215415ec6bcb0e159eb0a84eb5b1889780bfe12804075a445291d97c1e1405278af691a8b330ab31942d353b65e4cad85aef66c06c10426

Download Submit
C:\Users\Admin\AppData\Local\Temp\ӈБӳӊӅ
Filesize
2KB

MD5
f40fb07f65b9d2f5ea1302bfef66b0e1

SHA1
9e57421423e521349ba5955c17c462ea1fc1cf14

SHA256
51d781ce6bc68190b7ae3cfec3d95d6a02e2a08863a8978ba134239528e506f4

SHA512
f549f83872df239c4215415ec6bcb0e159eb0a84eb5b1889780bfe12804075a445291d97c1e1405278af691a8b330ab31942d353b65e4cad85aef66c06c10426

Download Submit
memory/1372-173-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1372-175-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1372-183-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1372-176-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1372-180-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2128-142-0x00000000002C0000-0x000000000033E000-memory.dmp

Filesize
504KB

Download
memory/4936-133-0x0000000000950000-0x00000000009CE000-memory.dmp

Filesize
504KB

Download
memory/4936-139-0x0000000000950000-0x00000000009CE000-memory.dmp

Filesize
504KB

Download
memory/4992-222-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-239-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-159-0x00000000002C0000-0x000000000033E000-memory.dmp

Filesize
504KB

Download
memory/4992-161-0x00000000002C0000-0x000000000033E000-memory.dmp

Filesize
504KB

Download
memory/4992-151-0x0000000074620000-0x0000000074659000-memory.dmp

Filesize
228KB

Download
memory/4992-148-0x0000000074620000-0x0000000074659000-memory.dmp

Filesize
228KB

Download
memory/4992-145-0x0000000074620000-0x0000000074659000-memory.dmp

Filesize
228KB

Download
memory/4992-144-0x00000000002C0000-0x000000000033E000-memory.dmp

Filesize
504KB

Download
memory/4992-143-0x0000000074620000-0x0000000074659000-memory.dmp

Filesize
228KB

Download
memory/4992-163-0x00000000002C0000-0x000000000033E000-memory.dmp

Filesize
504KB

Download
memory/4992-169-0x0000000074620000-0x0000000074659000-memory.dmp

Filesize
228KB

Download
memory/4992-186-0x00000000002C0000-0x000000000033E000-memory.dmp

Filesize
504KB

Download
memory/4992-190-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-193-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-196-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-199-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-201-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-204-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-207-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-210-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-213-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-216-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-219-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-140-0x00000000002C0000-0x000000000033E000-memory.dmp

Filesize
504KB

Download
memory/4992-225-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-227-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-230-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-233-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-236-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-157-0x00000000002C0000-0x000000000033E000-memory.dmp

Filesize
504KB

Download
memory/4992-242-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-245-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-247-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-250-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-253-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-256-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-259-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-262-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-265-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-268-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-271-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-273-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-276-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-279-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-282-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-285-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-288-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-291-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-294-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-296-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-302-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-305-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-308-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-309-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-312-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-315-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-318-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-320-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download
memory/4992-324-0x0000000074610000-0x0000000074649000-memory.dmp

Filesize
228KB

Download
memory/4992-326-0x0000000074640000-0x0000000074679000-memory.dmp

Filesize
228KB

Download