babylonrat | 2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

Analysis

max time kernel
96s
max time network
160s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
02-02-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoClicker-3.0.exe
Size

844KB
MD5

7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1

1751d9389adb1e7187afa4938a3559e58739dce6
SHA256

2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512

cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
SSDEEP

12288:GaWzgMg7v3qnCiWErQohh0F49CJ8lnybQg9BFg9UmTRHlM:BaHMv6CGrjBnybQg+mmhG

Score

10^/10

babylonrat zgrat rat trojan

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Detect ZGRat V1 36 IoCs

resource	yara_rule
behavioral1/memory/424-180-0x000002797A980000-0x000002797AEF4000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-182-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-183-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-189-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-191-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-193-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-195-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-187-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-197-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-185-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-199-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-201-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-203-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-205-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-207-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-209-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-213-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-211-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-215-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-217-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-219-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-221-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-223-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-225-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-227-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-229-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-231-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-235-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-241-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-239-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-245-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-243-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-237-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/424-233-0x000002797A980000-0x000002797AEEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1124-1154-0x00000216F90D0000-0x00000216F91D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/4740-2311-0x0000023250540000-0x0000023250644000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2956	3928	WerFault.exe	96
3472	4728	WerFault.exe	108
1952	4348	WerFault.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\dl0mq1xf87p2xgo0.zip:Zone.Identifier	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3116	AutoClicker-3.0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	firefox.exe
Token: SeDebugPrivilege	2612	firefox.exe
Token: SeDebugPrivilege	2612	firefox.exe
Token: SeDebugPrivilege	424	Babylon RAT.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2612	firefox.exe
2612	firefox.exe
2612	firefox.exe
2612	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2612	firefox.exe
2612	firefox.exe
2612	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2612	firefox.exe
2612	firefox.exe
2612	firefox.exe
2612	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 644 wrote to memory of 2612	644	firefox.exe	81
PID 2612 wrote to memory of 1980	2612	firefox.exe	82
PID 2612 wrote to memory of 1980	2612	firefox.exe	82
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 400	2612	firefox.exe	83
PID 2612 wrote to memory of 3000	2612	firefox.exe	84
PID 2612 wrote to memory of 3000	2612	firefox.exe	84
PID 2612 wrote to memory of 3000	2612	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe
"C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:644
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.0.862638658\1528902155" -parentBuildID 20221007134813 -prefsHandle 1760 -prefMapHandle 1740 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c986f19b-7474-4f62-9ad6-79bea4d05ee2} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 1840 16294bdac58 gpu
    3⤵
    PID:1980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.1.1291692164\555994470" -parentBuildID 20221007134813 -prefsHandle 2208 -prefMapHandle 2204 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b23abfd6-b893-4033-9e32-fd751e319165} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 2216 16288b72b58 socket
    3⤵
    PID:400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.2.294906811\1615402105" -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3020 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bc6a0c4-2b1a-4bd0-a076-deae6c51de37} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 3056 16294b5ed58 tab
    3⤵
    PID:3000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.3.1298273354\332775792" -childID 2 -isForBrowser -prefsHandle 3388 -prefMapHandle 3384 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa2bd96b-2938-4ba2-b292-2ce73cfeb9e2} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 3396 16288b67558 tab
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.4.2165377\804084040" -childID 3 -isForBrowser -prefsHandle 4044 -prefMapHandle 4040 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4a3ba23-8a1d-4335-842d-d90d806826cf} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 4056 1629b1e6358 tab
    3⤵
    PID:5052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.5.795923903\447660284" -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 5080 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6897365-e660-42d1-bd3b-830d2ee62c9e} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 5096 1629bff6b58 tab
    3⤵
    PID:4824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.6.17562803\1553816492" -childID 5 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32f84e1a-bf63-4b13-a4af-ea49221f8a89} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 5128 1629c22bc58 tab
    3⤵
    PID:4944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.7.135093971\2069945373" -childID 6 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d6a105f-d2c6-4a57-a5ad-09cc390dad81} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 5444 1629c22c258 tab
    3⤵
    PID:5020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.8.168092477\1075376302" -childID 7 -isForBrowser -prefsHandle 5692 -prefMapHandle 4552 -prefsLen 26379 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcab88f8-ed2d-4688-8032-5a25e67d34ce} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 3956 1629501a558 tab
    3⤵
    PID:4024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4104

C:\Users\Admin\Desktop\Babylon 1.6.0.0\Babylon RAT.exe
"C:\Users\Admin\Desktop\Babylon 1.6.0.0\Babylon RAT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:424
- C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe
  "C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1140
    3⤵
    - Program crash
    PID:2956
- C:\Users\Admin\Desktop\Babylon 1.6.0.0\Babylon RAT.exe
  "C:\Users\Admin\Desktop\Babylon 1.6.0.0\Babylon RAT.exe"
  2⤵
  PID:1124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABCAGEAYgB5AGwAbwBuACAAMQAuADYALgAwAC4AMABcAEIAYQBiAHkAbABvAG4AIABSAEEAVAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQgBhAGIAeQBsAG8AbgAgAFIAQQBUAC4AZQB4AGUAOwA=
  2⤵
  PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3928 -ip 3928
1⤵
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVAB5AHAAZQBJAGQAXABOAGEAbQBlAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZABcAE4AYQBtAGUALgBlAHgAZQA=
1⤵
PID:1464

C:\Users\Admin\AppData\Roaming\TypeId\Name.exe
C:\Users\Admin\AppData\Roaming\TypeId\Name.exe
1⤵
PID:2236

C:\Users\Admin\Desktop\Babylon 1.6.0.0\Babylon RAT.exe
"C:\Users\Admin\Desktop\Babylon 1.6.0.0\Babylon RAT.exe"
1⤵
PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABCAGEAYgB5AGwAbwBuACAAMQAuADYALgAwAC4AMABcAEIAYQBiAHkAbABvAG4AIABSAEEAVAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQgBhAGIAeQBsAG8AbgAgAFIAQQBUAC4AZQB4AGUAOwA=
  2⤵
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe
  "C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1108
    3⤵
    - Program crash
    PID:3472
- C:\Users\Admin\Desktop\Babylon 1.6.0.0\Babylon RAT.exe
  "C:\Users\Admin\Desktop\Babylon 1.6.0.0\Babylon RAT.exe"
  2⤵
  PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4728 -ip 4728
1⤵
PID:1444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
1⤵
PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAE0AUwBCAHUAaQBsAGQALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAE0AUwBCAHUAaQBsAGQALgBlAHgAZQA7AA==
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:792
- C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe
  "C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"
  2⤵
  PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1108
1⤵
- Program crash
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4348 -ip 4348
1⤵
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Babylon RAT.exe.log

Filesize
1KB

MD5
6766a7cc8b7039bf7f32b9e4a63b7f4d

SHA1
8eb95e170a3dc512589a12ec936989d7d3bb86e4

SHA256
14c0bf2c6febb71441fe2b1a04934a00d49aeee1bf2d9f21452cba57ade2fd0a

SHA512
636e1091399f101f8494936489fb605ae91d542639b4704d5f541a64dffb320960c676c730bca2a835ab70c9feed517b87efa9390f7cb06c73fde50d7a75d331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
16921802f2a7f32b66433ddae49745ef

SHA1
af3e7fa5a074f9001b363ac25b36e4e9acd9d7bb

SHA256
ed7237905686e355223cb1794594d0fe78fc773b47f140ccbb20eeda3e261a12

SHA512
6e95eea333454fe06f6bfddca8053c92879addb561aabefe2fdacec9fe924592db0d9db76fd097c08714c6276d28e42b6f5e0f6cee2b288b6c0598846fdc738d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b26e5bedfb520c4c341b64a636b83fe1

SHA1
991188792f4778e59ff166007bebc549107128dc

SHA256
34836bf15fe6bf8a0903f9065338c160ea03b4f26d1217dd0c294fec4a7feafb

SHA512
b93c4eb59fffdc7ba829442156b5af536d4865362a2abecef717ed92612e2e14c10a702f25bb2a1ed0b43dcdbd2e62ef7bfdf6d435c21fc06873d9a4642efd7b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\cache2\doomed\14947

Filesize
21KB

MD5
511794e33b92b5454fa00c5eebc3d432

SHA1
6c0679217205d8b5d790ae4eb730cbb9e866e2c9

SHA256
65069f79925b5e20ae6e946cb9533fb75b8705b5fab8e367bab2916c59b310b3

SHA512
ab0e44ddf5363eb753812bd31c317facfe09a052eed5c539ccd0eb05e82a9eab824e254b47c9835987440e9c0e4a3ae25783ae6a567f7f87bb9df997af951a10

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\cache2\doomed\31499

Filesize
85KB

MD5
3bf57825e02ab1661030e6186fe5b471

SHA1
adf97eb41be364c738866dbc0e8699422bbc0e65

SHA256
d75fe429fab82f57b0717699b923b984058b06002a1ee60795c1ce3f4862586b

SHA512
4fa24eee3ba7fe1cb0630570687775fd48aea53a6d05179169265c6002ab83c4f150ac1c53e704fc22354ebd0136e13f3d1726f3dffe539f0435342b4ed9c549

Download Submit
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe

Filesize
162KB

MD5
e73fb3afdec94825e334c6b511834f9d

SHA1
9edae42d76550bff8e52250b6b8402bd63df2646

SHA256
abb5117d607d8be32dd6333cecac422c64556290ab1f2bb9b980d51e765d7b83

SHA512
a299bcf4ba3cdd050b40d806ca200fd6b84aa2c53d695d4dd7950c9ac7d8c3af0523f762d635990944cb7abf04acb22a85c4be874925acae757ebaad7ec0883a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe

Filesize
281KB

MD5
81a0a3ff060d9d3007610914a1b6bee0

SHA1
41ef56580e7744045b5491320c3661b1d1c1ec82

SHA256
4946ed2ddec16b10cc0cf119a935cdd6c96ea678a23bf5cc742bd3611fa7eeeb

SHA512
8eb2964ff12744015670dc7f48c57adf8403be03d03b938ed8dae231e142403d8441423cb94f9d142c23c5e86f8f98ff24b1226d15b69991f53383716d214b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe

Filesize
401KB

MD5
2cbe3e812283a67e3ad537af84e8332f

SHA1
38c723d118df7c074a53ac88e6196dfc09da1606

SHA256
87dd4e718f3163cd41df8ef1520d1b1066d332828ab2ca7c5824f3548c378731

SHA512
030d989b65a53f61e4d57d24e691c8b25aecf296b12c57c23b2ce4748e2c2cb2cb2d727bfef0778008ed6e7278d013529b8ea38b541237d16985154a8d07dcd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe

Filesize
285KB

MD5
0f903b9d5af245848a4ee01a9141e9f5

SHA1
6d6046a6b625c569b1110b3f4009b906d27603d2

SHA256
efcc034d7c27678b656d73301d935a026ac87bb66d0b6611b3b83711494b808f

SHA512
0a22cbfd73342084047198e2b1f16c00efdc464b4a05e17f294c4bc0cceeb0827d09cd0a9008aaa5db60df4df16841567967ae4e3ef96c9dc7f72c5731315406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe

Filesize
116KB

MD5
3ab9db6eb933890e3ef38f90b0fbb272

SHA1
a5611fe976cb86b625bb2a552dd9903b0dcb5283

SHA256
febb80bdc5ac1d33a72f81862d72008bae2186d961dabd9a8e41649fa34ae932

SHA512
9fa47ca06897101dbf84258237e97fea53aa5e3c1bb7cbff79e0331d8981e3966ea669379781590213092669ad607c98ea161976f882b430421dead005de36bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe

Filesize
290KB

MD5
46ce84d8418d4ea9f4f6a981832c6f31

SHA1
107d6fd1a7ea4e14644451b48054af2fe8233cc5

SHA256
830eef0f7d6f2a5d3be35814acf5b70148c7551f0b986b55632e20ac39145ab3

SHA512
ecc2ec3ba7c3efb485d20898e9ebe7931902a90330020678a3ee1019c4833f01cfb8f024189a43bdb9bf893284d209b8a0d5a95143f7d857b1504171c3fc5345

Download Submit
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe

Filesize
1KB

MD5
c3a170b6523f7e5e33fdc2629eaf610a

SHA1
7a71a368283b974110dea5495fc29d8c23afca0f

SHA256
bc6cc5504b3b39ab4b3390bd8f426dc2b858bb18ae3c70fe5f724d4befd0d3ef

SHA512
dd901e13377ff7e2099dcda024ebdc4a653c98e4f87dac467e5f1e4f550baa280229f267d3c206b290ca044621534ad05908bd1b2c2129d931357a6cf7b5dd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ghbfwwh0.0e2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
3e64a3d57661ac014f57261cb0f32c15

SHA1
94c116beb5a3213e99d4dcf97a1c2478cac6c514

SHA256
7166ebc12ef20f3c3694195b7531bf0c568e9fa7578881fce384b1fd79595e2b

SHA512
3acbd6ce96b265feb55c85726b0fc65799664ad11ac6dd31fe4d95a1273d724b981ea3b237a9b38f99d486ef5f87dfa29b96a02d8ab1be8198a8cde1e1ec6fd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\datareporting\glean\pending_pings\14b5ee63-43fe-4c91-aaa0-75f8f40c8cb0

Filesize
10KB

MD5
27fb246043bdb1ab3c689d9b9f613490

SHA1
7d08d126f52ba59e85e96df17e14d12365b31a4f

SHA256
1a502d6247937ff6a0aad18980aed664d3a36040b2cd47a2dfc3c447eb8b61ca

SHA512
f93818e07621ed2f839b14ccebe937fc8924d9f60b13360ea79a226e993eb0e19da7530bf7e2caec3816bacbeff354042c85de4ecce0a33a511b33084177bd88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\datareporting\glean\pending_pings\387a8759-9d87-4f0f-bffe-d7f98a235f86

Filesize
746B

MD5
89784977375decbeeb2d0b4aecf33d6c

SHA1
a482a0c77f22696f1acbd18ea6ef3833b4e7595c

SHA256
444d5e2c377d1c9f3d0a6fae47b6ab27fb39bd02fe634b9120f2c52cd9fd8838

SHA512
d9d224204febdced2e1235efc41d75b7db79e55fed9bc208618f2718286cba9f20f397fa6cfb27a98d324c20bd2dcd7ae41a7a7b3a4ef62d613e88c0805ba988

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\prefs-1.js

Filesize
6KB

MD5
543f60afba8c28d1afcb0023bdce64e7

SHA1
6cd951f0fee7277592e8a55f4af70c847ec5d819

SHA256
7e0e6936b2f87defe1f10f48df16ad34ed734f406f69181271bb15439a7c1647

SHA512
83bea6168a94537f724645622a6bbea15b602a1ee1273fcef74e7b98274b7e8d84c4fcf9d0ef898bbfa8c1eb1e620baf8176cf06962ce9f05856c0a2979651ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
4b9c411c159838a90b313534053905d8

SHA1
a75437bb7c3d0bf0023620a5d4215a2611c9b6b1

SHA256
746c46f3f2cabf94e5e57062b8b3a6487dd6147cc5d181c58ea405f5bf418be6

SHA512
fad14303bd388a3edd50be4d61cc64a0159862e19869891e04a640701d726b5edd3ff5608d1c6c7aeec8be30a30abc2cb48ef5dec7a9c5021dde740f945d19be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
20a16295449b4260ce5efd92c5d408cf

SHA1
8de064bf38d66b644385b01af44ebf358bb068fa

SHA256
8e9ede2d168943ecb888e6eba3d5d60b27f9dcc021cb3bfb98998804851bba3a

SHA512
d7616cdd8e7a509541f9d27cd5792e35498deeb3534d5d2e1382d53e5bf6751d47f89fc494d85cbc7c6d04959be42441721af7f823acfbd1534e52e7866fd25f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
09fd8cffefc8c859a65f8a96b1e39e59

SHA1
ced9b877c2d16eabb045959fad926eb14396b867

SHA256
175b59f68e15988848b5b71e7e86e9e49a72d0f2b802cf5beb2e4f6a861fb2d2

SHA512
0b4fdb871c9fa512620d811b7e9b9954c835e05ada38ea639cc1889c1f1c8412d1a9a64aebf28e33078dfe93ffca6ef9b250cc9d9e19f39f5d99c3d1a927c9c0

Download Submit
C:\Users\Admin\AppData\Roaming\TypeId\Name.exe

Filesize
576KB

MD5
0c633f896f6ff598c44acdc01202927e

SHA1
8f5299411aa5a632be54980ee5f0f0d176e7e71f

SHA256
78fcc0adb9bdef03c9948cf32afb8b2891941414a7e45294e6e9ec629ec133a5

SHA512
33bb763da6593146b64dcba6eb2e5262b6bc8a5a3a5d1a57463b8d774f76885dedf534e300c663b0989e46a9d534e2abb895bd05ebd7d6c9d2de694ed9fa0602

Download Submit
C:\Users\Admin\AppData\Roaming\TypeId\Name.exe

Filesize
693KB

MD5
323a02f81a45c4e7a5a1a59ebf6ca624

SHA1
31e36fe6d34d0fe5de3658e6935a4d51bd790370

SHA256
98d108a22c37de79360e2a8389f55987ef52bcc789fcd4f0f25d196a9b898917

SHA512
eb5380192ffc905ce195e37fe06bdcf3bc9360acd0a5a85b6890cbd34a26a4d135aad573d63ba2db940e3570ab54b8562e9d5c2cd3a4968b5f8e212265254577

Download Submit
C:\Users\Admin\Downloads\dl0mq1xf87p2xgo0.hEfbwAjY.zip.part

Filesize
126KB

MD5
9bff5a1c21eb77ac955ec0586c7988df

SHA1
7dd638548102a423c75b2904b3a9579f08da988d

SHA256
5822468d2d989a45ccccda2f13527916b1dd212d4289d80a9f4576fb651a8a98

SHA512
e02c49ce5c588f63b73d4835c3f72e6763f7ce517c332cda89d72d394a4eb288a5569c8daaaf80703363637165aea93f3ea0dd87cb4b83b6b895dad626a6bac8

Download Submit
memory/424-193-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-1120-0x0000027960740000-0x0000027960741000-memory.dmp

Filesize
4KB

Download
memory/424-209-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-213-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-211-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-215-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-217-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-219-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-221-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-223-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-225-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-227-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-229-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-231-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-235-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-241-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-239-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-245-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-243-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-237-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-233-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-207-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-1119-0x0000027962210000-0x0000027962220000-memory.dmp

Filesize
64KB

Download
memory/424-1122-0x0000027960760000-0x00000279607AC000-memory.dmp

Filesize
304KB

Download
memory/424-1121-0x000002797AEF0000-0x000002797B3FA000-memory.dmp

Filesize
5.0MB

Download
memory/424-205-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-203-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-201-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-1152-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/424-179-0x000002795FCF0000-0x00000279602CA000-memory.dmp

Filesize
5.9MB

Download
memory/424-180-0x000002797A980000-0x000002797AEF4000-memory.dmp

Filesize
5.5MB

Download
memory/424-199-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-185-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-197-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-187-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-195-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-191-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-189-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-183-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-182-0x000002797A980000-0x000002797AEEE000-memory.dmp

Filesize
5.4MB

Download
memory/424-181-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/792-3327-0x000001DC63720000-0x000001DC63730000-memory.dmp

Filesize
64KB

Download
memory/792-3325-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/1124-1164-0x00000216E0940000-0x00000216E0996000-memory.dmp

Filesize
344KB

Download
memory/1124-1163-0x00000216DF020000-0x00000216DF028000-memory.dmp

Filesize
32KB

Download
memory/1124-1150-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1124-1154-0x00000216F90D0000-0x00000216F91D4000-memory.dmp

Filesize
1.0MB

Download
memory/1124-1155-0x00000216F91E0000-0x00000216F91F0000-memory.dmp

Filesize
64KB

Download
memory/1124-1157-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/1124-1187-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/1124-1166-0x00000216E09A0000-0x00000216E09F4000-memory.dmp

Filesize
336KB

Download
memory/1464-1180-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/1464-1182-0x000002621C0B0000-0x000002621C0C0000-memory.dmp

Filesize
64KB

Download
memory/1464-1181-0x000002621C0B0000-0x000002621C0C0000-memory.dmp

Filesize
64KB

Download
memory/1464-1184-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/1952-2259-0x000001B3475E0000-0x000001B3475E1000-memory.dmp

Filesize
4KB

Download
memory/1952-2258-0x000001B361900000-0x000001B361910000-memory.dmp

Filesize
64KB

Download
memory/1952-2312-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/1952-1317-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/2116-2284-0x000001786E230000-0x000001786E240000-memory.dmp

Filesize
64KB

Download
memory/2116-2317-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/2116-2306-0x000001786E230000-0x000001786E240000-memory.dmp

Filesize
64KB

Download
memory/2116-2283-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/2116-2285-0x000001786E230000-0x000001786E240000-memory.dmp

Filesize
64KB

Download
memory/2116-2315-0x000001786E230000-0x000001786E240000-memory.dmp

Filesize
64KB

Download
memory/2236-1191-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/2236-2309-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/2800-3271-0x000002C724880000-0x000002C724881000-memory.dmp

Filesize
4KB

Download
memory/2800-3324-0x000002C73EB70000-0x000002C73EB80000-memory.dmp

Filesize
64KB

Download
memory/2800-3326-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/2800-2329-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/2800-2327-0x000002C73EB70000-0x000002C73EB80000-memory.dmp

Filesize
64KB

Download
memory/3048-3297-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/3048-3317-0x0000020B6E950000-0x0000020B6E960000-memory.dmp

Filesize
64KB

Download
memory/3048-3299-0x0000020B6E950000-0x0000020B6E960000-memory.dmp

Filesize
64KB

Download
memory/3928-1162-0x00000000084D0000-0x0000000008562000-memory.dmp

Filesize
584KB

Download
memory/3928-1160-0x00000000089E0000-0x0000000008F86000-memory.dmp

Filesize
5.6MB

Download
memory/3928-1165-0x0000000005A10000-0x0000000005A1A000-memory.dmp

Filesize
40KB

Download
memory/3928-1151-0x0000000074960000-0x0000000075111000-memory.dmp

Filesize
7.7MB

Download
memory/3928-1156-0x0000000000F70000-0x0000000001632000-memory.dmp

Filesize
6.8MB

Download
memory/3928-1167-0x0000000074960000-0x0000000075111000-memory.dmp

Filesize
7.7MB

Download
memory/4108-1136-0x000001D9C0360000-0x000001D9C0382000-memory.dmp

Filesize
136KB

Download
memory/4108-1128-0x000001D9C0350000-0x000001D9C0360000-memory.dmp

Filesize
64KB

Download
memory/4108-1153-0x000001D9C0350000-0x000001D9C0360000-memory.dmp

Filesize
64KB

Download
memory/4108-1123-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/4108-1161-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/4108-1125-0x000001D9C0350000-0x000001D9C0360000-memory.dmp

Filesize
64KB

Download
memory/4108-1144-0x000001D9C0350000-0x000001D9C0360000-memory.dmp

Filesize
64KB

Download
memory/4348-3328-0x00000000082E0000-0x00000000082F0000-memory.dmp

Filesize
64KB

Download
memory/4348-3321-0x0000000074A00000-0x00000000751B1000-memory.dmp

Filesize
7.7MB

Download
memory/4728-2310-0x0000000074A00000-0x00000000751B1000-memory.dmp

Filesize
7.7MB

Download
memory/4728-2318-0x0000000074A00000-0x00000000751B1000-memory.dmp

Filesize
7.7MB

Download
memory/4728-2314-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/4740-2326-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/4740-2311-0x0000023250540000-0x0000023250644000-memory.dmp

Filesize
1.0MB

Download
memory/4740-2313-0x00007FFB6AAD0000-0x00007FFB6B592000-memory.dmp

Filesize
10.8MB

Download
memory/4740-2325-0x0000023250640000-0x0000023250650000-memory.dmp

Filesize
64KB

Download