babylonrat | 4f12d0dba738f2fa84c2facbac90066853b04c160f334ef218906cd3e1c1df2d

Resubmissions

07-02-2024 10:49

240207-mws1qsgaa4 10

07-02-2024 10:31

240207-mkk6rafgg9 10

Analysis

max time kernel
920s
max time network
919s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
07-02-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Babylon 1.5.1.0.zip
Size

127KB
MD5

92f1e77a395bbedf029d0f97011823fe
SHA1

85c019157ec2d5393595b975518d4fe63d636429
SHA256

4f12d0dba738f2fa84c2facbac90066853b04c160f334ef218906cd3e1c1df2d
SHA512

a77444204efa71c932061cadca9748a33fb4cbfa35d564af12496528d68dc2f4c0d9a2d1219790e757fe15c50e6b9b3d90991da7a9c6ddcc541b0a5b23b4babf
SSDEEP

3072:AlfpYYRMBy1cvxCO0BOjS+rzkzZfgIsYnZ3E4hGlt6q8Qi+Snvky2WlZR/AIDuq9:KDuqJtf01VSgE29xxspm0niivuz3Y9SE

Score

10^/10

babylonrat trojan upx

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 7 IoCs

pid	Process
524	upx.exe
4308	upx.exe
684	upx.exe
3220	keynote.exe
1092	keynote.exe
1020	keynote.exe
1544	keynote.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001ad1a-1004.dat	upx
behavioral1/memory/524-1005-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral1/memory/524-1013-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral1/files/0x000600000001ad23-1425.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
118	camo.githubusercontent.com
119	camo.githubusercontent.com
120	camo.githubusercontent.com
123	raw.githubusercontent.com
126	raw.githubusercontent.com
115	camo.githubusercontent.com
116	camo.githubusercontent.com
122	camo.githubusercontent.com
124	raw.githubusercontent.com
125	raw.githubusercontent.com
117	camo.githubusercontent.com
121	camo.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	SearchProtocolHost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	SearchIndexer.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3912	4424	WerFault.exe	92
2460	2376	WerFault.exe	95
4308	2620	WerFault.exe	99

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice\Hash = "y/jvR0KgRSU="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice\Hash = "jDG9WfS+4MY="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.pdf = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Hash = "e5tw/FPHeCE="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.crw = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\UserChoice\Hash = "2R+rgnOcdPk="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice\Hash = "Zku/MXx27FA="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.html = "1"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.M2TS = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice\Hash = "KLfhdtgb1Ls="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.avi = "1"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.mov = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000430206bdb259da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008026c3b0b259da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.MOD = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp\UserChoice\Hash = "UhuXTCk1J2E="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.jpeg = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\OpenWithList	SearchProtocolHost.exe

Modifies registry class 49 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings	Babylon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Babylon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Babylon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000003000000040000000200000000000000ffffffff	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Babylon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Babylon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Babylon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000200000001000000ffffffff	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Babylon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Babylon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Babylon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Babylon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	Babylon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Babylon.exe
Key created	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Babylon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Babylon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Babylon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Babylon.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Babylon 1.5.1.0.zip:Zone.Identifier	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4560	Babylon.exe
2620	Babylon.exe
4284	Babylon.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: 33	3892	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3892	SearchIndexer.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeShutdownPrivilege	3220	keynote.exe
Token: SeDebugPrivilege	3220	keynote.exe
Token: SeTcbPrivilege	3220	keynote.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeShutdownPrivilege	1092	keynote.exe
Token: SeDebugPrivilege	1092	keynote.exe
Token: SeTcbPrivilege	1092	keynote.exe
Token: SeShutdownPrivilege	1020	keynote.exe
Token: SeDebugPrivilege	1020	keynote.exe
Token: SeTcbPrivilege	1020	keynote.exe
Token: SeShutdownPrivilege	1544	keynote.exe
Token: SeDebugPrivilege	1544	keynote.exe
Token: SeTcbPrivilege	1544	keynote.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
312	Babylon.exe
312	Babylon.exe
4560	Babylon.exe
4560	Babylon.exe
2620	Babylon.exe
4284	Babylon.exe
4284	Babylon.exe
4284	Babylon.exe
4284	Babylon.exe
4284	Babylon.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
312	Babylon.exe
312	Babylon.exe
4560	Babylon.exe
4560	Babylon.exe
2620	Babylon.exe
4284	Babylon.exe
4284	Babylon.exe
4284	Babylon.exe
4284	Babylon.exe
4284	Babylon.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4284	Babylon.exe
4284	Babylon.exe
4284	Babylon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 3232 wrote to memory of 4492	3232	firefox.exe	78
PID 4492 wrote to memory of 1968	4492	firefox.exe	79
PID 4492 wrote to memory of 1968	4492	firefox.exe	79
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 824	4492	firefox.exe	80
PID 4492 wrote to memory of 3140	4492	firefox.exe	81
PID 4492 wrote to memory of 3140	4492	firefox.exe	81
PID 4492 wrote to memory of 3140	4492	firefox.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Babylon 1.5.1.0.zip"
1⤵
PID:4128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.0.460759245\895818690" -parentBuildID 20221007134813 -prefsHandle 1664 -prefMapHandle 1656 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ed6f79e-f60b-4ee7-bc52-5459e45e2d17} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 1780 1475cc06b58 gpu
    3⤵
    PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.1.32891276\466612206" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ad3129f-4cad-4f7f-a076-6a60f8a57200} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 2136 14749571f58 socket
    3⤵
    - Checks processor information in registry
    PID:824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.2.811750888\1614760619" -childID 1 -isForBrowser -prefsHandle 2732 -prefMapHandle 2836 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f07f494-6b1e-4670-b87c-ee9fd19d033d} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 2828 1475fac5758 tab
    3⤵
    PID:3140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.3.792108439\801873554" -childID 2 -isForBrowser -prefsHandle 3416 -prefMapHandle 3412 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eeb25a23-1a98-415b-94e9-9b9ad9234886} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 3404 14749561c58 tab
    3⤵
    PID:1312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.4.1276616325\1080070942" -childID 3 -isForBrowser -prefsHandle 4196 -prefMapHandle 4184 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c952693f-5ab9-4d27-a92d-d53372f2ace6} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4208 147611a3f58 tab
    3⤵
    PID:928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.7.1102678993\1657364454" -childID 6 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0ac8e1a-ddd4-4663-95e1-e3174d424b2f} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 5148 14762011858 tab
    3⤵
    PID:4408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.6.1574781176\319337287" -childID 5 -isForBrowser -prefsHandle 4956 -prefMapHandle 4960 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b12e7ef-bf82-4a36-a1d2-855c4d44ba1d} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4948 14762011258 tab
    3⤵
    PID:2328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.5.887506411\78010807" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc831f06-2867-43e3-8408-2c3c9f2866e1} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4832 147618dbc58 tab
    3⤵
    PID:3756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.8.550338712\132196779" -childID 7 -isForBrowser -prefsHandle 5616 -prefMapHandle 5612 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d75ba0c-27df-4887-881c-538a13100c0c} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 5632 14763e31f58 tab
    3⤵
    PID:2504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.9.1365919033\319646363" -parentBuildID 20221007134813 -prefsHandle 3020 -prefMapHandle 3012 -prefsLen 26689 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42421ac0-4bcc-46a7-9a5a-64b1aca0ad6a} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4412 14764338058 rdd
    3⤵
    PID:4124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.10.1126609315\843764546" -childID 8 -isForBrowser -prefsHandle 4876 -prefMapHandle 5352 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf4975b5-7f06-43f3-8170-3be08ad93f91} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4888 147643ae258 tab
    3⤵
    PID:208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.11.987845148\2044200767" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 3140 -prefMapHandle 4388 -prefsLen 26689 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14c7fa09-6637-45d1-8f0f-03e18bdfa427} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 1376 1475e1f4258 utility
    3⤵
    PID:1468

C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\Babylon.exe
"C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\Babylon.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:312

C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\server.exe
"C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\server.exe"
1⤵
PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 220
  2⤵
  - Program crash
  PID:3912

C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\server.exe
"C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\server.exe"
1⤵
PID:2376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 512
  2⤵
  - Program crash
  PID:2460

C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\Babylon.exe
"C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\Babylon.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4560

C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\Babylon.exe
"C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\Babylon.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1568
  2⤵
  - Program crash
  PID:4308

C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\Babylon.exe
"C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\Babylon.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4284
- C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\upx.exe
  "C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\upx.exe" "C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe"
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\upx.exe
  "C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\upx.exe" "C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe"
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\upx.exe
  "C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\upx.exe" "C:\Users\Admin\Downloads\knote.exe"
  2⤵
  - Executes dropped EXE
  PID:684

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3892
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3128
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696
  2⤵
  - Modifies data under HKEY_USERS
  PID:2248

C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe
"C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe
"C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe
"C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe
"C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Babylon.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\cache2\doomed\1336

Filesize
13KB

MD5
def3635f487d657f3756c456c778d9fc

SHA1
e4aeab67ae7fca95a9d0ebeebe030b54653e0324

SHA256
b0eb2dd7052f6ddbc66b445487db1445e0585dcd5d5128b415866347f1ba8bd4

SHA512
ced3e310a02a1cd0e264828b0943123c9a57a9f95a87ffb96e50ae45a7208a70e3e04bfa1375ec824d87252fd985d71316bd2b10fd31574143413853190e9fb5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\cache2\doomed\21468

Filesize
10KB

MD5
1b702005df06ea532c8dfd447500e50b

SHA1
52c274d0040fa6e8cc76d376a603d06037daa84c

SHA256
9704d266e12e80e3ce9a85e615852dd7a30244030abd8f3521bbccec5a23d6af

SHA512
ae836b9df51578a042e020162eb2b05811987240c3b1f3264ee7b96e5a3d7d612cc5d97688aec5f3b77b1d619fcf2b7cfbb459a5c38dfea743addb9019d8fb38

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\cache2\doomed\6149

Filesize
53KB

MD5
e921520d975b2ce7f013b86bff63bd7b

SHA1
60dd88a99dfb3d111eab0b75adcdf96d037ed55b

SHA256
4e98147578cfd9147ea20ad2c61f9522f49f15b541c1aade23ebae90f0a360a0

SHA512
e16c3dadd8f0580ee75eb3c253a574132381075716dd6c7004697ba4c6888b13f1f0e49757c4ac25aad4f4a27eb8e1e5e7bf427a506bd35459142806de7c750e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\cache2\entries\29E572D6519E3934A089FA41C38D950A2138CC94

Filesize
46KB

MD5
2170dd32ca45ef1018be740a798b43a6

SHA1
09f4cd1433cbaf6c1de68f2880e58570bd2bbf19

SHA256
8298d589538603106f53e77de0b52b90de295fad5af48572c81ecdc4abe948e3

SHA512
e77338d359f6490196af5f993c58110ce04b50b99226dd19770c43e5a184b505f75c966b3696ebadcf461455d66fd1af52a88ea1b57157a1f6912ef05ff55733

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\cache2\entries\397854704867B2CB75BA8658E0989793BD1B00FB

Filesize
60KB

MD5
6dfe92f80158cd25f038879f2a2ef9cf

SHA1
82075ba9a12c32f5e3c84107d02192cd6be48d33

SHA256
72cad3da4aea8b02f3f5ee3510d675f6b9500e8215ca781d40b7d28ba7a71d78

SHA512
536045c83c604c025952271b92c8b25409a1349fe0c69da8fc48e5b21f061615ec762d7e9ff88852f706c8fa89cac85d852dc8b843dad675d02f24b8a1919fb1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\cache2\entries\5372C1306884CE5E69E39F33E7C4798ADE436F65

Filesize
51KB

MD5
0e8bdc5344f81711451b214d2e203a2d

SHA1
724589ee041e3e73b0cb05b7a78da8c94bf0e19a

SHA256
1977a61b5cd93427cd36505a0e5d4c7fa1fcb50b58a9e7ce34c18c151efc4cbd

SHA512
2ea33009d031d25f39c36005448fe51f080433e0d283e2c02afb0601325f98614336718f5005670da4960c33f395cbd49b0a60bd5ac810942dd509daf2a99b43

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\cache2\entries\610381FD3C71D594CFA6AFE8B8803962D0EF6779

Filesize
67KB

MD5
78cd41fca7519f37c05168238758b093

SHA1
f9be891e0a6bae640fea3f309fa33509b5ccc90c

SHA256
0153f47f43308089ec4c47e2e136cbd0d07ac06190f2cee835fd50599bdf83fe

SHA512
7f18a8c39ab6e077def817cfe07eb0865e13615ed2813a5d52e3c42c7e96e8a6555287b3812ed73f6af8a8f63c364d6249e4b2c563a3201dc516a01e5d74aa47

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\cache2\entries\634E16DC7AF73196290DC0EEA7EC63EF6B95A520

Filesize
40KB

MD5
affc692386ad4acbe35e29c128de5e72

SHA1
da65013ac0172346f713f772fc3e0d32e7730225

SHA256
33fc9b67c667eae4f19a6ec972167aa399718ffae92a8c18a46cbd69c9be5752

SHA512
21c72293b7078e151aeaae77f161814fc76de09c412028bcb7a292233fa7b167fc364b9601632aebc82a7d2c2133346a88f66dc0265d471a931931d66d00156a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\cache2\entries\B514093AD97EB137639E70982E6CC2877881F842

Filesize
33KB

MD5
cd11b3b9a0fd69c5da95fbd2b2f8d6fa

SHA1
85f3c02922273643f081eb931b143579ffc0856b

SHA256
517f142fcc1cf14845a6a584ed24d95ee681f376d0d35a23da7de539b4b4a04b

SHA512
e2f4fd5f32c20b239723d9d31bc0b45b9e2c3edd05b8898212872d2ef90952750c6d1fbc75437f02057132972bb0c1dd4d4a87544fde21c29b2bd4081f5e1d48

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\jumpListCache\n6ZPGdZ4hUGNfZk6Ik3A3w==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
1.4MB

MD5
cdd8e37183f50de4075065f9b8a67243

SHA1
7b3e62154a104fb384b587cee9d424744b1ed7c4

SHA256
189dab4d654d7081e6bcfa5b1a00d53795677b06fcb673f61f106c3fca3b93e9

SHA512
cc922c35f1ecb349e4a788247184ef5d810ae63aeac31fb00fc917db93f383958cea66e3ae61bb01c538850381b2696919d9c721d717c5d5f7385d48c4e05860

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
539KB

MD5
90e87338df3f1bb7b3e50ddcf2bfbbe7

SHA1
5676d958dab7a8eb459108810eca999d540ae2d1

SHA256
20ef6aedff696dda0e13611e67a0e7395bedcd2bbcd79cd91d5003133ff57d28

SHA512
7c9852eaa3cc03f48a28dc9acd75ffa23a0181400a8fa65d84f0b07f730ae7093b4e7e8d5d1878acbe5bf694160d6de2474392fb61b7985d78e801160e945f09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
38a0ec6c2c7d4a5b455f4c6dfb6e6c73

SHA1
c2a09f42258d878d27dda8d332442301b981f75b

SHA256
b99bb7067eac2fd83475ecc43182729f91517b236f1ee66405d269d273eefeb2

SHA512
0ad84d318f2ee966a2c32eb1dd37f1920ad486879fbc838e551d1a6100f5f0fa61136abd4b55918acc168a07828c54a704b09424387353ea8df77b7c262d8b58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\SiteSecurityServiceState.txt

Filesize
706B

MD5
bd3fa741d3a7735054305e0015964a26

SHA1
a64f479a1b10205d7267119f310f662c229bd7f2

SHA256
a689fecd0525ce20747090857f0790aabb16595d6c3d2822785dec846a376020

SHA512
2a924e86320ac769a304b9f18bf3f4ec97457763952fcae4d6f72c932b48c002d5f42ab942db9bffd678c8f4de0fdfb9973754c4b141e7f174ef0d88fc14621f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\bookmarkbackups\bookmarks-2024-02-07_11_EhYMFe9OERdOkFlkorlm3g==.jsonlz4

Filesize
953B

MD5
5018da0e495d3bb988a448388e524a3e

SHA1
95565138baf6c01cb1041ae23ae37719b0c7e493

SHA256
ea4551d8a468ff65121ba40bf53243dbf398bf8c51b20791a18e4ed3a3a0ee86

SHA512
13ff07f3d946abfcde88306535e87db4c37eccc1f2367d4c2e10bdf47274c38b05ecd52c156090e53adc4002ff85a151de15e37f9f22154be560c6bd20e8e8b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
95e0e2666c84797905d032c15cc66810

SHA1
9f183c7c71f28791aa71d4aa5cf33acabe698e04

SHA256
4e544162129f12773b51a0cf720d2abf70eebbda7e14d835f71b7c168e0773ab

SHA512
3175eae25ebfe19d4c3698f767e3ab8ced9a0e48da5601becb8bd3e7451560ed795192ed32bb16e4f7bca3183d1b1d0d1e55a27921a4c9aa6014b352791c3851

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\datareporting\glean\pending_pings\8ac80c3c-1572-43e3-87bf-356e99b54982

Filesize
746B

MD5
151beb91c5025063ea017f0d08ae4089

SHA1
52bfc9296d779c41cd5275d4dc7ab2965cb26c80

SHA256
3117d305cdbd53be8ed75771622ad472f4c4e5eea0a6bf997792d6e79a854e4a

SHA512
99ecf535c69983bb763ed59326eccaf324efa6ef705ce6f1f4036a6aaf7489c233809d0e9d7ff459e4180e5691fe4eb81ca9e27b9f2e8dd35fb338d2156eba8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\datareporting\glean\pending_pings\a1c3cd9b-09c2-4714-94e5-a655e85d4dac

Filesize
10KB

MD5
2b94ac3481a3eca4664c879c5dd1c609

SHA1
03126db0bcfe98a6af063cb0b31ac7af2c36aa64

SHA256
962196daaafc9630fb0c6cf584eb578a0f0652983f0768882725b1d6fa16d923

SHA512
37c9fef87b344af14a336765daeda1d8807ac6d87d0e405659c044f644c3be6c30a50f9f017a097808fda7550d5c407b7a81c26e5f72c0111422d8ec28b9948f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\favicons.sqlite-wal

Filesize
960KB

MD5
8cd718b81bed093a4ccbb562174a1c1d

SHA1
20a7d33d8955090449a85d87d40c5e71e345f00d

SHA256
a9d2031190ee361b31eed583feb37f769c78185c54303638d8e1c5bfd98ba62f

SHA512
308246e3dbe6cdaf3278d96a7f7df764028002bdfb57daea3fb4d7929a027ca9992180007bfce54f49e3291c28d65e370b1903b7f0dce9c934c33f98bf355b39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
420KB

MD5
03789b1bae9c30bfe39347dc444c19b0

SHA1
0d45950d2cd53744e8eec18ee4f84b61ca6f60f1

SHA256
3e5895e7b1b607096b83ce20d91d0bf209be659b3625cce5bcc2276fe75d5aa1

SHA512
d6d80e78abd407e0df58811b5d1f233be29444b0fd6b6f4f4836e2517a0de7609744a90bb52d1663be1a302743f087fa9deb0636bbbc8447ab7dcbe047ae0d45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
1006KB

MD5
3361ea59cb3bba0fd1812be5d86418c2

SHA1
afef290100fdbd3a6c3ed9a307b3f8ac5364a3a1

SHA256
4b84736c2ab95736beedc4e606ed6bbdc3dd9dbd3fddf89be8b8a12d6cb51bb5

SHA512
97020183068d22611cea6c8a821828accb9dbfdd660dfe9b10c45594f611e4431462395a74128b2fc9f331389078e199c0c3b23ff4fd6c65243687356d313a99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\places.sqlite

Filesize
559KB

MD5
c077a460a0167739654742e135446ce6

SHA1
ea30958860e69f5e21d50406133204f50cda24b0

SHA256
e250ed798974b6dcd612faecce0c850c7db6911de93c9aecca1200fb2579c0e1

SHA512
bba0ef0e31a6ac52e49af1cc36fb328f1f3130df1438b211ed2644a1d321ee311f1cb2886b3d8ab286a3569dc92d3877b192f6dc4d9137dee40d86a4ed8710e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\places.sqlite-wal

Filesize
824KB

MD5
4bcb13ec253df912cd70c79a90525e38

SHA1
edd0f84b16a8dbb2a8007e5b207b890a3af31711

SHA256
d5c3ff8adc689f8ac383655088faec4996c4eb3a834e29513aef4be8b23fab0e

SHA512
be840e2a3f2cf7adbdd7a7630caa48b8d9f80dcfe991933d8d7bbcbf810f964f9325d39444874140e2c2b048961d69bec8e63df5bb2366b1abbb0ef0cfe6a776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\prefs-1.js

Filesize
6KB

MD5
5654e43b344d7de39774abb2c1289653

SHA1
38d9a0fa6379db12ae9b9793451c47b3705e9a25

SHA256
f35a8651fc126a4c72b2264ff709ca5a23ef721947d6a0586b5111e3336bb6cd

SHA512
3ddeee7cd7593e8c114fb4305a75480364033149272fb3a04ed0eb64d38cf026edfd6ec05f9727bf0490a67e911b128a2b7a8e6e1a694cfeb5a16ce884ba9d9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\prefs-1.js

Filesize
6KB

MD5
de7fb268817e148e2841dc9c64334898

SHA1
b38e3ca732557168e7cd1621cbf58d4e144cbb1d

SHA256
add2a8e73275ce993c7bc5e1c97ad45347b6762eff13f2d2d88c3673743b2f3d

SHA512
c6dcda5afb09b50420abc5a834e3b6291120b19395fb2c6084cd336687f9130618b0c258c04d47fe38c9bf28e6a5d03411c3d97fd5d306a7f85f5615198d5d8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\prefs-1.js

Filesize
7KB

MD5
36622a592c8d120978af484c7326a4d9

SHA1
7b4689f6788844b6bf5eb4587bbf07ad21b396dd

SHA256
a053ef29e85bdc6408e0a102299ef8dcd5729fc6992ae637c9fb30598bca3f6d

SHA512
d74cdf20f5f412239a09b059e6cd3135b134b639787a173140e8f9ba3a7d2982db303b7976639939ceaf72bee4bdb4d03d3afc59e7be96e48f24557a05556e05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\prefs-1.js

Filesize
7KB

MD5
cde3025ad671ca443c67cf6c2d572cf4

SHA1
c725cc40ec9bb63e7a543fd9e44b1ef0110c68bc

SHA256
c25b1a32505b17c7e0c34403de8533da8fc791b849c334f54fe9a103644082f7

SHA512
bf2f4b99f7c84b5d63bef2c4fa0d447a0cd630f91a858fc5e8d65751a7bec00dd548c1718da93b2324627bfb5d1d7c045d262554719b46d5586f3daf3ee7383a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\prefs.js

Filesize
7KB

MD5
57230bde6afc695ea4e2bcf5b39d6223

SHA1
cd27979a70837cca4733a311729e7431c47ba02b

SHA256
cdd73adf7a70fb770d6be3f4bca874534618d10204c0eb8f40394f689065c5a0

SHA512
965720643f8b5c98f6ceb821bafed77c5ba0beee11dead24615fea55a69bafb7a42bb189a66e8585b7c178b2ee58b2e3acb92da219d28043fafcf6017ebf939e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
ec24a8ec3cbada36e3a58f1ee9a51192

SHA1
23dedb5052a6f21ec46271e8d0e8432f30b5383c

SHA256
b695bc2ef1b3db7db07089313f69b96b9e0da1a79e3741938b691e57200e5017

SHA512
eb30d7f8a9d368e6f79487473d564e3eca9c5db5e8801aa4fb6f6991a3075409cf90ccfb131bb133b98d7b44f3d1f735fc75345b934146c457ef37e19e4c065a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
18f660c9023d90958df35a667329893b

SHA1
1a8a2ea2aaee4f655c3d9a271eb9a18f2f2b0dc9

SHA256
56c61548d27bdb1ac1c41cfae8d6e51e65c39f6c0f5d757dfdfb6ec72220b9fc

SHA512
3cb16b7d70b371ca1416f979ee997d49fe0351ada10ce85359dc8d6e127ca7087050149d43217231ed83b4df73c2eda0181ab37c7d66d17e68d081ba38d01e9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
9b97397e0e319c0fe23743ee4268b8cd

SHA1
634f21943c36a3af8cb79c4219eac963d8695b6b

SHA256
6bfebe1938b932169d073aca381f2aedfab5d1a4bee09d216a24c6fcea2dd49f

SHA512
19b8b2d9a9223a4e5cfb81c4d90f534e9a0238f637bbb6bffe7533a83b66f99570d387667492d33a586ae740401b8f2d406bc5598fe4b128aa78a0396b1f7d94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
baec5b0e6ecdbe7ca68e2df5d5bdc035

SHA1
aacb04ca52cf15e7e4464f9ee8ca07ce53fae84f

SHA256
5c85f92868a2bd496d090842d0f4885b7c55b9fb12a05b82f31cf4c69124c221

SHA512
9cacdcf17c54c0bfecd1a57ae555ade38ba5c653553c073a30421e1c76533568a917374aa148f2ba0aa28588d8e251cb3f071810ad0b8b150ac91801e3efb491

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
b614950071fa1f2d2effc67d7c335906

SHA1
28559a57feef362ea01bda9ca7546a9f58f8c4b3

SHA256
f6f224fb479f52104a5f03c5b194145e07edeb2397e77ca151bbf8b552a3fdcf

SHA512
2e0bc099d4103b114a39eeb2da1052bc4342bbbb22c24fe5b25eb5e9fe34a52bd49bf75b702ca0db0a481640fd918721ca3c3e51531b0fafd743d0dd81f9c139

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
40f6c8978cca1d821da1b95c6b5a6269

SHA1
a32e7bf22782d1176ceb412d1a59701dd8838acd

SHA256
d936d4869b666430ff954711e2f55a91d40870edef3cb3b5dd3de7ae9df4b54f

SHA512
491c4420072a7a09b35e1a699253027fb66e3ec1e4cab4b55838d5cd083212d2dccc77e445e2fb77c26ee218c3734e2870b6a5abb466b6b53901487b1440d421

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
d4db818a71f588a9145e6edabbb6cc5a

SHA1
5a7bf933f674dfed2e9cf7921d6da36ffcdc0fb7

SHA256
73523a9563be441869a080f2f9d8872c7f55c3751f1d7ad4df937f6ae6a6e916

SHA512
051ba33e6d9721b0acf113e03ab14c019b26fae03080441d4f91dbd4b236a4475f0bdbb48fd57096d4e7fcc6c16d2fda94c9790a579ffecd702a834f1314f5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
7adc5c6271e004dad6f99b3924a2273a

SHA1
170b93cd9326105bc896766a0560b6efb294261d

SHA256
79be55e4e0e5dabdc7bec8bbaf456e25e96f3b368e106a27b761e1112d5dc771

SHA512
1ef044b5f819b8abe68fd8bdce0a385905789c170c01b029ad6cb823fb5621bb16d1119970ef892499cb8b505246eb7109161316a1930498e57d895de278eb92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
97f442066bed2b0661dea6b5031f38d3

SHA1
1ba830fb396999b58a3cf7d584133d596df05e67

SHA256
09c51ee0d74fc64f2ec28531d0dc4c4f5a4beecda382deaeb96f6cf303e72d8d

SHA512
572f458536f883a8d6cc3691541690d2461a11c90971fff660a87b26f456651b7bed06becd6231689926ab6b9b1471d266ec66b20c0cbfbc0b452c93cc5d315f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\sessionstore.jsonlz4

Filesize
9KB

MD5
5c8841705d23a0821bf81416716beead

SHA1
1ce74b19ccb4f847f7c7e2d4d11704927ac65c32

SHA256
baf2e0e72c91611d92d02cd0c94bd88cd485600fbab6f5c867c9b2fb035e0247

SHA512
8a2488bf3262bb9af8baec98f6405a706faed42ba3b0e2ea57e462911bf8ccfa5dccf02bfe760ca9a6e318e264119164651335b25e899adfd96ea02c3fc232d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
079ee2cccc4eee3b2e3011eec417e06d

SHA1
6653947f5a920193ed1b5a102374e9cdf8878654

SHA256
cbae6f3bd9a0fff08bcd5f56320fa737f0d120d5b180a7f5168818f6ca100a7a

SHA512
d22ba54e67070aa5679d5a0d90afabe930f2dc81ea661323797b3645e7f383dd62a58ffc91a94a270a73e964ebdd1119998e74564a61c6659db2928a041825c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
97a08e148e4df4ae4e86b27d66a44fcc

SHA1
4ca4e5a34d675b60bde60269043456df76a46306

SHA256
5ef252a75efeccc2c1c2e641b16fd93f905caef859a6b37c040b059a142f0e36

SHA512
e3694a09b75b4351640bf778e9c6b39ffe26c48541231e06f3f0d364285b6e022d44bd9dcf1ef13c097da1e32f34a05a89886147ac2d1ee31b7e6277778b1b02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\targeting.snapshot.json

Filesize
3KB

MD5
90a8180b6651b054c730aaaed8119e29

SHA1
8bff1c35571ca5119aa3897fea3f8f773d86516e

SHA256
3c322ddeccfaaabc43733bbc8c3c4a4e83178e7e5616f39e73173f63aca63fd7

SHA512
86748568bde0c05843167f90feba48dfe7a819739a272c0621ba0cb927fa4baeeaa36284de130389ea8ca5fc4ffb1f7e3c7d57ef8e5325727b96a46047f4a211

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\xulstore.json

Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
C:\Users\Admin\Downloads\Babylon 1.5.1.0.zip

Filesize
4.8MB

MD5
091d6453e02d177f5210dda48e919f75

SHA1
d6d81909f329bb8225284d42ed894e655a0eed10

SHA256
26d95e03796934f4d68fa01b25cb9853f2022722da22b8266c7d286070a111d8

SHA512
808d1f9161bcf4cc044532b202b9ea850b8e72fe2b74fc9cf9d898a855ca9d4f68b7d6cdffa642dcdacd69697cf3f01dac8136567af12066e32af433472ab5c5

Download Submit
C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe

Filesize
353KB

MD5
8cdea99c4919fc378e2684b524106a49

SHA1
895860d1658d5ca4ea2897e21efbdefc7fb00f27

SHA256
ac1b7e8735f5f3f6e2b7518207415cf6d4d895048b858a87a21f3ad30f8ee74b

SHA512
cfb8af9b1c709d3ebf4872607a7aa458a93af0384fb130f9918a7c436b1f8ccff1756f6f248b6cc76d78dabeb8eb0d492293adac5bad10d2a79cbf96951997e1

Download Submit
C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe

Filesize
727KB

MD5
1a17a32a7ade7eb6ba8813e3e27ea3a9

SHA1
918f4be91f39b3c203c18f2a285ce7e7901da367

SHA256
3938348dbcd829119e33e91ac3933781ce4611ba6432d4916a9bcb157da6db67

SHA512
f5e01549d15134251b8d26b7aeafa600c1ccc6ad8eab4420c9e29423fa7870c99d5f522f0c7efd15deb768c7317bdfa7d2d11495d479a60e9b064c56a7485064

Download Submit
C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\keynote.exe

Filesize
642KB

MD5
ab172a87f0a18266bb458fc5c9662bc3

SHA1
3747dbfa927ea487e0e5ebc191c7a4e6a979232c

SHA256
2bb57548ab89556976b0b02834efb40cf596c59286eec1caeaab47e497fb3835

SHA512
75b52171cf544faea07dac0f7a57fb4d8ea0de850fffa50de51fc6436a16a1fd43dc4d4a8e26fbfda104d68009ef3d9986f12da0ac39310abeac95771ecd71b0

Download Submit
C:\Users\Admin\Downloads\Babylon 1.5.1.0\Babylon 1.5.1.0\upx.exe

Filesize
298KB

MD5
e9eacbb7ab4b3f66019e0a2f13a1dba9

SHA1
ae30894b29e52bf04afc4a54795d438fb910acff

SHA256
0c3dc789d0a46493bd097526b920d913d930d96b1052cb331eec3ac560c89996

SHA512
925445d20c93c65a282fc59f773551d824bff1f8e2623fd8ea0c587831a9550c400f121defb3d82c8f0401903fa69e3154dc98e29688d02af1d5d01247914a06

Download Submit
C:\Users\Admin\Downloads\knote.exe

Filesize
727KB

MD5
cbf88161d9203ee0648d0983d4579a66

SHA1
fdbc221dd27e00e4f4a67ffd680ef4dda23e8150

SHA256
869ca5c2f842f66ef565715c43cb2a89460f411f841cc97dddde1293572d7a20

SHA512
bdce3e8d9c6cc3cdd14a492db9620800b166ca694cdd468f42935cba94864b51cf86d429206022199cd213b52618a178cb43b416517ce997b3bcf20397ce5169

Download Submit
memory/312-751-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/312-749-0x0000000008210000-0x000000000822E000-memory.dmp

Filesize
120KB

Download
memory/312-747-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/312-745-0x0000000008490000-0x000000000898E000-memory.dmp

Filesize
5.0MB

Download
memory/312-748-0x0000000008160000-0x00000000081CC000-memory.dmp

Filesize
432KB

Download
memory/312-744-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/312-742-0x00000000009D0000-0x0000000000FFE000-memory.dmp

Filesize
6.2MB

Download
memory/312-746-0x0000000007F90000-0x0000000008022000-memory.dmp

Filesize
584KB

Download
memory/312-757-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/312-743-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/312-750-0x000000000A630000-0x000000000A6CC000-memory.dmp

Filesize
624KB

Download
memory/524-1013-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/524-1005-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2248-1151-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1251-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1275-0x000001EEE6780000-0x000001EEE6790000-memory.dmp

Filesize
64KB

Download
memory/2248-1276-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1277-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1289-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1231-0x000001EEE6780000-0x000001EEE6790000-memory.dmp

Filesize
64KB

Download
memory/2248-1232-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1241-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1243-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1245-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1247-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1249-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1258-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1260-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1261-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1262-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1252-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1226-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1211-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1201-0x000001EEE6780000-0x000001EEE6790000-memory.dmp

Filesize
64KB

Download
memory/2248-1198-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1194-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1182-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1179-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1177-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1171-0x000001EEE6780000-0x000001EEE6790000-memory.dmp

Filesize
64KB

Download
memory/2248-1169-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1154-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1149-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1150-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1148-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1147-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1145-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1144-0x000001EEE6870000-0x000001EEE6880000-memory.dmp

Filesize
64KB

Download
memory/2248-1142-0x000001EEE6780000-0x000001EEE6790000-memory.dmp

Filesize
64KB

Download
memory/2248-1141-0x000001EEE6780000-0x000001EEE6790000-memory.dmp

Filesize
64KB

Download
memory/2376-762-0x0000000001000000-0x00000000010BE000-memory.dmp

Filesize
760KB

Download
memory/2620-983-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-993-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-992-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/2620-991-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/2620-990-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-985-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/2620-984-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/3892-1110-0x0000020768470000-0x0000020768471000-memory.dmp

Filesize
4KB

Download
memory/3892-1127-0x0000020768910000-0x0000020768918000-memory.dmp

Filesize
32KB

Download
memory/3892-1113-0x00000207682A0000-0x00000207682A1000-memory.dmp

Filesize
4KB

Download
memory/3892-1112-0x0000020768470000-0x0000020768478000-memory.dmp

Filesize
32KB

Download
memory/3892-1133-0x0000020768A70000-0x0000020768A78000-memory.dmp

Filesize
32KB

Download
memory/3892-1109-0x0000020768480000-0x0000020768488000-memory.dmp

Filesize
32KB

Download
memory/3892-1107-0x00000207671B0000-0x00000207671B1000-memory.dmp

Filesize
4KB

Download
memory/3892-1106-0x00000207671C0000-0x00000207671C8000-memory.dmp

Filesize
32KB

Download
memory/3892-1104-0x0000020766D70000-0x0000020766D78000-memory.dmp

Filesize
32KB

Download
memory/3892-1102-0x0000020766D70000-0x0000020766D71000-memory.dmp

Filesize
4KB

Download
memory/3892-1101-0x00000207671B0000-0x00000207671B8000-memory.dmp

Filesize
32KB

Download
memory/3892-1099-0x0000020766FD0000-0x0000020766FD8000-memory.dmp

Filesize
32KB

Download
memory/3892-1097-0x0000020765BF0000-0x0000020765BF8000-memory.dmp

Filesize
32KB

Download
memory/3892-1095-0x0000020765C40000-0x0000020765C48000-memory.dmp

Filesize
32KB

Download
memory/3892-1076-0x0000020763910000-0x0000020763918000-memory.dmp

Filesize
32KB

Download
memory/3892-1060-0x000002075F530000-0x000002075F540000-memory.dmp

Filesize
64KB

Download
memory/3892-1044-0x000002075F2B0000-0x000002075F2C0000-memory.dmp

Filesize
64KB

Download
memory/3892-1117-0x00000207686D0000-0x00000207686D8000-memory.dmp

Filesize
32KB

Download
memory/3892-1134-0x0000020768A00000-0x0000020768A01000-memory.dmp

Filesize
4KB

Download
memory/3892-1115-0x00000207682A0000-0x00000207682A8000-memory.dmp

Filesize
32KB

Download
memory/3892-1124-0x00000207686C0000-0x00000207686C8000-memory.dmp

Filesize
32KB

Download
memory/3892-1121-0x00000207686C0000-0x00000207686C1000-memory.dmp

Filesize
4KB

Download
memory/3892-1120-0x0000020768820000-0x0000020768828000-memory.dmp

Filesize
32KB

Download
memory/3892-1118-0x00000207686C0000-0x00000207686C1000-memory.dmp

Filesize
4KB

Download
memory/4284-1017-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4284-1015-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4284-1016-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4284-998-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4284-994-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/4284-996-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4284-995-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4284-1014-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/4424-761-0x0000000001000000-0x00000000010BE000-memory.dmp

Filesize
760KB

Download
memory/4560-769-0x0000000005CB0000-0x0000000005CC0000-memory.dmp

Filesize
64KB

Download
memory/4560-767-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/4560-766-0x0000000005CB0000-0x0000000005CC0000-memory.dmp

Filesize
64KB

Download
memory/4560-765-0x0000000005CB0000-0x0000000005CC0000-memory.dmp

Filesize
64KB

Download
memory/4560-764-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/4560-768-0x0000000005CB0000-0x0000000005CC0000-memory.dmp

Filesize
64KB

Download
memory/4560-770-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download