bandook | hxxps://drive[.]google[.]com/file/d/1AhH_IFwrL1iUIvmxjPfR9v465CSX-v0I/view?usp=drive_web

Analysis

max time kernel
210s
max time network
209s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
14-12-2023 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1AhH_IFwrL1iUIvmxjPfR9v465CSX-v0I/view?usp=drive_web

Score

10^/10

bandook rat trojan upx

Malware Config

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2140-209-0x0000000013140000-0x0000000014CB8000-memory.dmp	family_bandook
behavioral1/memory/2140-211-0x0000000013140000-0x0000000014CB8000-memory.dmp	family_bandook
behavioral1/memory/2140-212-0x0000000013140000-0x0000000014CB8000-memory.dmp	family_bandook
behavioral1/memory/2140-213-0x0000000013140000-0x0000000014CB8000-memory.dmp	family_bandook
behavioral1/memory/2140-215-0x0000000013140000-0x0000000014CB8000-memory.dmp	family_bandook
behavioral1/memory/2140-217-0x0000000013140000-0x0000000014CB8000-memory.dmp	family_bandook
behavioral1/memory/760-250-0x0000000013140000-0x0000000014CB8000-memory.dmp	family_bandook

Executes dropped EXE 4 IoCs

Processes:

Facturacion#8895.exeFacturacion#8895.exeFacturacion#8895.exeFacturacion#8895.exe

pid process

4644 Facturacion#8895.exe
2740 Facturacion#8895.exe
3008 Facturacion#8895.exe
2328 Facturacion#8895.exe

pid	process
4644	Facturacion#8895.exe
2740	Facturacion#8895.exe
3008	Facturacion#8895.exe
2328	Facturacion#8895.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2140-206-0x0000000013140000-0x0000000014CB8000-memory.dmp	upx
behavioral1/memory/2140-207-0x0000000013140000-0x0000000014CB8000-memory.dmp	upx
behavioral1/memory/2140-209-0x0000000013140000-0x0000000014CB8000-memory.dmp	upx
behavioral1/memory/2140-211-0x0000000013140000-0x0000000014CB8000-memory.dmp	upx
behavioral1/memory/2140-212-0x0000000013140000-0x0000000014CB8000-memory.dmp	upx
behavioral1/memory/2140-213-0x0000000013140000-0x0000000014CB8000-memory.dmp	upx
behavioral1/memory/2140-215-0x0000000013140000-0x0000000014CB8000-memory.dmp	upx
behavioral1/memory/2140-217-0x0000000013140000-0x0000000014CB8000-memory.dmp	upx
behavioral1/memory/760-250-0x0000000013140000-0x0000000014CB8000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133470526184650386"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

chrome.exechrome.exemsinfo32.exetaskmgr.exe

pid	process
4856	chrome.exe
4856	chrome.exe
4452	chrome.exe
4452	chrome.exe
2140	msinfo32.exe
2140	msinfo32.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4856 chrome.exe
4856 chrome.exe
4856 chrome.exe
4856 chrome.exe
4856 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exetaskmgr.exe

pid	process
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4184	7zG.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe

Suspicious use of SendNotifyMessage 60 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4856 wrote to memory of 3564	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3564	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 5060	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 4576	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 4576	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe
PID 4856 wrote to memory of 3344	4856	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1AhH_IFwrL1iUIvmxjPfR9v465CSX-v0I/view?usp=drive_web
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcd7fa9758,0x7ffcd7fa9768,0x7ffcd7fa9778
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:2
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1528 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5128 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5144 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5096 --field-trial-handle=1764,i,9785134345691326324,18055170256732297926,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2092

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Facturacion#8895\" -spe -an -ai#7zMap19533:92:7zEvent22533
1⤵
- Suspicious use of FindShellTrayWindow
PID:4184

C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe
"C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe"
1⤵
- Executes dropped EXE
PID:4644
- C:\windows\syswow64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe
  C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe nnchwwghwgehwgewyeywyeywyye
  2⤵
  - Executes dropped EXE
  PID:3008

C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe
"C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe"
1⤵
- Executes dropped EXE
PID:2740
- C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe
  C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe nnchwwghwgehwgewyeywyeywyye
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\windows\syswow64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  PID:760

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
27KB

MD5
71052680d21760a0ba0c98488797f4d6

SHA1
21ab165ac404ace135b6e2d13ff51e7d1b1288e7

SHA256
80771d694e7b5e566626483a7ae1c846daf40654fc725e07fb50637e55a5d537

SHA512
49c5adb4730e28f83bd54176922d7604031f49f8bace5393a27337e5f861c5d4f8ba97a0ba2af03696ef6f0a974d953c54dfb81a1f238bac38886ff14d3fdb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
4e405f7a412d8f31f82f1054ab1e7008

SHA1
05606ce1a37616d758bfebd9f8698877c83b6715

SHA256
6ed122627a9fe5fbdd7b82f88455073718433dfc456f75c286d5eababf082636

SHA512
15f74d35fe82036358d953525d07645f16bdfb0f8ab30938817567a0c9c318b880620667be4fbb8e63cc8edc30f37140cd0978025bec2c3a0e13f11733318a9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a733b8131b157aa964c542728fa7e0f8

SHA1
e41d575ae0ea8f186b37bceb28328f0f6743f396

SHA256
c44a22efc0ed5fe9232b2defd5c256ea7c10b9e57f7ef6de6c8d6ccd3143b45a

SHA512
9036fb15f4572a3fda56e585e019e6c7bbf966d0d386eac584deb64a6929081a40517a5af1be2855e37ad388b6c63284d3d20628d0f010fb57f8aa87c4b92624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9310f2ed51106d02919cc3f0b1acacb2

SHA1
f320833e4b36f2b691ffe1ec63eb9d06017be98a

SHA256
2c555d032536d9918b88ed962a6278de701e3036dab5cc6190b1e21b4ccfc3b0

SHA512
e25b7a71cf2e3d405712d141d68885f50a887ace1f7df1585702d6da479437cc615d8f9ec5194d031ce0f5a99fc1a2eb0c3a5ebba9469a08ac329f0febc5c7f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
e41ae2bd7972d50dbfee1d8b3218b43a

SHA1
802b3814bb764229ef051d7d2ae4bc5e5eeb5c47

SHA256
b5244ee065f4b18486fd4325e3eb548bb10c57817f2d7d0b1057a4fac740073b

SHA512
9ae630e58f7c8b8cc24444a81883686b67b0e2d30319ae78f426743bc671653670b593507cae1c33eddd658995ad7be29465600451040f2695c4c9eac4b746ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
96c4f473838bbf897f6b3245f7a33ca3

SHA1
ac976a441069f6a8c0fb983fd6898badc02d3f0a

SHA256
4fe8b5b21712c5aa7369559213dbcf1e75819ac905d5fa6231aa86e937c7f263

SHA512
cdc9b22561e53a0059f537148de8112a3c49bd6531d7f5c82598868909c70246c2cedf3b6415e57616e3d3ce0dcc478d2725055e54ce684dc8df87c2555be891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
644cd71d96fa14c5b1f233a8b98b5d8c

SHA1
af20bb4fa9b04f97260b430b3d7dc4db00fdb2ef

SHA256
8d2e231271ff2615e358a0216cadd2df1ea4f5a30dc4101da1cfc8b6d4e00046

SHA512
0c7ad40e35ec5d871ca5bbd5789bd8b9d5204677a2563c9c1d723d25cf3546ec3121129bddb1f23dc4f15e85a137b5a8e2346fbdd48ee4a1673e60a7e8de283b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ab1b151f724acb154fb3200c2d663e29

SHA1
c26d54e9e0b13e6e556898cf3333a3d6e755fdf3

SHA256
896a6e440f1a439297b1b889d98a0cf8f67ef662ab0b128949654b5e7d00c6d3

SHA512
afd2aa8a04da1474df4c1d89b5bcb783eb051f10496c80b0fc17bfd707114622b8d7f522b9222fb503768fecef7d243f4dfca704dd081d6c269b7a7ddf12a256

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
308ff3c45ef74e5af66422be45b19eb2

SHA1
d0c78392c87fa06cca6deb3826e00e1ed22b1456

SHA256
41833a9c3e615af5b5c397391a5f5791c0e8fec4c2d3bedb2d97e71a48e93089

SHA512
ac2e05d5ea2f1249f7b227b39e9325204dbaff223df35eda4b849727fd29bc788e99c1174e4e1275fbf40def360371b0120c9838b699f2860ceb53959d191ab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5cc5e178f7ecd9d4801d2e81f6026bda

SHA1
f8c700737a0dc022352aa100520111abcb997390

SHA256
7382f0f0c1baf75bea25c0b6f9bb6373a9332d2e09e2a291b844f8dd63d705c0

SHA512
1a274e77a3ef85dcde082f5b247c5fc001aa9cab7ac049a21a89b2b591e9121fba4940e87baf0106f858a08fa48c677f3d1e3c34df58749ed3fa697b25962267

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2079ccde648e29842c3cd4d8a25362ab

SHA1
3b58bd67d1268f599fcc5a5a542fe1d1570918b7

SHA256
60097212159c9fdb4cf8f86a90c25444a16efb1382d4901e1e124a7666da93b9

SHA512
df66e4dc716117f16941cc89168a3adb92b91aa79ec5e8967925121311e92f9342b7994e34ca8a163b5bb6c5d3fb8f5e912c2610b4d3da957ef46bfba17e7743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
14063fc220e7cb4e2051c6b07136d535

SHA1
bc4b4bbe14f9094a8b78bbd40e9075f93b93ac18

SHA256
771e9a8f72606a69c154a9a46a0700891b0e6651b0b1bdb388bc055ab3ed8a34

SHA512
1e166319f6ba0ccc647fcdb4648a64f829d15efd15bd2dbb74d492211ba44d6fc8073959d9e6936518b9907bdd474991e224564d280eb64dc4ddd2ecf2d94871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
dd808899206c097c2b970cbb88c9e1a6

SHA1
8c5ac9ab7b4dfbfd2e934881fde04705eb31fc69

SHA256
1f863a64a5002666911b435b585b1ffde729a6054c0efcd1d11c6b4be724beed

SHA512
113db5867a33813c6d87d8f937f52effd1ed43f2561b741b25d26d501675664e8d509c206ee17ac647e5ad863004f3f12246192840b4ae686dfcadb08c0840c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
e4c06cf0eff75089e2e29bc670d1638c

SHA1
7e080de6963dc5ceb6e69397b2c6083466948b28

SHA256
fe1155ab1b0f6fb8d1e997009952b7755e2a68d42df025e0e3c8efd115911578

SHA512
1befb2f71c463518cdc5367bda60d9f9c2fb53e1f0a2817f110d2dde717db4189db47ca2d2131fe14d4e81a9b06c5c35b9dc381ee25b5a7ecf018d3d1c54b083

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5853d8.TMP

Filesize
93KB

MD5
84abcbf0ceed783e9e3b015e4e8241c8

SHA1
89baebdd6a81b7565583b40bcb3c2a8223dc1ab4

SHA256
835377bd0ba4db48001679b551fb36ecea3c584f3440fb80eba45e6cff5966fb

SHA512
bbc58a684c552d19898785a6560f3438fbfcc5991ef9087d8ee6764e059e576de52632f90132ca7a5c035aede0e97ee4f306fa8db15d7c4f374348a27a1fac5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Facturacion#8895.7z.crdownload

Filesize
11.8MB

MD5
42ce0cce2246d8366e9b36689dee8e02

SHA1
16b988afbc6762578d395e1b71b2226a0a99d224

SHA256
cd49da8c7581c62737cb8f0af6c0fe39323be7f02c8c014665bfd8ff7f142f25

SHA512
bc689791973a2de3e4aaf7b532fb3336b8bafea418dfe8b8c600bb7a8bfa1db5a38e295285a42aaf83d9bc58220a32569281ac834cd0e8c4eb925090f22ad786

Download Submit
C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe

Filesize
7.0MB

MD5
6dcacae7045ed6dbc9d144d48e3fb9fa

SHA1
4edf738d4e4f75b3f9cc5e2f00e1c20f691786b7

SHA256
95f7ab2feb3c20400118a3ca18af9863249c230c430b5f787fa45c0b36f2d2dc

SHA512
fe3a34319141847ad7b917641559f5af70a9b9ab8c9c7839145531078209931c97c184ab32a0b026e500b9655213fee1c18fbbe8f1e836ed03b8599e543dfdea

Download Submit
C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe

Filesize
8.5MB

MD5
9d37b95c3ab7b4fd4271153853b33ff4

SHA1
1be6bacd678e4375a8aadcd071a173a7c8076f62

SHA256
0da901744286b770b5cc4c6fe8625e33283cdb36c8e24bc25928fefbc175d719

SHA512
b033aad6db62ec839841e1fac215739a3d51bff80fd204a9e38e6290a22f314c2ba45522526559d6cf0da8b89a98783c2494b8ff08cb80fbc69bc62856fbffd8

Download Submit
C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe

Filesize
15.6MB

MD5
22f09d81b114ed779123c9ea035df9d8

SHA1
bd4e827c04966ba925fb3a56f5013bf8f80ce37a

SHA256
fe47377ceb7cbdd97d007e807381f5d7a880e8ed01ac62d0f5825c36e1f3301c

SHA512
7c0b206bef11931223e7dce523e8a049e4192ad9301f2996925e6c1786b3ff11870665c06c07cbe0fd17a4ddebd7bf8f7f38e09fd0b3c7f79959057275dfa0fa

Download Submit
C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe

Filesize
12.7MB

MD5
1a792669c120fd99b166fa1a785bb12d

SHA1
ac31127ddb2f96234f684779c5011cb492901663

SHA256
575710401b730e4b85e919308225236cfd883b7b348b5c0bfa64bdca834fac7f

SHA512
b3b2758dbe43b44b0f672e24edec67b3a66180330817d1bf0187df107cec353284f10fb044bfca6b084b37b4c23c7b94129c3c40e7c9e1c8844757f39cea524a

Download Submit
C:\Users\Admin\Downloads\Facturacion#8895\Facturacion#8895.exe

Filesize
1.9MB

MD5
72923e144ae19efb746f575807172673

SHA1
4e3a6ed4e43384b4497534d2854e34795386a80e

SHA256
dfcd3cadaf60e0b244f70521c717c184addf38b948356f30a3085284ec8a7224

SHA512
3ba62c0cf7ea7a01f546f6d080aed92f2f990765d5ae7f4ea4a052c0c7db4765b6ddf03f9a34fc16a639ab2a493951a410abf655f1e1c415acf96e886b034b4c

Download Submit
\??\pipe\crashpad_4856_FSCJTFFXLEVWRWIF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/760-250-0x0000000013140000-0x0000000014CB8000-memory.dmp

Filesize
27.5MB

Download
memory/2140-211-0x0000000013140000-0x0000000014CB8000-memory.dmp

Filesize
27.5MB

Download
memory/2140-206-0x0000000013140000-0x0000000014CB8000-memory.dmp

Filesize
27.5MB

Download
memory/2140-217-0x0000000013140000-0x0000000014CB8000-memory.dmp

Filesize
27.5MB

Download
memory/2140-215-0x0000000013140000-0x0000000014CB8000-memory.dmp

Filesize
27.5MB

Download
memory/2140-213-0x0000000013140000-0x0000000014CB8000-memory.dmp

Filesize
27.5MB

Download
memory/2140-212-0x0000000013140000-0x0000000014CB8000-memory.dmp

Filesize
27.5MB

Download
memory/2140-209-0x0000000013140000-0x0000000014CB8000-memory.dmp

Filesize
27.5MB

Download
memory/2140-207-0x0000000013140000-0x0000000014CB8000-memory.dmp

Filesize
27.5MB

Download
memory/2328-253-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/2328-245-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/2740-251-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/2740-173-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/2740-208-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/2740-176-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/2740-202-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/2740-170-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/2740-232-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/2740-178-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/2740-177-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/3008-205-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/3008-254-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/3008-233-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/4644-203-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/4644-171-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/4644-172-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/4644-168-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/4644-210-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/4644-153-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/4644-201-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/4644-199-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download
memory/4644-174-0x0000000000400000-0x00000000013B5000-memory.dmp

Filesize
15.7MB

Download