xworm | hxxps://docs[.]google[.]com/uc?export=download&id=139lsOJyvZG951FSn5PZuE4fXdeWVgxW_&data=05

Analysis

max time kernel
299s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=139lsOJyvZG951FSn5PZuE4fXdeWVgxW_&data=05

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

87.120.116.179:1300

Mutex

aMI0xjUDQCeZl19j

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4736-124-0x00000000006A0000-0x00000000006B0000-memory.dmp	family_xworm
behavioral1/memory/4324-125-0x0000000000400000-0x00000000004EC000-memory.dmp	family_xworm
behavioral1/memory/4324-126-0x0000000000400000-0x00000000004EC000-memory.dmp	family_xworm
behavioral1/memory/1644-160-0x0000000000400000-0x00000000004EC000-memory.dmp	family_xworm
behavioral1/memory/1644-159-0x0000000000400000-0x00000000004EC000-memory.dmp	family_xworm
behavioral1/memory/4468-158-0x0000000000810000-0x0000000000820000-memory.dmp	family_xworm
behavioral1/memory/2376-203-0x0000000001460000-0x0000000001470000-memory.dmp	family_xworm
behavioral1/memory/756-205-0x0000000000400000-0x00000000004EC000-memory.dmp	family_xworm
behavioral1/memory/756-204-0x0000000000400000-0x00000000004EC000-memory.dmp	family_xworm
behavioral1/memory/4004-251-0x0000000000400000-0x00000000004EC000-memory.dmp	family_xworm
behavioral1/memory/4004-252-0x0000000000400000-0x00000000004EC000-memory.dmp	family_xworm
behavioral1/memory/236-250-0x0000000000DE0000-0x0000000000DF0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 4 IoCs

Processes:

CONSOLIDADO PAGO NOMINA PROVEEDORES.exeCONSOLIDADO PAGO NOMINA PROVEEDORES.exeCONSOLIDADO PAGO NOMINA PROVEEDORES.exeCONSOLIDADO PAGO NOMINA PROVEEDORES.exe

pid	Process
4324	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe
1644	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe
756	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe
4004	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

CONSOLIDADO PAGO NOMINA PROVEEDORES.exeCONSOLIDADO PAGO NOMINA PROVEEDORES.exeCONSOLIDADO PAGO NOMINA PROVEEDORES.exeCONSOLIDADO PAGO NOMINA PROVEEDORES.exe

description	pid	Process	procid_target
PID 4324 set thread context of 4736	4324	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe	118
PID 1644 set thread context of 4468	1644	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe	122
PID 756 set thread context of 2376	756	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe	125
PID 4004 set thread context of 236	4004	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe	127

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.exeCONSOLIDADO PAGO NOMINA PROVEEDORES.execsc.exeCONSOLIDADO PAGO NOMINA PROVEEDORES.execsc.exeCONSOLIDADO PAGO NOMINA PROVEEDORES.execsc.exeCONSOLIDADO PAGO NOMINA PROVEEDORES.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CONSOLIDADO PAGO NOMINA PROVEEDORES.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133777170553159847"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

chrome.execsc.exechrome.exe

pid	Process
2372	chrome.exe
2372	chrome.exe
4736	csc.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
4736	csc.exe
4736	csc.exe
4736	csc.exe
4736	csc.exe
4736	csc.exe
4736	csc.exe
4736	csc.exe
4736	csc.exe
4736	csc.exe
4736	csc.exe
4736	csc.exe
4736	csc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid	Process
2372	chrome.exe
2372	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe7zG.exe

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
1812	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csc.exe

pid	Process
4736	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 2372 wrote to memory of 1216	2372	chrome.exe	85
PID 2372 wrote to memory of 1216	2372	chrome.exe	85
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 3284	2372	chrome.exe	86
PID 2372 wrote to memory of 1376	2372	chrome.exe	87
PID 2372 wrote to memory of 1376	2372	chrome.exe	87
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88
PID 2372 wrote to memory of 4544	2372	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://docs.google.com/uc?export=download&id=139lsOJyvZG951FSn5PZuE4fXdeWVgxW_&data=05
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb77bbcc40,0x7ffb77bbcc4c,0x7ffb77bbcc58
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,6957082264921308557,6736114897090117710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,6957082264921308557,6736114897090117710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,6957082264921308557,6736114897090117710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,6957082264921308557,6736114897090117710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,6957082264921308557,6736114897090117710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,6957082264921308557,6736114897090117710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,6957082264921308557,6736114897090117710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4612,i,6957082264921308557,6736114897090117710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3880

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1664

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES\" -ad -an -ai#7zMap9960:132:7zEvent10978
1⤵
- Suspicious use of FindShellTrayWindow
PID:1812

C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES\CONSOLIDADO PAGO NOMINA PROVEEDORES.exe
"C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES\CONSOLIDADO PAGO NOMINA PROVEEDORES.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4736

C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES\CONSOLIDADO PAGO NOMINA PROVEEDORES.exe
"C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES\CONSOLIDADO PAGO NOMINA PROVEEDORES.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4468

C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES\CONSOLIDADO PAGO NOMINA PROVEEDORES.exe
"C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES\CONSOLIDADO PAGO NOMINA PROVEEDORES.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376

C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES\CONSOLIDADO PAGO NOMINA PROVEEDORES.exe
"C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES\CONSOLIDADO PAGO NOMINA PROVEEDORES.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\91f55654-9232-402f-af57-6d98ca341a0e.tmp

Filesize
116KB

MD5
08b88b01830cb2ceeb8783c8d5480c81

SHA1
42802dcfbdef29292101c74913ccac45cedece6b

SHA256
1d2ad88c04e97ba4931f2cf1f23c522d976c73cb9d3b01adea60645d00911ea7

SHA512
a78d069976b9bd3593f68c1115b224abd822aff1afdb33b29a3781360e42e6e831c941c91c9565d49e9260b742a3d432edfb217fc4f68f0e7e099672aededa8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4d1587450a9156b2fc5965acbcabb155

SHA1
760b7b45650cf3ca4763ea8ad743006142ccaafb

SHA256
1bf28c7e3f51defaa51b311de7dc50e0063fd28d5fa127b6bd6b38de45e1fa07

SHA512
03b239afe420696e1390e2f750fadd105549fab0103a0a6b487d4f16723afa18dd9bd304d0c296ade3739c4851c5434212f53b885d1556a436c1d041d2f9fd3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3e18aa2ade1419749b57f04d7caf69f5

SHA1
a51677d9b08979e3bc7db0d4ac11fa07a1e021fd

SHA256
9cd000aa8a3bc593a57d4af6b6c287967a06d41dbcd83f48f05553d56d304d0b

SHA512
5db62c353364469698debcc673b5beed45bae53773763968802429e1c60d73e334180307e29cb5d67530897a0e535720b16906f26e9041c9c35a4a42e6db1760

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b8055a533f3433fd15d1afbbdb3537e6

SHA1
d1579f4dfe6ec6ae77c8c3701a3f9e78565b25e4

SHA256
0043cdfb61a1a70d98a8fe01bad0820eb9ff1748d5dd6564b8d6357f21f6b1f6

SHA512
eb384803c272ceb421ee214495326d94ca30de0521293f4e6e3f0c14c6298848c160c4ac5f1ba9431ca31b8dfd13d6e22757d9f58b97cf68aa95009a724550f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
bf903b3dae413cfe91c6af0a54b14143

SHA1
887fd102b61edbb67d5d6e1286a77fe052583384

SHA256
cbeb2ec74c28323089c2200e0e50e4a39d8a83dbfa726a4f06e5d69a6e56f6d3

SHA512
08d84938cb98b2cfcb43c4b32974f3e48b6607aa7a88d5d61c022a809e76fba57f29bd713d7d587cd4c74a043984e81a4b0bbaa9e4b82994bd76df4378e7b9bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dae62bd3507c00a63c8e43f6ec55c9f0

SHA1
98b22e4e97c8e8e103ea3341dcb0d20b48ff7c72

SHA256
14466a7fda26df16024f2b48c7672ec13cb50a26c77d36e26dc3f338892046ec

SHA512
7434e87022b5eabea6c93712a34b593e2da0ed7e32b34be4ef5688d50cfffae34d0e71ad488ae9d88dad31a958b8ed31bf84958b8151d8ad553ca3447430dc9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
39522f02f8e81bff8dc8c5808101a9e9

SHA1
483f1fe50422859c8f53a8a701b1e4f0681b5352

SHA256
6de1a1b2aaf17bcc716e97826aed40c658e2f313173b5a1356cd92604b4c19b5

SHA512
99beaa25f4b9cd4f61620d6e180f3d23913a913e9f361c79f3add641d223590872e4f30619309250bd28f4eba7ab5fb23775d759839da16d69838762810f598e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0bc728e163fe635c8f64fe4d0080a541

SHA1
6c38e1a7b5c8746a3ab87467b4a0f98f98520f8d

SHA256
cba8e617e24775662872b3e411808ade47fb54d905f3e408d2ea8ece36357932

SHA512
2ee83a3ccc6a6f556e60737ee77031a69dbefa76a4458139bd1ba4220bbd4ab2b85ea343d9ba2cd5bac4553b19f0473a7d68fd3cc48922267e546c336ac9347c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
51db3c1ce4670b381f915ed9572abdeb

SHA1
23e91364610bff410cf1559ad3846a359c8487c9

SHA256
dc3999bc99e260dfd4bd0c4db888b32e80718c109077c7e2e30858c29a4588c7

SHA512
8ffd0bf79c41e52df2d2f71be403e5272610f8a44a096419cefc7827857a282119951629eb822ec29e89731beaddeac9803ff2c9957260d6bf3f32db5411f823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13a73af5a628330ea49091f0f74d4168

SHA1
a5f1c1345064eb36784a5f85346e554cf9e080d5

SHA256
4cf849b94ade5762bc58eafd2f9605ddbc33c93e7fe0194bd8312b19295f6c2b

SHA512
61939ddf6c7a1089cf512e02826abcf2d87cee0b54b8e3235bf85e6976fcc6412a235c2c09c236394f5c0c787bef9b22914b0cdd6e4b9d8e609723b7c233d8f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d21f772dfa34fa9603b5001163c8191a

SHA1
a078198413f094a80d3b426728ae8ef1d949d9b5

SHA256
8a84906ffd1f830b4f90a3443801b1f51aa84c09cb283f6c7f34947eea11dc7d

SHA512
b81dd0162227da578b6897732674f137dd839f76971d238d26317d9caf3493ac2355d94a5e3885910e906f0b2cf4abbca8880eb1eb2f5fd1259489dcb4edcb0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3f8e6dd5fe9aab911b03ea04fb858c20

SHA1
436a72b9db2c521255fa655b2fbb146f4ca60499

SHA256
ae30389d7a2895e303c7fdfaaf51d9f9657241a1f02075cf2319a20b1dd8137e

SHA512
50942d02e9a623ba98e3f9878f5907bf229a1ddc333143d20220dc9d4617cf65444300f5c4ec09a0b9c1a496e127b99fd2998e567230f884a8646879ee04f7ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef9861e379f34c834cdbcba7b089f88b

SHA1
9760db2a969265afa120f99309ed4983d228dc0b

SHA256
564f2898771afdc1fa796f419916cc6104e3922053ccc7f4e4cbcb6e7868f9f4

SHA512
fe405a7774b6f40ce4cb3f5a29f013395fd972496fece712bdca6719b644dde1f2a844087915f4b41ffadded5dd530679abb53f46b5c94f32944fb3c393fb339

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f6d7edf02eb41ac091224420976318fc

SHA1
1897deff411137952e99a25a94c0fc6bcdbb258c

SHA256
1e1cd5887953f4b57b9bdfa22fb45bab21f922d384f074dd12f010ff47e52ee0

SHA512
e86647c55bd92eb7b97138fecc85699258b47e883d4e47d50493351610bb353ebd48158b30d3fb5375d230173ef212437e23a6d3aa2b6b88965948f8d30eab27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0934eab13df6c1251e69692d450e6b49

SHA1
c7c4808c5b4144abc48aaead812b267266176975

SHA256
932df23254c4da9bd5eef5a1a7f3227d505c799a5916fa2b2740cfd5fd228140

SHA512
2e456af7c9ff3a77581fd47d4f2e900da8e5fcb6b8969aa7051416361c6838255bd9bdbf24506027ed9967df0c03494dff822c46b3832a92c64a3e71d2542f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d636b3e4744ad58d3b314a088b726101

SHA1
ebe1910398eef9f9ece74798207eb169df1a7419

SHA256
3fe0c3ee95865dc08b8517a979dfa9dbdad930af4ddc70258f8a10b2dd72db41

SHA512
9f24300164a315ebf86c2f3b6dc0dad918f28bbd211827da14032f3b651529e74e0f8205203d34e8fcd9d774146e7c8272371278c1c71dce9ddf499d5170b8ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b25f2d6b5322e71d1f3df5c8694bd8a4

SHA1
5a266f32fde0d62451d714f499ba942ed67a4536

SHA256
556be2d6b677a5b61ce1af94d4136e11d02bf891d91ca4fcdb3a2c96bcf270ee

SHA512
7cb4d09835ef5f5cf6448f936ab03aed98676c0a574b2d43b1f404406e3620d7b181d4b681443adc68edf3c64662e9059da4df60a6558f7105d1a0411e7c747f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25a02c2f84bda9ff010a088033b259da

SHA1
a33cdd3bacb852f8b7f0e10cae66503cb05f3df4

SHA256
b897730c46553d5f3b42c8f19b76b514a54adaf3d9502f33247fcb4cf111731b

SHA512
b91b1ad20913b768bb53d8b9ae9b3a89a256d1e65b05f9a534f044ed1f1ea2674d68b79dfe35546c2b47004fedb33fbf8bd2c4303ed05a808e74038ac3cbf202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ddd2c178861199288f4bb64c23303100

SHA1
f10f53ab8fac7cd851324a4a9386f1cfdfc7da45

SHA256
bb292507d6b1189b86c164ed7de7283205a9b76fc777d50d90f4a80fa95090fa

SHA512
4c95f38ad7cf81c5a0a2eaa786c85d2aaf8e81971e2de1f551494f9b2639ce03beb5650ee2eaa711f896583ff7419dc4c0d6159b10b8f726a26f0422f7da0a1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b3c4a4d935be0dcb36fea8b1c1361f79

SHA1
ee7e48cd80f7a978dedc229ffdaae55e4fc5800c

SHA256
e528bf704e890fe3bc4200b673e9e32eb6d5ac9aa4112bdfa0f5c2139ca43783

SHA512
ca91a0e5cfe279dc02455bcc12dc45e7a4cbe509ad18714b0c743a8c39d38dffd0f37e076250a9f4959e3007ff119c460b67ad9ef87ea6ab17682595aeb7ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9731811dd3a97cb597631a8450c00c49

SHA1
0b4618e5bcd2dbebcde999855a542e217b0bd9d4

SHA256
4fa72887b0c946b7a0821f8f1b67cd1385045ff6cd93eea3f87b1be3e2c69609

SHA512
be141b64b1c050963bc7d33e431051ad43ecf1d27858a51c79e16f5b4684b52c2f2888c655ecfd33ac9a8645afea05b341e89e374ce7fb6511341c50283d8823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5dacd9552545f1e8336ec9150acf2f5d

SHA1
dd83b09fa02582bc39ff074d33228600ced12357

SHA256
47a86931fb191564fb6c1262f0efddef474e175fcebfe507bd590078ce43bd30

SHA512
7033baa5c6feecde4bc2add1907745e5506e5cc5ea4c1fd502d869718ee527798e661195b936290880dbc92f71b3a7c5427b2f0d5ecf075c42f6a2fffc84a23b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa0a239b4e035d4633714d194e89200a

SHA1
5e28a4e0a9b89957c955f29d62c1ee0b615d6fe7

SHA256
a169875d422bc8c1f82f78aeaab68789411101e92212d27320464316e8939ad6

SHA512
8aa4b932276f40d0d3acbe7b5d6b5b1724a78a84f82249648f14141bec0c4fe9fa1db491faf1606ee7f95f854029ce24f5b8c5598691492d31d460024998e597

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f81fb95f84d5642251ffe028533d1db0

SHA1
26b5ada412f387bb675bab6b1de1176597478a4f

SHA256
8acd234654aef2068e127b84f1fcdcec5787eb36a28f240b5b1a75b0137939cf

SHA512
76645c87fdd5eda819644a810490a6cd9289fe96a384f90d8485bb74276c4307f3fbf8e9aaa75599bed024d99a3c445e65ba1e56a82ac09827601f830388d2f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
3dbea6dbaa726b4260785b839c6d59da

SHA1
a531453397eed4457131e32d88ef8aac8edf3047

SHA256
c5331c8cef814aaaa0e8e86ec9b9c93d2939d26f5bfd4277f8772f8f4af38ee8

SHA512
0adc68d8e875be577692399b24d41f49ab4539353e607ea8d5dfde562f7f0cd28129f8b27b4b638511fbd1ac255514752591bb79d5c87d405549ee30082d1754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csc.exe.log

Filesize
323B

MD5
4af72c00db90b95c23cc32823c5b0453

SHA1
80f3754f05c09278987cba54e34b76f1ddbee5fd

SHA256
5a99dc099cb5297a4d7714af94b14f170d8a0506899c82d6b8231a220f8dba5d

SHA512
47aa798c4822bfd0b2a9110fcd1531494da99cf6e4aba5b59bfc36e21fcb1bdb5378189318bbb8519f0e8be732d90637f787ab63997d106bbcff31396155f9ef

Download Submit
C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES.zip.crdownload

Filesize
448KB

MD5
d384385d5a5700e28f62032a7b46bc1e

SHA1
ac0d931514909c0a14e90e3f394ad318ba0bc262

SHA256
b54a58c2ce94144923218132bb98b9fda0cafd72da3b8aaef54adf3d2fe4ba4f

SHA512
65afd79c8a6b2ac183657cc3f8aab34ac7470c1c4d2d6942e2ef8bb5da6ba582cf750eda52144811d83e8fdadbef751bca2712d4dddabc08038d7706eb6698bb

Download Submit
C:\Users\Admin\Downloads\CONSOLIDADO PAGO NOMINA PROVEEDORES\CONSOLIDADO PAGO NOMINA PROVEEDORES.exe

Filesize
925KB

MD5
995d3084d0fd6ccc4e85d09b6ca30c12

SHA1
847e8e0116cf85d2a11febab9d0d4c565730aa41

SHA256
cdeab2d0f4995ca3c36fbf98045f7c0ea46f85f47e51b05b14dec1919eaccb81

SHA512
6ce973bb3a6c703763136c4a68bc42724a9caf555115f9810de50edaca1bc7681767b9ceee8cd3cad6720720ad27506f21ad87a98d9f020ce3272ae41e327404

Download Submit
\??\pipe\crashpad_2372_ZYKUYLNLWJJAFTVE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/236-250-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/756-199-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/756-204-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/756-205-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/756-201-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/756-202-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/756-200-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1644-159-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1644-157-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1644-154-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1644-160-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1644-156-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1644-155-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2376-203-0x0000000001460000-0x0000000001470000-memory.dmp

Filesize
64KB

Download
memory/4004-247-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4004-246-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4004-248-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4004-252-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4004-251-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4004-249-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4324-125-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4324-120-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4324-121-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4324-126-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4324-122-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4324-123-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4468-158-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/4736-129-0x0000000006490000-0x0000000006522000-memory.dmp

Filesize
584KB

Download
memory/4736-131-0x0000000006530000-0x0000000006596000-memory.dmp

Filesize
408KB

Download
memory/4736-124-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/4736-169-0x00000000065E0000-0x00000000065EC000-memory.dmp

Filesize
48KB

Download
memory/4736-130-0x00000000029F0000-0x00000000029FA000-memory.dmp

Filesize
40KB

Download
memory/4736-128-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/4736-127-0x0000000005150000-0x00000000051EC000-memory.dmp

Filesize
624KB

Download