91e7675364595193b02989591cdc5dd4775cb911caf67d462a94fa52c8e4504f

Analysis

max time kernel
600s
max time network
603s
platform
windows10-1703_x64
resource
win10-20230220-es
resource tags

arch:x64arch:x86image:win10-20230220-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
03/05/2023, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

game1 (6).zip
Size

11.8MB
MD5

395fc5195d25338573d12e09ef2152fb
SHA1

43a5a013b7f1e4dfcbd746a1f63b0fd0ebeeae9a
SHA256

91e7675364595193b02989591cdc5dd4775cb911caf67d462a94fa52c8e4504f
SHA512

af7fea0858e873c724b56c22d174779979acdf9bd1413d8fd020aa3ebe873f0549e0785ee80970abaaf2ac13f1b62bbaa450fe27ed92676cd99d62199799601a
SSDEEP

196608:dVSHrvfCYfxcvBr0hSQY+mwLJhEijn0tgvVeS4sM4fkj3ytwKpVKyhuhxrCB5i6R:dW2YfEihw+lhEij0GVy4fq3ytwKpA5hY

Score

9^/10

evasion spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a.exe

Executes dropped EXE 1 IoCs

pid	Process
960	a.exe

Loads dropped DLL 3 IoCs

pid	Process
960	a.exe
960	a.exe
960	a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 46 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000200000001aefe-131.dat	themida
behavioral1/files/0x000200000001aefe-130.dat	themida
behavioral1/files/0x000200000001aefe-129.dat	themida
behavioral1/memory/960-132-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-133-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-134-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-135-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-137-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-138-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-139-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-163-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-166-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-168-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-170-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-176-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-177-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-178-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-179-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-210-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-260-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-353-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-419-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-438-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-444-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-446-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-461-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-540-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-541-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-560-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-561-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-564-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-565-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-575-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-576-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-577-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-578-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-579-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-580-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-581-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-582-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-583-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-587-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-588-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-589-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-590-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida
behavioral1/memory/960-591-0x0000000004A60000-0x00000000067FB000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
960	a.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No"	a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No"	a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No"	a.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133276267859501594"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
960	a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
3732	chrome.exe
3732	chrome.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3628	7zG.exe
Token: 35	3628	7zG.exe
Token: SeSecurityPrivilege	3628	7zG.exe
Token: SeSecurityPrivilege	3628	7zG.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: 33	960	a.exe
Token: SeIncBasePriorityPrivilege	960	a.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: 33	960	a.exe
Token: SeIncBasePriorityPrivilege	960	a.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: 33	960	a.exe
Token: SeIncBasePriorityPrivilege	960	a.exe
Token: 33	960	a.exe
Token: SeIncBasePriorityPrivilege	960	a.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe
Token: SeShutdownPrivilege	3732	chrome.exe
Token: SeCreatePagefilePrivilege	3732	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
3628	7zG.exe
960	a.exe
960	a.exe
960	a.exe
960	a.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
960	a.exe
960	a.exe
960	a.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
960	a.exe
960	a.exe
960	a.exe
960	a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 3816	3732	chrome.exe	75
PID 3732 wrote to memory of 3816	3732	chrome.exe	75
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4396	3732	chrome.exe	77
PID 3732 wrote to memory of 4436	3732	chrome.exe	78
PID 3732 wrote to memory of 4436	3732	chrome.exe	78
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79
PID 3732 wrote to memory of 4880	3732	chrome.exe	79

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\game1 (6).zip"
1⤵
PID:1236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1404

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\game1 (6)\" -spe -an -ai#7zMap32572:88:7zEvent725
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3628

C:\Users\Admin\AppData\Local\game1 (6)\a.exe
"C:\Users\Admin\AppData\Local\game1 (6)\a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaa2c49758,0x7ffaa2c49768,0x7ffaa2c49778
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:2
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1944 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4704 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4712 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:1
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4668 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3280 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5496 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2480 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5260 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2684 --field-trial-handle=1728,i,4845601276836605284,1190563666518848868,131072 /prefetch:2
  2⤵
  PID:760

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
905027b780ed9c7f8bc971996c4a35c4

SHA1
f6fd4c7f7d4044879b90a6d683882df6025c0be1

SHA256
05d635a33d7f9e48974a835c87088db75174835f3e567b88ef582e88b95b9b35

SHA512
5a8cc4be26f7e64ccd3b192e96b502613723fa32f799455fddcb39ef39f1c31e38afe7eab6d8bc5f6b99d17528962f663ed452c2bf3d68abb3cda381e8546787

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b5c78afc64ce5027ef7d6113e7af3019

SHA1
c49f5fc2cabe1834abe23cf3c9ea21299bed6030

SHA256
7f118bf7274fe06a7f94a5b9bec75f956a9bedddef5fa3fffebd7af78165ddf8

SHA512
b8d0284e25fff1203a971085d51354fe12925d34cc082de98cb6d2c55ea8b787d971f3de1fc7bd0ab1b690d0608916284381818f3e776d27d9cbe4726c7a222b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4cb318ae8c14d24372d1ade7a95b516c

SHA1
0a8bdbaecb805ce77dd7549e4879cd84d8701e16

SHA256
ffe46862eb0d609ec9657dc66346a0ec2c236c695b0e93ae93f6b054f40fda0d

SHA512
4c56efb4add29b44f203f52b90217ee0ec4c9bf7646c0c3356f139e8b381b054391253b1c18469ca37aba0d212ca304112a5baaa3988683208418fc499a25180

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a3cad34b46c73f47e7d354436e267341

SHA1
ff1e5a177ca0733b2cefc4193d5662fcbc786a16

SHA256
5e752e9e29ab39cae5ad2b06a66a9d5cf60695a53276732581341fc13eb556e4

SHA512
27a2e23a2aedde17dc66a28911a7a40d261e43645c5207db416daa79cb10d1aeea7e0fd030cc3e213751fd6116ba1ded0db314d4c7b4422795b6eeee19432ca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
4ac8394cc2024eee38dd2a454237f34c

SHA1
496d8f63be449e4c783679a96b77512a875c4f6f

SHA256
6b2a10043d188fefb838fdc3c8ffb2e237b76e8a1b0cc7cea39c4d4b71909413

SHA512
1db5e8012912607d2c003d8883bdae00ebf65c895d1b3b5cc79be4bc5a89c5363c0d88f44bc538523db03201a2bba211c818ba65865d754a9ced9d60f00d7889

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ba21c43570a812d01ddef8eeeebd34dc

SHA1
291d5786d2ea6da19fd9bf262159eed9a3c0e968

SHA256
f32a08016c8be92eb81a0f7237dbc564877a4c87e082519d572f03da3b81ee6c

SHA512
e34fc0fbec4e297839d802e398a1ef5fe6e76cafbfdcd75540091a1266eb0d9059aee49217d239c5ab5270fed1b49839ac0a9685ab481c1ea173560d97accaae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ebe514eda32ee466dc66956acb0c234a

SHA1
2f0d1419add8e2db19da1a7fde9fb565e52b2fa2

SHA256
07476e7703f265743c44f38bc84b99ca51702c0e55de3aae3b2d7b40f389e6fb

SHA512
043c5732ab224c03ad7d85bc43710d9236abd08c7d57e7d1706b69ee525ee55d1d641a5973c49a0a1e636b4c5b0daffb80f350a5338a77bd1a78099751ee9882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
72e55da01bc0b086bd9f5ef7e35eede0

SHA1
7815aaf18da8aae8966481934210459711f726d9

SHA256
834632976a714b51eaa78c39a53efa4e2f068819c0ee2b65d7020282a3d62f27

SHA512
dadd7b0cf86083750c077e0d0576e37bd72579a653f74a44bdf9bbc917ca6a3c6bd769ea16a5450c4a5e62e7e59bf474905fea7ec75ea58e47f11c5ac0068700

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
2b94c01410d8fcc47afa6e9da3de714a

SHA1
c7a4c50e2ed93ba0ddb4804fd4afeee0275a8ebd

SHA256
9ddd35a7d452dcdde2279870bc5e39c4f821e4c595700ff583d3605afb23f278

SHA512
422d07d20ee292ebfbda81050fcfc1324be4b9079aabbd3463970373d615ecf1a6cd0f665fd66c0432e4c0069ab3b374941c92075407726d72329b1578d7e41d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c8548f0c20b8603a80aea72e8d4fed34

SHA1
fb935d4d79c10accf8be27012dd403911962a68c

SHA256
3518aa2161823570abc4007f6f4d0d547bf38786544d84ba4f867a9fde9ce660

SHA512
cede01d214e6fdf3bb09d73137d3431ce9276b6c719da38a9ae8a67d84cf1bb24e4612990b1f075df0244c7ff5259cee65fb3bec6e9c317f0a124e4afb1ade32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
90abc6f4946103dace272e0e51f5da3d

SHA1
41351ec5ee4ee6991859934c7bd06e8418ebbced

SHA256
f4646aed5e127221a39da33bdabff262e3f30bd0513f2c75a0de922307fcd19b

SHA512
22ff1876055ebdd6497b32fac29bc18c8767fda7e24be8529492b26ef29b1626cf6f36750b7c6d3d746bacb92aa653423dff0ce73640acfeb89a273c23a0381a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0fddc06742b263a745f37168f74d43d9

SHA1
49368d313f39fd7df3de3bc02e8318e1fcb349bc

SHA256
dc9d541546111181e2bb303e248f47903e648b0c04f7eea15cc903c52f761077

SHA512
141c419d5cd49ef82c41e166d70527a12b60def7b1434030fa39c0771bd8b9940bebe8623841fa9430f17a84808b78b9e6f880ab1a1a014d40d4690c04f39276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
147KB

MD5
d0e8371e2a801a44081c8e7826d724d1

SHA1
b02cb7f6667cdfef5e29066e19a2a71ea58b97fa

SHA256
2b2cba758f52622aa881764a3bc8732ff0affba2bc917760cbb33ed0880f9a6b

SHA512
a9742d6cc49a59ebf4cea0fe776800139c845bc395f48d6756dc136d90efdd5e57c91aca8d252ff83a4b2cb4ba98e6ba6b92961edca1e74b3bb38e1fdc04a02d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
147KB

MD5
06184af2eb2b1d6623cac8e4e957d581

SHA1
3b9a33fc2884376afb2cd81e4a6d739f6e5529ed

SHA256
8cecdca6cb5081aa1d5ce12ca8089996e5b26a253cd135976a1e6fe868cfd8f7

SHA512
76bf29ec30ed22b6e9b1baab8a200a7f7e1fbd88873696cd27c78026a188a3a025e9f054a324006b017954629c00b24d035f53cf23a0527a142b9a806df9402f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\game1 (6)\HOJZNJGTEW.FVW

Filesize
11.5MB

MD5
2cfa595933615cfca8c96cc459cfe9fb

SHA1
8626e1d181f7c48f3b504beff09e170bf7b662df

SHA256
fd9856fa6505bec6dde5c576d2c63fb5d6105328fd5d31d701e1d02b5daa2c2a

SHA512
36e3340cc264c7849dfeef250789add2181da6543a69d27ab804d7cc85c46d122c0e7fa43e9b6271829c0769f64c8a91bb9a59c8ebdea33b076c0871eb655d2b

Download Submit
C:\Users\Admin\AppData\Local\game1 (6)\a.ahk

Filesize
186B

MD5
3e6cf1bde2ea7dd2befd373fb5523d2c

SHA1
e211a21cc32c13478ee4208279b371013de76f5f

SHA256
819b8c6c7a963238cef57cec1a256db1f6d78dce5d611a3700f65f702f33e8e3

SHA512
baec4c5071b152afdbd16badbc839f72f458de394d7824b368c818546b8706bb8f5f8cc83c50435389b46b47515bd8daedf9561eada3beff82c792dc684e7487

Download Submit
C:\Users\Admin\AppData\Local\game1 (6)\a.exe

Filesize
889KB

MD5
03c469798bf1827d989f09f346ce95f7

SHA1
05e491bc1b8fbfbfdca24b565f2464137f30691e

SHA256
de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

SHA512
d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

Download Submit
C:\Users\Admin\AppData\Local\game1 (6)\a.exe

Filesize
889KB

MD5
03c469798bf1827d989f09f346ce95f7

SHA1
05e491bc1b8fbfbfdca24b565f2464137f30691e

SHA256
de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

SHA512
d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

Download Submit
\Users\Admin\AppData\Local\Temp\84e42bf.dll

Filesize
8KB

MD5
d8f4ab8284f0fda871d6834e24bc6f37

SHA1
641948e44a1dcfd0ef68910768eb4b1ea6b49d10

SHA256
c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912

SHA512
f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0

Download Submit
\Users\Admin\AppData\Local\game1 (6)\HOJZNJGTEW.FVW

Filesize
11.5MB

MD5
2cfa595933615cfca8c96cc459cfe9fb

SHA1
8626e1d181f7c48f3b504beff09e170bf7b662df

SHA256
fd9856fa6505bec6dde5c576d2c63fb5d6105328fd5d31d701e1d02b5daa2c2a

SHA512
36e3340cc264c7849dfeef250789add2181da6543a69d27ab804d7cc85c46d122c0e7fa43e9b6271829c0769f64c8a91bb9a59c8ebdea33b076c0871eb655d2b

Download Submit
\Users\Admin\AppData\Local\game1 (6)\HOJZNJGTEW.FVW

Filesize
11.5MB

MD5
2cfa595933615cfca8c96cc459cfe9fb

SHA1
8626e1d181f7c48f3b504beff09e170bf7b662df

SHA256
fd9856fa6505bec6dde5c576d2c63fb5d6105328fd5d31d701e1d02b5daa2c2a

SHA512
36e3340cc264c7849dfeef250789add2181da6543a69d27ab804d7cc85c46d122c0e7fa43e9b6271829c0769f64c8a91bb9a59c8ebdea33b076c0871eb655d2b

Download Submit
memory/960-166-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-540-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-179-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-177-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-210-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-176-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-170-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-168-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-260-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-353-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-167-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/960-419-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-164-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/960-163-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-438-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-141-0x0000000061E00000-0x0000000061EC1000-memory.dmp

Filesize
772KB

Download
memory/960-444-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-446-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-139-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-461-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-138-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-137-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-135-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-178-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-541-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-134-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-133-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-560-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-561-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-564-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-565-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-132-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-575-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-576-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-577-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-578-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-579-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-580-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-581-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-582-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-583-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-587-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-588-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-589-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-590-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download
memory/960-591-0x0000000004A60000-0x00000000067FB000-memory.dmp

Filesize
29.6MB

Download