f9571da74ff23e82bab0a97fc2e26deee93ca0f8413b746c0ae432f180d0ab2f

Analysis

max time kernel
1200s
max time network
1168s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
11/02/2024, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.html
Size

18KB
MD5

dfc167e7bcf8c4297e8230abfecab725
SHA1

1d71b95b8785f93ab7d737b87e0263099e01c735
SHA256

f9571da74ff23e82bab0a97fc2e26deee93ca0f8413b746c0ae432f180d0ab2f
SHA512

2f95b81e2c6e191b87e5cc4eb824d40e67d797ec927c9ddfe7bd043348572a88f5f5b5f19dc8af2ce599c9e04a3141111d213f51edb8e0558525d2bf7c7646de
SSDEEP

384:rPZmDpmReVoOs4dN9ylKeGMjUhHhhbuTeK7UIN2weCP+VJCBXQL:rBmBVoOs4dryI1MgBhbyesU/vJQQL

Score

10^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinXP.Horror.Destructive (Created By WobbyChip).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
23	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WinXP.Horror.Destructive (Created By WobbyChip).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Control Panel\Mouse	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Control Panel\Mouse\SwapMouseButtons = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133521399088194181"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3616	chrome.exe
3616	chrome.exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeCreatePagefilePrivilege	3616	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1780	WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 3724	3616	chrome.exe	78
PID 3616 wrote to memory of 3724	3616	chrome.exe	78
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 4424	3616	chrome.exe	80
PID 3616 wrote to memory of 5068	3616	chrome.exe	82
PID 3616 wrote to memory of 5068	3616	chrome.exe	82
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81
PID 3616 wrote to memory of 4800	3616	chrome.exe	81

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca0149758,0x7ffca0149768,0x7ffca0149778
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:2
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4800 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5084 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:1
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5272 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5656 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1812,i,7602237261137920439,7942632832364706066,131072 /prefetch:2
  2⤵
  PID:1772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3256

C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe
"C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1780

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4256

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004D0
1⤵
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
eb6aa4e121b142ba0d5ec988cc4251d8

SHA1
226dd7f4e11d980a3f86592339c05f38da95f756

SHA256
fee319736c616c21f2815dae3914016d9c3e7dcb66da25b0979c2c626ae560ab

SHA512
6cf02b1e1e7fc9f6098d2a1c1576829961fdfd06472dc466f27489ed268255b161223a4c3126293c6d867be82ca2446114cb749a9fe1ecbcb7c5a52a26530e44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
751ce7f8ea4a17f4a015bb3a118ff945

SHA1
85a1211c333d662757fc966ef226ff35cdf2329c

SHA256
2e0aab06f62478fb8e1c165d58aa4739b151c84caa51689ae825b44ea2e36dec

SHA512
20be1b66a0ce82722c1059b72845a68fade8d7c77cef7c3aff875cc65c0b06f0263e51ae3b6b75f3ba5bdd6da81d62cd924f919ebf77c21dd935dd8daeed0abd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
66cf2ad1be83b80fbd1e293b07fd4916

SHA1
571568551555e5e62c61e285c7e32cbb5ffc51ac

SHA256
756c55078c7c72351bb0801b9e86d1f2b48a1f81bb3ea4543851a91617086afe

SHA512
4d8c21db23c148c8e9033979a5c7eb4be37f92a8b9627ee4b27b3536c352c33903a6770d39c41074aa348783ef6cf386170badeba6541406eb64852b429bc752

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0dbe9409924e10af2bd315e8f94885a8

SHA1
7514d301bfb9a9b5886f2915f3f0ef5e2c1b8518

SHA256
5fd87691ff07652c7dd82b4e8c4dd528854be223205fcd37a75ca4f7c94b255a

SHA512
13656dc19f90c04d02390edc9f5b345c189e09fad1f6d618bb02f8c0c24d4e723916efcfb19e27df83f1a5452a09ebeabdc8ec822a69e6a43f363e1950aed107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
23f2f4b23408c54a5cadc95608e4af82

SHA1
1adc95b2e47ad6c600bb1c1d2835b6723afceeaf

SHA256
09b2e8661bc1fa749ca1dbe5068c34d5ef509c09e370c55a32cd8d8671426b36

SHA512
18ef2c2ae6fda926ec93e1a3979f9d14b0b69023e8b3c7f5c96220d754d5f5f07752bb1abcdcb5e0901d0673ef09080ac4130e932eee4f53cacfd0a8712075e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
04026b3cc1e5c68935edbfddbfcbbc73

SHA1
ff907097e5994ff5bfa297ff0fd747119eb76f62

SHA256
451655bc2c2a7e2782f4b92b8f3b4399849f8b265cb7a0077966b20c0f92f781

SHA512
8a9a0161b3cdbd3858abf6d529bd98892bb0ddd7920c2fa3b20e01cf568ae7597d66111546a8a09e96d500fe97e691d8140ef48766387c3c1c61d322afd73d04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
29ad6e953e5292a5983db0152b88d378

SHA1
5249863cfea3ac0031d69236a6b3da028dff9717

SHA256
a2d27cc1c0c5c5a0a466086e9f273f3500df924211ca8149b507584d2600506b

SHA512
d5058cccc970db223bb182aec4a0991d381050d1c80c6c99fd79166a183db967c859172126014c218ac63d23a85f19c61ae68cc9238c24e220d73ecfeda2e305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8cdfa9390db851d4faab9152b445fea9

SHA1
6b80f3da0b1d9fda3aef21b44824a26ed84b7710

SHA256
2961219588fd5df43e5d474f6c8d510d70997da2c28694871670c27640f398be

SHA512
53d6cca6f1b6912622b01d46951cc8fae7f4dac5a02f894589bf72e8f744be3403d32f862dcd383e8d3b437f6be26f6620700070eb613fae0f84d3a64ea07252

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
317f8498f9cadf9044dbecd2ace88462

SHA1
59512eb4486cef17fea100e00d6ed9cce2cdce10

SHA256
3614b9e6c064cb8a8222c9e0cc73b865d88b229463312c1cf5396dfc88ed6d96

SHA512
aae5f3e77ee0ac68bf511a1482f93da1ac868f98b5754236b199479b1119fa65b33644daca23539468b09269aa834b7194b146a8d1d513758fcf42338fee5bb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d2c173394efce13b4b2b8c6797cd7aa9

SHA1
a66c3a3e4bd0a198c6c26726657ac06acc9e14e3

SHA256
765b294a525a7bd70011b7fea8f8a9e87f6568a879fc1b3b4316d087e4da020e

SHA512
a3f2a3a1b69a3f4bc970fff19c4f22f9682a1b521fae0baf73a291d439251f53e4a90ce01017d3a175ffca3837ebe038a06f79ce31c896dbdde39eb2ac3d8a5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
642b4f3f8b521df882a591cca2ef536d

SHA1
845313ca0544d41fcb5ed3fbd761b9e4c6cf01a1

SHA256
9f4671c86de0ca150c94fe5362857b391a7c1c6bf34b29e1e29444125001bc44

SHA512
2b3d3196661cf9d42ff571cd5a422762227a7916b479669bba098e9b3f2d8ccff170deaca897d4ea7d526428d140650a1ab90c2587605cf4eb91d3bee86f2e4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5f3ecc4939aa1bf999c3eee9072d3184

SHA1
59850c8496d6dabd1ed54ad87e7ccbba4a654a40

SHA256
f2cf8022ded7a23be55e315bba1986d843881add9d2966f0353f5c34219e3198

SHA512
1c620e7c6d98adbf38478e6e0d2ca1e083a3ac5aac74e9f62019cb737e72206d7ce6d5bff75c56704f3fe47de3d67ce8c04364e2a22a177e85cc66842a1ec5de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5f07b90e352db0500d29238db73cfc55

SHA1
b170d8ab1a1537fa1f2fd76a4144163a0d403ac2

SHA256
3b667667947ee3b806dd4c68a1e6f3ae7102613163ac6a839b4d455ac4b901b9

SHA512
787c45e7f52e28e49f1706c4fdeffebba27794c3aa4b303cd524d0513663d31f8d62ad1f7928b497d6077683b14b6d3ba055968c0a94c6b49bf55501f85671e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c1df11b2125140e8238537a35af6e417

SHA1
7a0dad791a436ba536b5fcb52ff7713127af18de

SHA256
c4d196c8c96f1d34875b56f0d75272713bfd2888510d56b46bd18e68b31f8205

SHA512
3bcf1690195998d324852b7d3f74f2ee3603aad3e80da29f876469aa24a1f2212a843d06a2b4328bdb6f7f9943d08bc05d0b7e29fd13371e30ade27fd64ef3a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
adc544ba3ce98e09390a56a547a0220e

SHA1
0aaac4d2473c82e070fa710874d8ef180522d53d

SHA256
13c622f4dd4643a3097cc38b8882bf1ef9e0a21606d14f6f3f745122bae1a22a

SHA512
c7a0bb570822ced1490b3161500d13059b84d3737054096d2f5640bee57435a8c9d7c3f27cb7761a818ca4150c3386bb196cc1e7454067320f090217f98258dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\1ab3e4a9-6b60-449a-b7a9-d014622a68f5\0

Filesize
1.9MB

MD5
d3721cc37d894ee4d415c54fc22a3721

SHA1
dba472c139cc24f5e33f3913f69531c7d2f1b3da

SHA256
c0ca531e36fc21c7e98db87a0c7fc696fc8d856731a63fdfc5ce938aaa33dde1

SHA512
d180c5bf387139153faf5ee7a37f3441fed2d03424eaf638c1467350c0f4832432201fcc97d473e6b049663dedbb508ce5adc1fcb97335c5700cbe33118ea602

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
54a4251bbda7ee98c483d0eb6312cca9

SHA1
07b51d5da8bbbaa3043e678d2b448485535d9c0e

SHA256
0fbe229f0de1986ba6c197e3293b5897e91a82d8e355cd30d75a5b59efd66dd5

SHA512
4848b04b286add2ffad1c0002c6996d12aa256e15bce51905805312e14519dee3adacb7549df43b7947efe2119ca4ea384b56161e9e037ff8a594930b603aba4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
6945eb89462937d3fd7be48049e0b1ce

SHA1
1f5699a0867c3ba0e591e6247adeb2b6d248e239

SHA256
823d3849551b6ecf35c48bf353f62adbb7777c66a2628c92634e08f3938d335f

SHA512
0b59a83ac64b6658d8d6c27c97c80d485e6a1d3d3f00cc1914da5245cd4f75f815148e490448ddda7ae2285a5af4c94bb5437d56baf70391e1093ae9175025fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5891fa.TMP

Filesize
89KB

MD5
ac3cb26df54664ee27095143de0f4f46

SHA1
000bcf4e8debfbd439cb9edc231459e38505326e

SHA256
8ae80da44a5d4ae37ec27e5be4b8cb8bba5fb72eade6ff81743094eed9169051

SHA512
9cb2c2fc0fa107ad2e71e9eb511ea98f1223ae66ed62c5d037f08b43c5d6b144c406f4d8e814eccb7f1401a66b87427825dbf8ec8e5a09e6052166461f93c460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe

Filesize
5.1MB

MD5
eb72fb19fbc65a15747b47750d1330bb

SHA1
f97e02d8ffc5d886d3f3dc8cec3da8c63a4a8019

SHA256
b2a260cf5435b3739d4d09e1111ffc89203248ba1f3dc74d67b912f51f716185

SHA512
f7269299124ee09639673770d81078c1456a87f6b188c9f99e9fd33c8d187cf0d1afc4e56a1308eb9351fa9a563a9b0091ba273db8eb751c8592f1dadfd823b5

Download Submit
C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe

Filesize
3.2MB

MD5
85aacb150e1ff2a632b6dd977ce13f98

SHA1
00fd2fc4ab15d7854ed8cd4cef64b1501b581148

SHA256
8c17d779dc76f864904113aa64442b46b52c74b173f260a83a1a6afb3a4a9ead

SHA512
a49d7bf47165f0b00089ad39fd3e6fc6ad46d013c9018e63d31e2739d5b354c5d64c6c9e5edc653a9fa9b452c7def1fe61eba8977560748fc4e61ddc4c668648

Download Submit
C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe

Filesize
1.8MB

MD5
1b22039b8fad649fc7dcae7d87ade6ae

SHA1
350af92db1395566a8c122fb6cdb4052ae2ad7d1

SHA256
5b5b2699f8614ab1b8056f8d05efb3971ec388c651e320c66bfe555ee460058f

SHA512
dfb3d03a929c29a144bc91e10d65b5f0cdf5d0daecf7522b0ab6949c325dfbe2d3ebab7183fbec74b77997b2461464228518b1413523c85d0f24b19a28052026

Download Submit
memory/1780-372-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-407-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-343-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-354-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-357-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-358-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-359-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-360-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-361-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-336-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-335-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-374-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-375-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-377-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-378-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-379-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-316-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-389-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-392-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-394-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-395-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-396-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-309-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/1780-344-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-410-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-411-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-412-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-413-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-416-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-417-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-418-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-419-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-420-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-421-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-422-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-424-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-425-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-426-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-427-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-430-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-432-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-433-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-435-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-436-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-438-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1780-440-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download