1288f308ec81e644153a7849f6bf96bcfe5f5e295325522cea91e99f447f57a9

Analysis

max time kernel
319s
max time network
377s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2025, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe
Size

25.3MB
MD5

b25bc5ff336fd04cb088213c4edf6584
SHA1

a7c1aa8395ef64c4cf917e7728ed65e81f47fdb3
SHA256

1288f308ec81e644153a7849f6bf96bcfe5f5e295325522cea91e99f447f57a9
SHA512

2284639e298c5d814a0b0c466fd9028c0be948367ea85e897a551fa142f6ff91c0cb16b9da6bde50838286701757afc65edacfbfa7d1c9985e479d58f702f17a
SSDEEP

786432:yVqvn+uWhGe32cX5oUjNcWje5cIFCjil39:yV0+Rx32cX5TjNcWje5TFCOl39

Score

8^/10

defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3256	netsh.exe
5784	netsh.exe
5028	netsh.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_8207ba80cf22e40a\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_585900615f764770\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_702fdf2336d2162d\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_585900615f764770\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_702fdf2336d2162d\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_702fdf2336d2162d\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_702fdf2336d2162d\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_8207ba80cf22e40a\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_84ea762c0a90c362\mshdc.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_84ea762c0a90c362\mshdc.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_585900615f764770\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_585900615f764770\usbport.PNF	dxdiag.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	UpdaterSetup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\603d3c47-84d6-4fc2-a494-48e221e5f305.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\a2974b12-abb0-4c6b-8555-5bea696933fe.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\603d3c47-84d6-4fc2-a494-48e221e5f305.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\uninstall.cmd	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\04275a15-6b03-4451-b6ee-c11d1de2206f.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57edcb.TMP	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57c515.TMP	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57c62e.TMP	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\bb659b40-6f08-4a39-a16c-9b73bcd45462.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\04275a15-6b03-4451-b6ee-c11d1de2206f.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\uninstall.cmd	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\a2974b12-abb0-4c6b-8555-5bea696933fe.tmp	updater.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\Google1444_1528559655\bin\uninstall.cmd	UpdaterSetup.exe
File created	C:\Windows\SystemTemp\Google1444_1528559655\bin\updater.exe	UpdaterSetup.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_2086347632\_metadata\verified_contents.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_2086347632\manifest.fingerprint	updater.exe
File opened for modification	C:\Windows\SystemTemp	UpdaterSetup.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_1960_538039519\-47b07d71-505d-4665-afd4-4972a30c6530-_25.3.338.12_all_ad3g6e4oltp67fnbkapurlw64pyq.crx3	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_2086347632\HPE-25.3.338.12-CIP.exe	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_2086347632\manifest.json	updater.exe
File created	C:\Windows\SystemTemp\Google1444_1748763423\UPDATER.PACKED.7Z	UpdaterSetup.exe
File created	C:\Windows\SystemTemp\Google1444_1528559655\updater.7z	UpdaterSetup.exe

Executes dropped EXE 12 IoCs

pid	Process
3084	crashpad_handler.exe
5296	crashpad_handler.exe
1444	UpdaterSetup.exe
2488	updater.exe
5700	updater.exe
1288	updater.exe
4812	updater.exe
1960	updater.exe
6052	updater.exe
2828	HPE-25.3.338.12-CIP.exe
4848	updater.exe
5124	updater.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5924	sc.exe

Loads dropped DLL 3 IoCs

pid	Process
2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe
2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe
4668	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdaterSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ = "IPolicyStatus2"	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ = "IUpdaterAppStateSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FC1132BC-C84F-5D90-9BB6-3D44C6394B28}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ = "IAppBundleWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\ = "{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{FC1132BC-C84F-5D90-9BB6-3D44C6394B28}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\ = "{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ = "IGoogleUpdate3Web"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\ = "{27634814-8E41-4C35-8577-980134A96544}"	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\ = "IUpdaterSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib\ = "{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\ = "{6430040A-5EBD-4E63-A56F-C71D5990F827}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ = "IAppCommandWeb"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FC1132BC-C84F-5D90-9BB6-3D44C6394B28}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5BB0C40-8078-5D97-80DD-2C8F4510263D}\ = "IUpdaterInternalCallbackSystem"	updater.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe
5024	dxdiag.exe
5024	dxdiag.exe
2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe
2488	updater.exe
2488	updater.exe
2488	updater.exe
2488	updater.exe
4880	dxdiag.exe
4880	dxdiag.exe
4880	dxdiag.exe
2488	updater.exe
2488	updater.exe
1288	updater.exe
1288	updater.exe
1288	updater.exe
1288	updater.exe
1288	updater.exe
1288	updater.exe
1960	updater.exe
1960	updater.exe
1960	updater.exe
1960	updater.exe
1960	updater.exe
1960	updater.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe
Token: 33	1444	UpdaterSetup.exe
Token: SeIncBasePriorityPrivilege	1444	UpdaterSetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5024	dxdiag.exe
4880	dxdiag.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 3084	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	78
PID 2564 wrote to memory of 3084	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	78
PID 2564 wrote to memory of 4912	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	79
PID 2564 wrote to memory of 4912	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	79
PID 2564 wrote to memory of 5024	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	81
PID 2564 wrote to memory of 5024	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	81
PID 2564 wrote to memory of 4668	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	84
PID 2564 wrote to memory of 4668	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	84
PID 4668 wrote to memory of 5296	4668	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	85
PID 4668 wrote to memory of 5296	4668	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	85
PID 2564 wrote to memory of 4880	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	86
PID 2564 wrote to memory of 4880	2564	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	86
PID 4668 wrote to memory of 1444	4668	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	87
PID 4668 wrote to memory of 1444	4668	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	87
PID 4668 wrote to memory of 1444	4668	Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe	87
PID 1444 wrote to memory of 2488	1444	UpdaterSetup.exe	88
PID 1444 wrote to memory of 2488	1444	UpdaterSetup.exe	88
PID 1444 wrote to memory of 2488	1444	UpdaterSetup.exe	88
PID 2488 wrote to memory of 5700	2488	updater.exe	89
PID 2488 wrote to memory of 5700	2488	updater.exe	89
PID 2488 wrote to memory of 5700	2488	updater.exe	89
PID 1288 wrote to memory of 4812	1288	updater.exe	91
PID 1288 wrote to memory of 4812	1288	updater.exe	91
PID 1288 wrote to memory of 4812	1288	updater.exe	91
PID 1960 wrote to memory of 6052	1960	updater.exe	93
PID 1960 wrote to memory of 6052	1960	updater.exe	93
PID 1960 wrote to memory of 6052	1960	updater.exe	93
PID 1960 wrote to memory of 2828	1960	updater.exe	100
PID 1960 wrote to memory of 2828	1960	updater.exe	100
PID 4848 wrote to memory of 5124	4848	updater.exe	102
PID 4848 wrote to memory of 5124	4848	updater.exe	102
PID 4848 wrote to memory of 5124	4848	updater.exe	102

C:\Users\Admin\AppData\Local\Temp\Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe
"C:\Users\Admin\AppData\Local\Temp\Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd\crashpad_handler.exe
  C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Local\Google\Play Games\CrashReporting\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Battlestar --annotation=ver=25.3.319.0 --initial-client-data=0x6a8,0x6ac,0x6b0,0x6a4,0x6b4,0x7ffe62afd400,0x7ffe62afd410,0x7ffe62afd420
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C dir /s /-c "C:\"
  2⤵
  PID:4912
- C:\Windows\System32\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe" /t "C:\Users\Admin\AppData\Local\dxdiag.log"
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Install-CookieRun_ Kingdom-GooglePlayGames-Beta.exe" -install gpg_install_07b2faad-92ce-4440-b54c-15d2fd2c80bc "C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd\crashpad_handler.exe
    C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Local\Google\Play Games\CrashReporting\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Battlestar --annotation=ver=25.3.319.0 --initial-client-data=0x3dc,0x3e0,0x3e4,0x3d8,0x3e8,0x7ffe62afd400,0x7ffe62afd410,0x7ffe62afd420
    3⤵
    - Executes dropped EXE
    PID:5296
- - C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd\UpdaterSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd\UpdaterSetup.exe" /install "runtime=true&needsadmin=true" /silent
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SystemTemp\Google1444_1528559655\bin\updater.exe
      "C:\Windows\SystemTemp\Google1444_1528559655\bin\updater.exe" --install=runtime=true&needsadmin=true --silent --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/enterprise_companion/*=2,*/chrome/updater/*=2
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\SystemTemp\Google1444_1528559655\bin\updater.exe
        
        C:\Windows\SystemTemp\Google1444_1528559655\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0xb06290,0xb0629c,0xb062a8
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5700
- C:\Windows\System32\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe" /t "C:\Users\Admin\AppData\Local\dxdiag.log"
  2⤵
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4880
- C:\Program Files\Google\Play Games\Bootstrapper.exe
  "C:\Program Files\Google\Play Games\Bootstrapper.exe" "googleplaygames://deeplink/details?id=com.devsisters.ck&eip=CnAKEWNvbS5kZXZzaXN0ZXJzLmNrElsSWQo-aHR0cHM6Ly9wbGF5Lmdvb2dsZS5jb20vc3RvcmUvc2VhcmNoP3E9Y29va2llcnVuJTIwa2luZyZjPWFwcHMSABoVaHR0cHM6Ly93d3cuYmluZy5jb20vEhxBWmZ6TkJUWkl1ZUR2QUIyOFM2aGIzeHctaFNrGP3t57TkMg%3D%3D&doc-referrer=https://www.bing.com/&source-path=/store/search"
  2⤵
  PID:3520
- - C:\Program Files\Google\Play Games\current\service\Service.exe
    "C:\Program Files\Google\Play Games\current\service\Service.exe" "googleplaygames://deeplink/details?id=com.devsisters.ck&eip=CnAKEWNvbS5kZXZzaXN0ZXJzLmNrElsSWQo-aHR0cHM6Ly9wbGF5Lmdvb2dsZS5jb20vc3RvcmUvc2VhcmNoP3E9Y29va2llcnVuJTIwa2luZyZjPWFwcHMSABoVaHR0cHM6Ly93d3cuYmluZy5jb20vEhxBWmZ6TkJUWkl1ZUR2QUIyOFM2aGIzeHctaFNrGP3t57TkMg%3D%3D&doc-referrer=https://www.bing.com/&source-path=/store/search"
    3⤵
    PID:3992
  - - C:\Program Files\Google\Play Games\current\emulator\crashpad_handler.exe
      "C:\Program Files\Google\Play Games\current\emulator\crashpad_handler.exe" --no-rate-limit "--database=C:\Users\Admin\AppData\Local\Google\Play Games\CrashReporting\Crashpad" --url=https://clients2.google.com/cr/report --annotation=bss_session=afabed4b-7828-47b1-8a6b-a6674aced1b4 --annotation=channel=Beta "--annotation=cpu=Intel Core Processor (Broadwell)" --annotation=gpu_hw_scheduler=False --annotation=prod=Battlestar "--annotation=system=BOCHS_ BXPC____" --annotation=ver=25.3.338.12 --annotation=whpx=False "--attachment=C:\Users\Admin\AppData\Local\Google\Play Games\Logs\emulator_logs\vk_abort_mem_info.log" --initial-client-data=0xa88,0xa8c,0xa90,0xa64,0xa94,0x7ffe5671d400,0x7ffe5671d410,0x7ffe5671d420
      4⤵
      PID:3056
- C:\Windows\System32\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe" /t "C:\Users\Admin\AppData\Local\dxdiag.log"
  2⤵
  PID:224

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0xdf6290,0xdf629c,0xdf62a8
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4812

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0xdf6290,0xdf629c,0xdf62a8
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6052
- C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_2086347632\HPE-25.3.338.12-CIP.exe
  "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_2086347632\HPE-25.3.338.12-CIP.exe" /o{47B07D71-505D-4665-AFD4-4972A30C6530} /l1518 /noui
  2⤵
  - Executes dropped EXE
  PID:2828
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C dir /s /-c "C:\Windows\TEMP\Google\Play Games\r4ynu4ug.ved"
    3⤵
    PID:868
- - C:\Windows\TEMP\Google\Play Games\r4ynu4ug.ved\7zr.exe
    "C:\Windows\TEMP\Google\Play Games\r4ynu4ug.ved\7zr.exe" x "-oC:\Program Files\Google\Play Games\current" -y -bso0 -bsp1 "C:\Windows\TEMP\Google\Play Games\r4ynu4ug.ved\archive.7z"
    3⤵
    PID:2312
- - C:\Program Files\Google\Play Games\current\GooglePlayGamesServicesInstaller.exe
    "C:\Program Files\Google\Play Games\current\GooglePlayGamesServicesInstaller.exe" /silent
    3⤵
    PID:2672
  - - C:\Windows\SystemTemp\Google2672_2054299730\bin\updater.exe
      "C:\Windows\SystemTemp\Google2672_2054299730\bin\updater.exe" --silent --install=appguid={5B9D6427-8AB1-42D0-9F13-4EE089071B8E}&appname=Google+Desktop+Services&needsadmin=true --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
      4⤵
      PID:5500
    - - C:\Windows\SystemTemp\Google2672_2054299730\bin\updater.exe
        
        C:\Windows\SystemTemp\Google2672_2054299730\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6512.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6512.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0xa3d68c,0xa3d698,0xa3d6a4
        5⤵
        
        PID:5636
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "Google Play Games Service"
    3⤵
    - Modifies Windows Firewall
    PID:3256
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule dir=in action=allow enable=yes profile=domain,private,public protocol=tcp "description=Google Play Games Service" "name=Google Play Games Service" "program=C:\Program Files\Google\Play Games\current\emulator\crosvm.exe"
    3⤵
    - Modifies Windows Firewall
    PID:5028
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule dir=in action=allow enable=yes profile=domain,private,public protocol=udp "description=Google Play Games Service" "name=Google Play Games Service" "program=C:\Program Files\Google\Play Games\current\emulator\crosvm.exe"
    3⤵
    - Modifies Windows Firewall
    PID:5784
- - C:\Program Files\Google\Play Games\current\Applicator.exe
    "C:\Program Files\Google\Play Games\current\Applicator.exe" "anv" "25.3.338.12" "Admin" "C:\Users\Admin\AppData\Local"
    3⤵
    PID:4640
  - - C:\Program Files\Google\Play Games\current\service\InstallHypervisor.exe
      "C:\Program Files\Google\Play Games\current\service\InstallHypervisor.exe" --ghaxm --install-source "Fresh" --driver-dir "C:\Program Files\Google\Play Games\current\service"
      4⤵
      PID:3140
    - - C:\Windows\system32\sc.exe
        
        "sc" create googlehaxm binpath= "C:\Windows\system32\drivers\GoogleHaxm.sys" type= kernel start= system displayName= "GHAXM"
        5⤵
        Launches sc.exe
        
        PID:5924
- C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\GooglePlayGamesServicesInstaller.exe
  "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\GooglePlayGamesServicesInstaller.exe"
  2⤵
  PID:2700
- - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\GooglePlayGamesServicesInstaller.exe
    C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\GooglePlayGamesServicesInstaller.exe
    3⤵
    PID:1476
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\data\installer_windows.assets\crashpad_handler.exe
      C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\data\installer_windows.assets\crashpad_handler.exe --no-rate-limit "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Google\Play Games Services\CrashReporting\Crashpad" --url=https://clients2.google.com/cr/report --annotation=assembly=ASSEMBLY_INSTALLER "--annotation=dart_version=3.8.0-265.0.dev (dev) (Thu Apr 3 21:12:43 2025 -0700) on \"windows_x64\"" --annotation=prod=Google_Desktop_Services --annotation=release_channel=RELEASE_CHANNEL_PRODUCTION --annotation=ver=25.4.291.0 --initial-client-data=0x640,0x644,0x648,0x638,0x64c,0x7ffe52b787a8,0x7ffe52b787b8,0x7ffe52b787c8
      4⤵
      PID:2384
  - - C:\Program Files\Google\Play Games Services\25.4.291.0\temp-e38baebe\7zr.exe
      "C:\Program Files\Google\Play Games Services\25.4.291.0\temp-e38baebe\7zr.exe" x "-oC:\Program Files\Google\Play Games Services\25.4.291.0" -y -bso0 -bsp1 "C:\Program Files\Google\Play Games Services\25.4.291.0\temp-e38baebe\archive.7z"
      4⤵
      PID:4964

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:2528

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --wake --system
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0xdf6290,0xdf629c,0xdf62a8
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5124

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update-internal
1⤵
PID:2280
- C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0xdf6290,0xdf629c,0xdf62a8
  2⤵
  PID:1568

C:\Program Files\Google\Play Games Services\25.4.291.0\Service\GooglePlayGamesServices.exe
"C:\Program Files\Google\Play Games Services\25.4.291.0\Service\GooglePlayGamesServices.exe"
1⤵
PID:5384
- C:\Program Files\Google\Play Games Services\25.4.291.0\Service\data\windows.assets\crashpad_handler.exe
  "C:\Program Files\Google\Play Games Services\25.4.291.0\Service\data\windows.assets\crashpad_handler.exe" --no-rate-limit "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Google\Play Games Services\CrashReporting\Crashpad" --url=https://clients2.google.com/cr/report --annotation=assembly=ASSEMBLY_DAEMON "--annotation=dart_version=3.8.0-265.0.dev (dev) (Thu Apr 3 21:12:43 2025 -0700) on \"windows_x64\"" --annotation=prod=Google_Desktop_Services --annotation=release_channel=RELEASE_CHANNEL_PRODUCTION --annotation=ver=25.4.291.0 --initial-client-data=0x900,0x9a4,0x904,0x970,0x8e8,0x7ffe4fe387a8,0x7ffe4fe387b8,0x7ffe4fe387c8
  2⤵
  PID:5064

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update
1⤵
PID:1528
- C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0xdf6290,0xdf629c,0xdf62a8
  2⤵
  PID:5872

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\settings.dat

Filesize
40B

MD5
459b0f9c86b234bab389eee8d7d878fc

SHA1
7956808e996c7f223e73d8bd17ff2d9105fea1e6

SHA256
1e7e3a283f472568fe5f4348185a72dfbd86b2d4c5e4d43213bc1a14546b64d0

SHA512
bce7164854c73c9600473344979954a08b75513cacfa3526ac7f7ff5b3f9f50da461c0ea2b8cdcfda5dc4ac5dda43c5b7f46829d3dcdd06e6c4582ae5abe7037

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
415B

MD5
f14200923c0cdc261fae5b6f6da1dd76

SHA1
fb9eb8af907db23f176234bf0908a184e09abfad

SHA256
886e8c7fda07da1e1b2bf1a8eb6f8b5a861c1c7bf8b140986e35988078303ada

SHA512
127258a496db0d868296c0f87c78adf1ce09ce81fcf050ce786a86d2e23e2e5d411808ace9403dcc06432599aa3cab18f4d5ed09575017a958dc96144f3eaa59

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
1KB

MD5
a7cd3b63069a188a91f9e55c1836a46c

SHA1
4ba6772ea10d223b1cbd1b2cb8740294aeca8931

SHA256
f75d711800b87b8a08a3af66b24978e5aee262cc079710667c5433165a631650

SHA512
dc1854cb7d1ee0ef3ce2557705c754dafeee7511380efc3bc2a09fa490e99312b1cfe36600adb810b0cd1db18c3e96c5a3b359e5fcca136ed18cf934e657585a

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
951B

MD5
af286600ba425ab0eb3aa9be37053571

SHA1
0e6d213bc184cbd5903bac10148170a8b8f6b7a1

SHA256
cc82cb798b8852cb77bad51768149fdbee0c68ae5eb6fba1376ae871bd45065f

SHA512
6d5c7dc271fb5be85a9ecdc1c782859602dfbf4a867a114ea47292c3e334832dbe40d110b7d23b6327a0db4931c05688712ba61f317f4ed85d54d618d0f885ed

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
742B

MD5
9fc6edd31a5f36bae9449d9e452bb835

SHA1
dd6a1e0d7f99edc33c8f3f1bc532394d49aa6271

SHA256
14aa8a7aa18046613f55f42e957b71f013e12f602666610273093e2850352a48

SHA512
521bb49fb9b18c4f9075cd09d3d4381cd7f44ca6ca2c5c20f15143138ba7bf6c11188be1def5386ad81c3ce135f78eda86b650d277bf26f4820e1a3cbda77c71

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
414B

MD5
2897f266a1956747809c83a5ab6ce3de

SHA1
40f68fb2f3407e17a9951b8e8f34abddb4caa088

SHA256
1dfbc18cfa6359d0553b6442676a8ca46a5fd2b57fe69c0d8c90871c3d32a8c9

SHA512
53f31fbf32a7c8c4b80e877ccdd8d837b6e40a38b414cd79ac8284c80e2fe2b1750b4a98c0653b88075f6bd1a88970b85a9d879aa3d43667bca2232cc8028b6a

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
1KB

MD5
c654aecc6589892f3c0314471341056b

SHA1
6a5170dbf6733cdc1a15d74c7caa690f80716059

SHA256
ad4478b32ebbdab2fb2cb82deb3d06b0cc296a79de4f33007902ee765ca277de

SHA512
d510387e6a7b86f31d6cc77f39e259cb441d8b924bb4b27f983ca7569f38d8cd5df4dc0be8da1e9982c0541196d1c0f52c1cfc9b4ffef072e8ef904897f6d38e

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
21KB

MD5
c893384421a4b2749765d7b47f6bcc9b

SHA1
71365012d61a46cb4f3728e50cf4a9cccd3711a2

SHA256
48b640d02781b9ea8f6b96fe7ca2442a9665514b76fb018b274bf2d132ab8370

SHA512
e3dd5347071463479e84bebc36b0ef793c246550c83d1cfd52337bdd4ab0e5889fbe93152fd281a936c8e02c659ec64b34b7fca8a1389bb414df625e1a684222

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
22KB

MD5
c71d61e00ceafc673ab7298a0ccc7f7b

SHA1
811b0c010c6ebb723ff47765880ced28baa995e4

SHA256
5e35a00411346309e4e249608074f1e29212867f63e6e1055d485e9b7f25c53e

SHA512
691bb9c6c313fcced878bf79d609f3856538aad515755af16a8534363bcada13f3a6a3e2e7d8263f8bc036276f932c2817be3545538ab83018a66070836a8904

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
25KB

MD5
5a779fa75b93b3bfba3ff61406051c70

SHA1
71321f2634f657517e7b72c3ceea7e31c4f88fba

SHA256
b0151e458ff37f030253cd85c09a0419dc54cdbe8b2f35163a25be1496df6b39

SHA512
475217dd4f406f9793307b8aad4333320eaece33657d75a130b46f5dae07f08c825e30cebb8be45892eabf4550043382ef3c264f571ce2fb48d325e9439b13f9

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
27KB

MD5
e2949d4b01bac661d267e23fd5b67991

SHA1
24eab6fd2d24dc6760e0a7437ae96cd53494027d

SHA256
379f3ca0743411753aefc7c85898dd368c5ca603db798b095a17d3a60b12e425

SHA512
7afd4a48c0f278894c095d639c816a2eea1326a643c72f3b286862cb030e588282bc069ba354caa6ef265f44350fbb3dc57d90cdbfbc5e24eabbf8047b6ca1f7

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
30KB

MD5
622afb944a2eba172e3caf0f73518000

SHA1
ae343b4f1c74de5626e9f9ac35d8cbe17427aaac

SHA256
b9ff3a394a6b472421d098979d23425e71a30dac43b833b33d595c2a603df8f7

SHA512
859494ac98be54d25f698095cc392d07c57dd2c2db0e14c429d73f3b32fa3ec8f9b811f470254deae04a91e6865e7749d7dceab29f6c118b6be592f32a225529

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
31KB

MD5
1a7792c25eb17840be5e15660681cc8c

SHA1
00ed453a384b559cdc5332fffb22118ed502ceea

SHA256
63e324fe5b25ccaffc1cc11da921526764b5c529c909337089fde99cd080b8eb

SHA512
d8a4e62eefb43e3ffe6e74526ca3963dad31a9a0ac9a7ce5b6e7d32770294bd82b6be402488800bab2ea789c84d64da951bcda508a6eadc7c886b403a6837651

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
51KB

MD5
e31235523221280ebdd99fd79000c337

SHA1
2c817ef11bf8acfc279519a3e993d1f0c7435630

SHA256
d310d0e146fca12d9ea5f08cfcd31d28a17b980fa5351b98078d85f359f04cec

SHA512
d034fb3ba005db25cea541c98a0ffebd366697b77d47596ecd7ea32e1776525d7c6e4c85447270504838fc91444087953439e03161aeb9641a6549cbab9c8807

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
50KB

MD5
fc328c70098b1a10e35dda41988e97c0

SHA1
420664e09beed1c604f0c5574d842c6a875f8802

SHA256
41e77e70956bc363bf24669fa12c9b39cba05529a441574f7daeffa37c23e5c1

SHA512
6f7645a481fd31c576f1915da9562f2d733046bcfb8d212790c946009f3c4854607f91e8023c965365f2c6f29cc80371c83d1a115a72a10777ad5f778818d62a

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
51KB

MD5
291d62a252d766d855911acd324c370d

SHA1
33e293a3ab1b26c93087479fc3d0b14080877c9f

SHA256
9fa8c5300171fdfebd435fa8ee1de8075db17039c5de7eb56b4b8e31bbbbd1f9

SHA512
da437b0015f1c3628cc97e1f2ad1cb0e7a7d7e66ae4cafe4c6b3258ff36a68d43a6a0ca06fd18070c647104b985bbf344b6c611a1bcc5c3efcad0bdbc4057966

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
53KB

MD5
a062e4d0087577f992d2c57356efbb7d

SHA1
6c5578fc6f8c6d431fa36707463df050ef9eb26b

SHA256
1ef4d5263419b6412f36c24ea50cc31ed72a202f44ddb43199455e813e18a0b1

SHA512
dbe94298a01d12caec4b218d200a6c151360aba8492890fe3e56bac190bc15553f2edb8732d0b1f38f7932d33dd82568cf29e0837985136162de2dc2581f62fd

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
53KB

MD5
a9834404126973b19ffb110c4d5c4fc1

SHA1
9bf18ed8604865972835924da8242247edf426fb

SHA256
1b7846861ebccc8e2535b1aaf7c2c3ec8bb0c21ac10295600459de9b02214b2c

SHA512
e3478f8116fb6526ece5f4fa4b9d9048653ff9cdad0865d77f127097ab9e9bc2e867ec153cf237a38f9d38bc40311bfc8a48d280374fdb29b550088dfed69872

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
57KB

MD5
0fe22f4dd46623e3ab7ed36911cacc13

SHA1
b4a3120e2e981f1fa16bfa15abd1c08f68b5bf25

SHA256
9b895c214d5767a0f077abf0d17a1fe891bacfcc50d8e312d3a695993173a6b8

SHA512
d7a7539fe143af786e71d9fd6a2455a5f68d1f1a053872725f8642da50e9a9dc2d3e83a0e5ca6386b80b485b4a424f6e7e9310f9fd5aa4a4bb1c96f01e3f76f3

Download Submit
C:\Program Files\Google\Play Games Services\25.4.291.0\Uninstaller\data\installer_uninstaller_windows.assets\AssetManifest.bin

Filesize
320B

MD5
9c793a556ca48854e774b5080dcec85c

SHA1
62fd99e5160414c61b4e514059833a0a0a79a0d1

SHA256
fe50f08669111df7b477f353634d91b8502769c8ccf7dd2337d52718351a6ab2

SHA512
00c2b4fd2185b58cc4e8c643fe2d11310b36c034d3bf821e20990c78b1239318f44d1bcdac75daeeca3596c7d68c418d9b5bb7fe5626c0153e4d1536d90653e1

Download Submit
C:\Program Files\Google\Play Games Services\25.4.291.0\Uninstaller\data\installer_uninstaller_windows.assets\NOTICES.Z

Filesize
84KB

MD5
ba741df57c3035eb973f353205371080

SHA1
4061033eda14e5049717b32e46a150f65a24cde7

SHA256
9800731cd171a5ffd8d377eddce117448479a9fad28ff5436f7107531862dffc

SHA512
27af7421a7d351cf5e8d022b0e76edef1c88cc4d2592dfc28161c59c35f558c15f71e03931e2da7555a5070cb9d7855eafa19d56977bb71d7ad30e6a48f1ada2

Download Submit
C:\Program Files\Google\Play Games Services\25.4.291.0\Uninstaller\data\installer_uninstaller_windows.assets\shaders\ink_sparkle.frag

Filesize
6KB

MD5
51f20bf41c8f1f157941bb8431fb411c

SHA1
db0cee9291c516df048e9d426adfe3b469737cbf

SHA256
35f467c45804fb1d3cb8c483da1a8f636c8ecb6f63919b3f1bfc8ec8e2fcaf15

SHA512
0748bd823aaf84bc58a91dec01cf28e10ea8b0fc772cc9db7626af9102742d6ae6d1db56c28ae939bf67d4a2e32efb9438f32f798f7b193e1f2342138a076601

Download Submit
C:\Program Files\Google\Play Games\Bootstrapper.exe

Filesize
366KB

MD5
1204a1ee0e04d7a84694961c3be42cce

SHA1
bd234504b3d7f44cf0d68cfe83748dfd3a7fb261

SHA256
5e677926e1993fdb3b8ab03257139d425b4b63ec090cc2eaf9a16f4cec628fcc

SHA512
a2d9b31e6a67c7ed410eb0b3b042f4ef16bbcfc9b2477217263b7ab8bb862c3c3c810b197ffb5f79d7639897df33abdac77a2c48456c4a7a30baf8a08e432697

Download Submit
C:\Program Files\Google\Play Games\current\GooglePlayGamesServicesInstaller.exe

Filesize
3.8MB

MD5
5ec3117330b44f036ad258b1da0226e5

SHA1
f71d32eebdd1331310cf53761744c91d29635d16

SHA256
7f1ce31d04be8e6a9843d9424c7528de304eca7a71ce9fcb8dc27b1ab43a6f14

SHA512
c81b9b20a999709aba02bc26204d5e8a59a02255da37236e766d6f16739683fc13eb5b7bac3309745c22abd61c172930032efe33984c952853bc765c5a164f83

Download Submit
C:\Program Files\Google\Play Games\current\GooglePlayGamesServicesInstaller.exe

Filesize
4.3MB

MD5
9892b91f42b08b5cfb3633a093038ec4

SHA1
5e0e0699ffae44625a1b12a6247d98c3abf92994

SHA256
9533b118b5dfaa07592b116f33ba7defdf360992415a5948856f3467f2c5b67a

SHA512
d8144a8dade77632a465f59a4a1861336ca5046d99a1ba28e5d54c67ea5a3ac437c4c092c72af2afe3c4207a013952baefefbe9184a3160b6c45d9763773498d

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\1f336d8ce05c79d2\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
3336818fb82bc1b7883d4f02a428e570

SHA1
24633433d3e5d576bf7ffd0dd8e7aa82a6ec7768

SHA256
1fcc487324b2a4ef1b1543790626c1727270690118d7382da512f7808bc1afe3

SHA512
16349c85adc09df53fedbec32280e632368a086a773e93a92eaf5bed02eeca63bf56072e948bdf1d9b658bfc5fbbbc8bef0199c14cea4e2d6921533950c37cd7

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\1f336d8ce05c79d2\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\1f336d8ce05c79d2\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
960B

MD5
d49421835e07f9c8a3c8375711d8f5d7

SHA1
d404f1ebe1076786c343cd13d37b05b07ff47055

SHA256
1e9a2cf73160c352f044a28abf87c28531d4d4997618833b6a6f7b9de4699b60

SHA512
bf6430d780f9e31f288294a07f4c72fda3386c5e9d9cb7894559fd3a65aedf143fb2900a9faaa593bbdb8b3d7bdc444eee823d9281a836f17ee4f05c0db9f454

Download Submit
C:\Users\Admin\AppData\Local\Google\Play Games\CrashReporting\Crashpad\settings.dat

Filesize
40B

MD5
bb932a243d66cfa6b9c6d42a76e35a61

SHA1
564acec32c996d62173e11a6280c90b1f66e8d62

SHA256
65caae8278196a28fed8ad230332e88493b0b48b2cb286f2b14ebaf1872ae688

SHA512
c1b588e91df901f915a0568c794b7ee3ffba610e9c1c953abd3b199a8e8aaa79fd34629ed20c583d0bea6eb14e78bc363cda913c33de6092ae4d0aeb30eccf17

Download Submit
C:\Users\Admin\AppData\Local\Google\Play Games\InstallerCrashReporting.log

Filesize
1KB

MD5
249176ce9746640246b032640a4b1835

SHA1
2fe0b846610d4d5837dc372c93d9bc3e5ccd28cc

SHA256
5972aa0e1188aa6b20e4a67a15b05883667fd671ce922ec0838061a9ce784601

SHA512
c69e6ad73e2e2413a0bf8afce3de0ec06528ba94cd6648a238b70d77a12edf4c237cc23a7b0951ca3f1967770d6bd9cf94dd2d97bdb6e6df2586762a76c80780

Download Submit
C:\Users\Admin\AppData\Local\Google\Play Games\store.db

Filesize
108KB

MD5
257ab47f03345b577fb7b329ed52a449

SHA1
028e2f5ddef6825aea8092fa583694002102c033

SHA256
fb4d2802b33fe5179b3344cb7f1282a30aba7b0c1fe2e50988217c8243430172

SHA512
f01b953a7c4f329ccca1f08ea919f6123f949438c6ede6a36f8ad4622614014a0e7b4b3059492431f0efb3e4029fefdafe724e70c6c9824e6c5e5d5479a91e00

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f1abd39c-1e9c-4c04-ad96-db3cd35c0243.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd\CrashReporting.dll

Filesize
994KB

MD5
c95b4a7da018b8bbe59658e2bc3cab07

SHA1
34fffb433434c36b542bebf215124f1efe551e63

SHA256
fa072d9333b528bb1e0fc70d951bf4c4cd87ce4b79ca27333fc7d1917f097e09

SHA512
cf540ae1c9d6e1153d4a902c0a27f5b0db29071ba34b015af0d4c097f66bb976f76b797c9a857d14cbef69e0d722638bdbb4984132ba873c503063603cea4403

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd\UpdaterSetup.exe

Filesize
9.7MB

MD5
42bc65929776cb4aaf983cdcd38e4b07

SHA1
7e086789c3f50287198bf8770e57f0b86f54af55

SHA256
f31967175f861756ccd8c6a7b0f47dcd0640f8c9d952c61442c137315c1fbb40

SHA512
ea3cbcc8ec54b9022133f31b7914abd40c14605c11302dc0bf7f82d950d87a6ad34f0908ee676e398fc7ff334c565152592706b1cea8ccc29780723db6fb0443

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd\crashpad_handler.exe

Filesize
1.1MB

MD5
f82f9db093848ea62afd041840a18f8a

SHA1
6aa5e34bd672c1e98b2b2d6141e33fa5c25739a0

SHA256
d560ec665c6747fca93a2e130eb33fd832907c1b6c3bc4d0a687a30a1165edf9

SHA512
efabb85965e30d09d500f8d9f875a18faa94c4aed0e25ca632da2224acd523e823de1ed92be22799e8a569b6ef84b2c10c46d9677cf1bfa9663879947f422361

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwpy5hhn.fkd\recorder_delegate_lib.dll

Filesize
4.7MB

MD5
52f7fb81002d31208e499e5fa79dd657

SHA1
d7e0da3ca09146a4ecf47158c91db747bde780b8

SHA256
954f84d7856ab976a91206eb93f2c3939c3fbb1e9b71f52e849eac03280c9dd7

SHA512
06deb74ee5ed557e1b8cf9a9163aff732889636e9f7e276bcb9a179500542205f5ddba1500a8db63c5617f99e0ed9ce200e74798d03a12a410e84c2466f42d87

Download Submit
C:\Users\Admin\AppData\Local\dxdiag.log

Filesize
83KB

MD5
9c786b0bf6c454b2d48007c91a51815f

SHA1
30d9c7c65e59d70d122a3c56b5a3d914ee7bef67

SHA256
34e75aa0811256fff49dc89c472184db2360eda43eccb545dcdb935eb80501d7

SHA512
fa6bf4a2d315da00db424e4623265f1667597b8c285df6e6bbf33cdf63a56c6bf805273df82b75b1840eb152c5ae68a5d4f1d02db0faab56550aee091d2a4622

Download Submit
C:\Users\Admin\AppData\Local\dxdiag.log

Filesize
86KB

MD5
289ec22d0df3dd82c23bc4ab4c717d1f

SHA1
0d6978a5d3126f8a9847c7c0848fff0c6f31ed0b

SHA256
cec9267216bca785d5ce664c8e573c41e29b4ee408d9748ac28ebb3d5e892edd

SHA512
5e80b0c8cfa9cceedc4a7e56f8796edcc62629b20934732b010ffd90926624a30c583c5c53800c6ba2ca71630535c6a9abc5a920be058a33b9452f67c5a8169f

Download Submit
C:\Windows\SystemTemp\Google1444_1528559655\bin\updater.exe

Filesize
5.3MB

MD5
e2937e33c2554eecc37c804a7f99f8b7

SHA1
2c33d4573e21c7d18de1d3f337bacd7c4e58fe87

SHA256
5dde29f028e75ee72f50902d20c41b699ef8fc5c294f04a321deac6909ffe409

SHA512
cf50e630cd75483f5887153490ab5c55e21a711541d0a4aa0e29d055f42076f7d58edf743bff26e145b56a69b6be9f6704e9c2b071be0aa5a7f6cc1f6be3406f

Download Submit
C:\Windows\SystemTemp\Google2672_2054299730\bin\updater.exe

Filesize
4.3MB

MD5
de6d47eee7fde88f3a4163af1a061c49

SHA1
207ca21b6ddb530748aeafbe5bb7f42e1d12d1bf

SHA256
373bd51b4cf4659279ebe5f745727b8b74a844f084d42903becfba76dc6e7454

SHA512
e10b03dc53aab75e98df56e9463160362e43b9c295df09bb74526aae8ab31d803d6e1b231a3a4d3b0ae99b8c62f549433477b33820d6432da9cb5302757cebab

Download Submit
C:\Windows\SystemTemp\Google2672_2054299730\bin\updater.exe

Filesize
4.4MB

MD5
f84c4248d272ee3616cfce8d5592d552

SHA1
31f38ce4452309c52e51259859d8e7c339704e74

SHA256
5591b2d0536ea6f25edb4a0fbd76f099f5b142d3fa4de30ae7af02223279c6a3

SHA512
1b93a1cabc05699a7c5f82c5df1a583150019a6b80fd4f397654a0cd17c4f9aae84f36aa5ee95cfb8a6b5063f0a55ac83e27e4952172a21ffb8667e4a920a97e

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\GooglePlayGamesServicesInstaller.exe

Filesize
3.3MB

MD5
0acfe674bc8c745421b4f41a470aeed3

SHA1
ee90e7b8e780840af8be59f9d4b8730b78ea3af0

SHA256
d856272a05f9184845108ac3842631ff355b1e6c3eafef53354f73db82dbf99e

SHA512
ef8c67dff14164f059e4144662a90ecc05c7ab55288fc559d39b43ad51707f81c5430ec8cac6ffbcc9e3b71ac9e47c025d1deecc96303ef7af58c33406c419be

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\GooglePlayGamesServicesInstaller.exe

Filesize
3.8MB

MD5
dfdec393fb367d8a16afc20120b1662a

SHA1
9501c578865875144de59c7ac1f2d6dcb688ab2f

SHA256
ed06641d553fafdcacda726962fba8fa44a53e5561e48b13add4d05f72383023

SHA512
a3d22c189cb9378dc005e9f98ac99d22fba2dbbf2d8039eaea02c7f92d22f031b79b5c1897cf9c1c395b3af578c290c515820d588aa1a9bdf5eebf4247882a9d

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\data\icudtl.dat

Filesize
760KB

MD5
692337664e861ad322138061132dddc6

SHA1
8a99bc860eda0772f3b1f4a125fa4d474410e21c

SHA256
c12537022ef818991a7bfed41a76d8d6ae962ffbc0e6511ac762a5d0845e7f7c

SHA512
3e2e6adb651e37e530734f999634d7c101fa1c45ae380be8ad169bbfb0a047f2878ff6c8d1428d6b9e7301b447ab2f8839484322ddb3831984be71d442829a55

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\data\installer_windows.assets\FontManifest.json

Filesize
153B

MD5
979319e51eab8e8ea9708fb153f57ede

SHA1
eedfd104c5df5a7b527d760cae6c6b22fbf70e40

SHA256
2eac50415f742dca6a7183518450db5bbe36a715867c42d43b7e01a64a45c474

SHA512
8f23eeebdbbe3a9492f32de508fc1dd30e6ae5c46464f6d4794acea8859a07016a222aa7127fb8e4667e5d644b9834997942befc59c2edb4b894cf0cec8e8ee0

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\data\libinstaller_windows.so

Filesize
2.0MB

MD5
d99e3d36ea5ea3d68364ed36942f9eb0

SHA1
5e2c631742dfe876a3d8a6838f2b70a3f170048b

SHA256
3891afb6eb4a96f5f833c883dda0b0b6296fe0221863cb5fa30f880a702a670b

SHA512
2868ebdfbb584394f9c97bc8cbb679409ef620b15ea0fcb2e72ef69d83283183ad1c11a2c220ac68be22a12b23dfe26fa71055dce71475fc4e1e49c159ef5428

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\flutter_windows.dll

Filesize
3.4MB

MD5
35c9750a5e8eae6168e1ea7fb9bac09d

SHA1
0a6d5592d08f74e50c4eedbea209bcca07a0af38

SHA256
9954fb2075d8b48582170e7433ac8146536a62271a6835448ac76ff51be02f95

SHA512
018689eda55719bd95478237ea4e75f9ba409d4ac3dba80714928dcf5f203088cc154299fc78e970f57a76fa877741c6211cb110a77ae08847da48ae582a7123

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\flutter_windows.dll

Filesize
3.8MB

MD5
dd921f8e0e21ca3f26b0f828696e5a10

SHA1
6cbcb24998efc74062d45acce34d587e670fb56f

SHA256
e1b6b476ff412d824a6a87433c0b21edf41e0bbc0f8905e50e671653cec1e30c

SHA512
e1491b06e3b719ef6ea41f5263e191fac39627a290d1ad3157bb61dca74e49f77f815d6641653b61543b9f1ccbeebd71425f227076f00dda96f6a7591e52c7d8

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1960_213103932\installer_output1496635613\libnative_asset.so

Filesize
3.3MB

MD5
fed79da2292283228c99e2c11098fc95

SHA1
d2d48c738c0ee3c95a04e1b0491ed80f30cf7ec1

SHA256
4edce161122c64d2e8ac6f524e28f2368489be4542e843789883f632de6f08d6

SHA512
c1025546efa5aad81358994af976a0f4f386c08d0b4a98cd26c780b9c39d79a301817e900afebe3f038c43c6fac3d0da35f0b625ce4bf75624fb2f8c68c9faa5

Download Submit
C:\Windows\Temp\Google\Play Games\r4ynu4ug.ved\7zr.exe

Filesize
787KB

MD5
d103d8b3f8c6a19a377546d23f7d7ed4

SHA1
2f5cc9f96a6f7a35d1570a62437a358c47481d3a

SHA256
7fe7a82f9cc0293191184203ed7b9e2bedc033753c5ed7350e2bad6cadee1d59

SHA512
01e30ed22e2380dd87eabf9fb4731b209b91a1930eb21ab291286a5bdba72b7cc7918d58f4dc4899dc8d820ac52a5269d5656171d77a3eb8dd04dc9398e62e69

Download Submit
memory/2564-24-0x000001AABFA20000-0x000001AABFA28000-memory.dmp

Filesize
32KB

Download
memory/2564-8-0x000001AAA6030000-0x000001AAA603A000-memory.dmp

Filesize
40KB

Download
memory/2564-101-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-100-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-115-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-99-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-1-0x000001AAA3B00000-0x000001AAA43BA000-memory.dmp

Filesize
8.7MB

Download
memory/2564-2-0x000001AABEA10000-0x000001AABEE5C000-memory.dmp

Filesize
4.3MB

Download
memory/2564-3-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-6-0x000001AABE950000-0x000001AABE980000-memory.dmp

Filesize
192KB

Download
memory/2564-10-0x000001AAA6050000-0x000001AAA605E000-memory.dmp

Filesize
56KB

Download
memory/2564-0-0x00007FFE5C3F3000-0x00007FFE5C3F5000-memory.dmp

Filesize
8KB

Download
memory/2564-927-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-46-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-45-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-44-0x00007FFE5C3F3000-0x00007FFE5C3F5000-memory.dmp

Filesize
8KB

Download
memory/2564-43-0x000001AAC4F90000-0x000001AAC5118000-memory.dmp

Filesize
1.5MB

Download
memory/2564-9-0x000001AABE980000-0x000001AABE9C4000-memory.dmp

Filesize
272KB

Download
memory/2564-14-0x000001AABE9F0000-0x000001AABE9F8000-memory.dmp

Filesize
32KB

Download
memory/2564-42-0x000001AAC42E0000-0x000001AAC434E000-memory.dmp

Filesize
440KB

Download
memory/2564-39-0x000001AAC41A0000-0x000001AAC41C6000-memory.dmp

Filesize
152KB

Download
memory/2564-13-0x000001AABF040000-0x000001AABF0EE000-memory.dmp

Filesize
696KB

Download
memory/2564-16-0x000001AABF510000-0x000001AABF522000-memory.dmp

Filesize
72KB

Download
memory/2564-15-0x000001AABF490000-0x000001AABF50A000-memory.dmp

Filesize
488KB

Download
memory/2564-12-0x000001AABEFC0000-0x000001AABF038000-memory.dmp

Filesize
480KB

Download
memory/2564-11-0x000001AABE9C0000-0x000001AABE9E6000-memory.dmp

Filesize
152KB

Download
memory/2564-102-0x000001AAC4ED0000-0x000001AAC4ED6000-memory.dmp

Filesize
24KB

Download
memory/2564-38-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-36-0x000001AAC36C0000-0x000001AAC36F8000-memory.dmp

Filesize
224KB

Download
memory/2564-37-0x000001AAC3270000-0x000001AAC327E000-memory.dmp

Filesize
56KB

Download
memory/2564-27-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-35-0x000001AAC3220000-0x000001AAC3228000-memory.dmp

Filesize
32KB

Download
memory/2564-18-0x00007FFE5C3F0000-0x00007FFE5CEB2000-memory.dmp

Filesize
10.8MB

Download
memory/2564-17-0x000001AABF5E0000-0x000001AABF69A000-memory.dmp

Filesize
744KB

Download
memory/2564-4-0x000001AAA6000000-0x000001AAA600A000-memory.dmp

Filesize
40KB

Download
memory/2564-5-0x000001AAA6010000-0x000001AAA601A000-memory.dmp

Filesize
40KB

Download
memory/2564-7-0x000001AABEE60000-0x000001AABEFBC000-memory.dmp

Filesize
1.4MB

Download
memory/2828-862-0x0000025A994B0000-0x0000025A994BA000-memory.dmp

Filesize
40KB

Download
memory/2828-275-0x0000025A990D0000-0x0000025A990D6000-memory.dmp

Filesize
24KB

Download
memory/2828-276-0x0000025A98EF0000-0x0000025A98EF6000-memory.dmp

Filesize
24KB

Download
memory/2828-274-0x0000025A805B0000-0x0000025A805E0000-memory.dmp

Filesize
192KB

Download
memory/2828-273-0x0000025A80560000-0x0000025A8057E000-memory.dmp

Filesize
120KB

Download
memory/2828-272-0x0000025AFF330000-0x0000025AFF4B6000-memory.dmp

Filesize
1.5MB

Download
memory/2828-277-0x0000025AFF8B0000-0x0000025AFF8E2000-memory.dmp

Filesize
200KB

Download
memory/3140-857-0x000002A3E2250000-0x000002A3E2280000-memory.dmp

Filesize
192KB

Download
memory/3140-856-0x000002A3E2220000-0x000002A3E2250000-memory.dmp

Filesize
192KB

Download
memory/3140-854-0x000002A3E18E0000-0x000002A3E194E000-memory.dmp

Filesize
440KB

Download
memory/3140-855-0x000002A3E1D60000-0x000002A3E1D68000-memory.dmp

Filesize
32KB

Download
memory/3140-858-0x000002A3E1D90000-0x000002A3E1DA4000-memory.dmp

Filesize
80KB

Download
memory/3520-890-0x0000019F17D80000-0x0000019F17DDC000-memory.dmp

Filesize
368KB

Download
memory/3992-916-0x0000023E672F0000-0x0000023E672F8000-memory.dmp

Filesize
32KB

Download
memory/3992-911-0x0000023E4D240000-0x0000023E4D24A000-memory.dmp

Filesize
40KB

Download
memory/3992-893-0x0000023E4CC20000-0x0000023E4CC7E000-memory.dmp

Filesize
376KB

Download
memory/3992-895-0x0000023E68600000-0x0000023E6911C000-memory.dmp

Filesize
11.1MB

Download
memory/3992-897-0x0000023E4D0D0000-0x0000023E4D0EA000-memory.dmp

Filesize
104KB

Download
memory/3992-905-0x0000023E4D1D0000-0x0000023E4D1D8000-memory.dmp

Filesize
32KB

Download
memory/3992-896-0x0000023E4D0A0000-0x0000023E4D0AA000-memory.dmp

Filesize
40KB

Download
memory/3992-898-0x0000023E4D0B0000-0x0000023E4D0B6000-memory.dmp

Filesize
24KB

Download
memory/3992-955-0x0000023E6A330000-0x0000023E6A344000-memory.dmp

Filesize
80KB

Download
memory/3992-899-0x0000023E4D0C0000-0x0000023E4D0C6000-memory.dmp

Filesize
24KB

Download
memory/3992-900-0x0000023E67240000-0x0000023E672EE000-memory.dmp

Filesize
696KB

Download
memory/3992-909-0x0000023E4D220000-0x0000023E4D22C000-memory.dmp

Filesize
48KB

Download
memory/3992-901-0x0000023E4D0F0000-0x0000023E4D0FA000-memory.dmp

Filesize
40KB

Download
memory/3992-945-0x0000023E68480000-0x0000023E68486000-memory.dmp

Filesize
24KB

Download
memory/3992-946-0x0000023E6A270000-0x0000023E6A324000-memory.dmp

Filesize
720KB

Download
memory/3992-947-0x0000023E685C0000-0x0000023E685DA000-memory.dmp

Filesize
104KB

Download
memory/3992-951-0x0000023E69240000-0x0000023E6927A000-memory.dmp

Filesize
232KB

Download
memory/3992-952-0x0000023E69120000-0x0000023E69146000-memory.dmp

Filesize
152KB

Download
memory/3992-920-0x0000023E67490000-0x0000023E67498000-memory.dmp

Filesize
32KB

Download
memory/3992-950-0x0000023E691E0000-0x0000023E69240000-memory.dmp

Filesize
384KB

Download
memory/3992-919-0x0000023E67310000-0x0000023E6731E000-memory.dmp

Filesize
56KB

Download
memory/3992-918-0x0000023E67300000-0x0000023E6730A000-memory.dmp

Filesize
40KB

Download
memory/3992-917-0x0000023E67460000-0x0000023E67484000-memory.dmp

Filesize
144KB

Download
memory/3992-915-0x0000023E67580000-0x0000023E675EE000-memory.dmp

Filesize
440KB

Download
memory/3992-914-0x0000023E4D260000-0x0000023E4D26A000-memory.dmp

Filesize
40KB

Download
memory/3992-913-0x0000023E67530000-0x0000023E67574000-memory.dmp

Filesize
272KB

Download
memory/3992-912-0x0000023E4D250000-0x0000023E4D25C000-memory.dmp

Filesize
48KB

Download
memory/3992-894-0x0000023E67690000-0x0000023E67ADC000-memory.dmp

Filesize
4.3MB

Download
memory/3992-938-0x0000023E68100000-0x0000023E68126000-memory.dmp

Filesize
152KB

Download
memory/3992-939-0x0000023E680D0000-0x0000023E680D8000-memory.dmp

Filesize
32KB

Download
memory/3992-942-0x0000023E680E0000-0x0000023E680EA000-memory.dmp

Filesize
40KB

Download
memory/3992-937-0x0000023E67FC0000-0x0000023E67FCA000-memory.dmp

Filesize
40KB

Download
memory/3992-910-0x0000023E67BA0000-0x0000023E67C72000-memory.dmp

Filesize
840KB

Download
memory/3992-908-0x0000023E4D1E0000-0x0000023E4D1E6000-memory.dmp

Filesize
24KB

Download
memory/3992-907-0x0000023E67AE0000-0x0000023E67B92000-memory.dmp

Filesize
712KB

Download
memory/3992-906-0x0000023E674B0000-0x0000023E67528000-memory.dmp

Filesize
480KB

Download
memory/3992-904-0x0000023E4EB40000-0x0000023E4EB6A000-memory.dmp

Filesize
168KB

Download
memory/3992-943-0x0000023E684B0000-0x0000023E68510000-memory.dmp

Filesize
384KB

Download
memory/3992-903-0x0000023E4D1C0000-0x0000023E4D1CE000-memory.dmp

Filesize
56KB

Download
memory/3992-944-0x0000023E68450000-0x0000023E68486000-memory.dmp

Filesize
216KB

Download
memory/3992-902-0x0000023E4D120000-0x0000023E4D126000-memory.dmp

Filesize
24KB

Download
memory/3992-949-0x0000023E69180000-0x0000023E691DA000-memory.dmp

Filesize
360KB

Download
memory/3992-948-0x0000023E685E0000-0x0000023E685F4000-memory.dmp

Filesize
80KB

Download
memory/4640-853-0x0000026B04FD0000-0x0000026B04FEC000-memory.dmp

Filesize
112KB

Download
memory/4668-238-0x000002EC4B620000-0x000002EC4B696000-memory.dmp

Filesize
472KB

Download
memory/4668-239-0x000002EC4B5E0000-0x000002EC4B5FE000-memory.dmp

Filesize
120KB

Download
memory/5024-56-0x000001E366CA0000-0x000001E366CA1000-memory.dmp

Filesize
4KB

Download
memory/5024-55-0x000001E366CA0000-0x000001E366CA1000-memory.dmp

Filesize
4KB

Download
memory/5024-54-0x000001E366CA0000-0x000001E366CA1000-memory.dmp

Filesize
4KB

Download
memory/5024-53-0x000001E366CA0000-0x000001E366CA1000-memory.dmp

Filesize
4KB

Download
memory/5024-48-0x000001E366CA0000-0x000001E366CA1000-memory.dmp

Filesize
4KB

Download
memory/5024-47-0x000001E366CA0000-0x000001E366CA1000-memory.dmp

Filesize
4KB

Download
memory/5024-59-0x000001E366CA0000-0x000001E366CA1000-memory.dmp

Filesize
4KB

Download
memory/5024-57-0x000001E366CA0000-0x000001E366CA1000-memory.dmp

Filesize
4KB

Download
memory/5024-58-0x000001E366CA0000-0x000001E366CA1000-memory.dmp

Filesize
4KB

Download
memory/5024-49-0x000001E366CA0000-0x000001E366CA1000-memory.dmp

Filesize
4KB

Download