Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-02-2025 19:43

General

  • Target

    data-Setup/Setup.exe

  • Size

    44KB

  • MD5

    f86507ff0856923a8686d869bbd0aa55

  • SHA1

    d561b9cdbba69fdafb08af428033c4aa506802f8

  • SHA256

    94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb

  • SHA512

    6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da

  • SSDEEP

    384:RozxIpl4504JaAystntGecMJ6gjpS1BO2NjrLVXjW9VBhKigecicWwnWzYDTFu:Rg04PGeZQG2NDVXjWLu1imL

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • ps1.dropper
    https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice
  • exe.dropper
    https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

Extracted

  • Family
    vidar
  • C2
    https://t.me/sok33tn
    https://steamcommunity.com/profiles/76561199824159981
  • Attributes
    user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

  • Detect Vidar Stealer 6 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Blocklisted process makes network request 3 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Downloads MZ/PE file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 13 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\data-Setup\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\data-Setup\Setup.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extract_and_run.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Users\Admin\AppData\Local\Temp\data-Setup\data\7za.exe
          7za.exe e bin.zip -pYOUR_PASSWORD -oextracted_3816
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4036
        • C:\Windows\system32\timeout.exe
          timeout /t 2
          4⤵
          • Delays execution with timeout.exe
          PID:2284
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K "extracted_3816\sss.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4860
          • C:\Windows\system32\net.exe
            net session
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4900
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 session
              6⤵
                PID:4836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_3816\script.ps1"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Downloads MZ/PE file
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:408
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4136
              • C:\Users\Admin\AppData\Roaming\WKZCM2LT.exe
                "C:\Users\Admin\AppData\Roaming\WKZCM2LT.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3592
                • C:\Users\Admin\AppData\Roaming\WKZCM2LT.exe
                  "C:\Users\Admin\AppData\Roaming\WKZCM2LT.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Checks processor information in registry
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2232
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 816
                  7⤵
                  • Program crash
                  PID:3940
              • C:\Users\Admin\AppData\Roaming\6RUEBXLM.exe
                "C:\Users\Admin\AppData\Roaming\6RUEBXLM.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:540
          • C:\Windows\system32\timeout.exe
            timeout /t 2
            4⤵
            • Delays execution with timeout.exe
            PID:3704
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:712
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3592 -ip 3592
      1⤵
        PID:4800
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\MicrosoftEdge_X64_132.0.2957.140.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
          2⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Installs/modifies Browser Helper Object
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5016
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff657cea818,0x7ff657cea824,0x7ff657cea830
            3⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:3848
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:4784
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff657cea818,0x7ff657cea824,0x7ff657cea830
              4⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              PID:3608
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4632
            • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7b199a818,0x7ff7b199a824,0x7ff7b199a830
              4⤵
              • Executes dropped EXE
              PID:1956
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3212
            • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7b199a818,0x7ff7b199a824,0x7ff7b199a830
              4⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              PID:5076
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:3508
            • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7b199a818,0x7ff7b199a824,0x7ff7b199a830
              4⤵
              • Executes dropped EXE
              PID:5088
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
        1⤵
          PID:2616
        • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
          "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1172
        • C:\Windows\system32\wwahost.exe
          "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4008
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping
          1⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:3484

        Downloads

        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF837978-A77D-495E-82A8-4CE65977EE1E}\EDGEMITMP_C7306.tmp\setup.exe

          Filesize

          6.6MB

          MD5

          b4c8ad75087b8634d4f04dc6f92da9aa

          SHA1

          7efaa2472521c79d58c4ef18a258cc573704fb5d

          SHA256

          522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

          SHA512

          5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml

          Filesize

          444B

          MD5

          57ccd4f37e1059ec69bba4f05729c8bf

          SHA1

          f6d9211aa9b3c1cf039cb90567689aa16910532d

          SHA256

          71763943d29a1a07edb32c22a42f223d401e1d435cb060ffeb328f0e9c75ea28

          SHA512

          eb9dd893bd41c5f6852582292536f28f89487b76caf1104519f702597ecc9e760e51e13046ed54516a8e7b816364295528461006561a6e33a7437cebd4dea1a7

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

          Filesize

          3.7MB

          MD5

          3646786aea064c0845f5bb1b8e976985

          SHA1

          a31ba2d2192898d4c0a01511395bdf87b0e53873

          SHA256

          a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

          SHA512

          145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

        • C:\Program Files\msedge_installer.log

          Filesize

          72KB

          MD5

          366132495a25d28416370925382199dd

          SHA1

          7e7457de9fbbf6473045248cc1b0a98fa3e7faef

          SHA256

          59ed79753a1189eae453644d1bd4427cc599766f4926450e15a8f38a8e186ec6

          SHA512

          e554aa1c9845f8f43d40673e8c29a568865308dc5d3bc235e66a3270166f0615db8b667aeb8b7c294a34816f643324c359434dc1fee48977ae6b4a5ad6d89946

        • C:\Program Files\msedge_installer.log

          Filesize

          97KB

          MD5

          73b4a5bbd52e464b556a6626999b8947

          SHA1

          208ebbc28cb831a822765a749910db050e0eaebb

          SHA256

          53a23ee0766d8009cb242f2ea931ad840b5ec02ce6d56fba506cec31403b5768

          SHA512

          c7d676d9e085936a8eea8fed0e6ea9f4600b5c4993b3185b26ea86329253d89efcc6ddf74257e38f99938d28fbfc00388c9aebca397796cf9222ff752b06e4aa

        • C:\Program Files\msedge_installer.log

          Filesize

          99KB

          MD5

          15eb37b61cca153cf5a58af393ea8a5c

          SHA1

          6ffcb8c224e654e0ec4c070b65a90b11cc2209d5

          SHA256

          93a2774856dbb5c0f1e61396de68b0d811397edc1fb16c4bae309f2bdcc7583f

          SHA512

          690051b5c95d961ab380ae1df961780076cdacfefba44703b6acaa6f25c47901010cb90a7009df0e0ab0dde02c2f6c9088f0e674b950d8ec7fc3f013ea13a0d4

        • C:\Program Files\msedge_installer.log

          Filesize

          101KB

          MD5

          d343087dcdca59166b0601da4db36fed

          SHA1

          f01aa15ce36859b8edc71009925bc1ec4b06808d

          SHA256

          1b4bff0a562bf5436b0ce3901fdb6cee1f134256511f5a70505a18fb64ee99b4

          SHA512

          7fa5786e67053a6c4b9500e3da33c38a02a14ade87598876f0147436b22e1c828114777f056fbd25591779ff077fa8e65634a73acf33986a4930ae2a188b7d28

        • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

          Filesize

          529KB

          MD5

          81336558d3ef9862d9f2d0f736e1647e

          SHA1

          b2f17d8896d295600c5a237a1058915284efea7b

          SHA256

          b569727e23bf488cc9cdc8a20ac9b762fea47588ef78947e6da202b9f3182ee8

          SHA512

          8746e4abe01f3f26c7883f4f29127c7782e4d33413bb525bf7c87a8804cf72f550f7c199cd5a55809b88de6eec8236f82704cf845093df10f1008864eda624be

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk

          Filesize

          2KB

          MD5

          73f785a2d3b216bb3b4f729159ac98d0

          SHA1

          a92852e634926ee9fe722fdc4747efe2d64ded16

          SHA256

          350310e32c1e29d1b50a3f0ac2cc2962cdf43adfe088bc0b0b689aca92d64bc6

          SHA512

          d9958d1f444f97f6f63793f73ad71fe725db5d35133fe86baf38c624cf947cd997efe66e66949d9d16dfc314b2203e713acec828da0e5b4907ce8d3cf0bd3240

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          0399458c5e4eb0016d23b122bb8f5b6c

          SHA1

          2e1fcf547ef4c539845df16b9b9a1ea96da08bea

          SHA256

          bed79e2b24c22a37d83804c885039856f951f53209b88fe91b44ae8c65323b32

          SHA512

          e1e8a9d0d63549743b9446e46c5493f1675421b594d83d282ec339c434fdedaa817de874ee2edae4051acd05a1315897958c914975324e6a3b13536ff5380b7d

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2sa5awjl.0ds.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extract_and_run.bat

          Filesize

          952B

          MD5

          fae61599308bbc78cae99ebdcb666f43

          SHA1

          de0a1d2344b09b29b1040bd4904f604a47a6d8c6

          SHA256

          f65af4a3d9d7f4464de4f7c136122f548c3b662a389e569d842be7e3a60d7863

          SHA512

          8e3d8d8ed97e65acd719d60624fa5c5506696e6fbbad5b0466748cccc24832e130bdf584fe0ce55f14628c68ca0a602310f7cb964cd38cf56735a6c64e4ddbf3

        • C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_3816\script.ps1

          Filesize

          2KB

          MD5

          d11c3a63c5ba659b5fe7b5534cb03df5

          SHA1

          d08b1e6af9e5c66454236e5ba64e4c3659db4c47

          SHA256

          02fba22cf32e907760e64c7e4bc4803e2b5395a7eef2091f3f0c9c103aaa3187

          SHA512

          a62a807f7ec5ca51ae392f10b68f3b6a326ae596ee2fdd4da662e58662142d5842d8e8abf1f7a84aba85ef2b067803733301b769024ae8c7bc3ce625c485b4ec

        • C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_3816\sss.bat

          Filesize

          405B

          MD5

          9ca3883fd45a5a455e64704ac6151ac9

          SHA1

          e7f89032ce544253a51020d7e894f6919fc35839

          SHA256

          c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4

          SHA512

          e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a

        • C:\Users\Admin\AppData\Roaming\6RUEBXLM.exe

          Filesize

          11.8MB

          MD5

          eca54760f1e96a78e3f6bc537debc6bc

          SHA1

          82ef61482d781849a80f9f9cff67e2f76ffb7035

          SHA256

          b9b69e4088f61ce32506078d301f9cfc7db064945d6e608724e213aab5852db5

          SHA512

          f70749a89d7d66c2089981fc161db8c88cdf4a3ff6ae6df18b2c6f30b351ad9dd33e527ebea0052db2b60896f7caa44ca2edafa9381db689867d2f9806e36944

        • C:\Users\Admin\AppData\Roaming\WKZCM2LT.exe

          Filesize

          200KB

          MD5

          00affd80e21068e56ae72712509f7a98

          SHA1

          ca6af85f9f2a735f258e1a43043a4b54cdffa9df

          SHA256

          a03ce36025010929a9cc0d286ed02100d259ffc7693beb3623ea7007dce4802c

          SHA512

          07c3f0336e4a6d85bc7c14f1fcba924e45e077f0ada157fa17c4b989fced5d1ac59054c7e90729e63ce3d4f0de7e280a35776c614f681609714418d9a847b7d6

        • memory/408-8-0x00007FFBA9543000-0x00007FFBA9545000-memory.dmp

          Filesize

          8KB

        • memory/408-24-0x00007FFBA9540000-0x00007FFBAA001000-memory.dmp

          Filesize

          10.8MB

        • memory/408-9-0x000001FC1D4A0000-0x000001FC1D4C2000-memory.dmp

          Filesize

          136KB

        • memory/408-69-0x00007FFBA9540000-0x00007FFBAA001000-memory.dmp

          Filesize

          10.8MB

        • memory/408-19-0x00007FFBA9540000-0x00007FFBAA001000-memory.dmp

          Filesize

          10.8MB

        • memory/408-21-0x00007FFBA9540000-0x00007FFBAA001000-memory.dmp

          Filesize

          10.8MB

        • memory/408-23-0x00007FFBA9543000-0x00007FFBA9545000-memory.dmp

          Filesize

          8KB

        • memory/540-73-0x00007FF6C9D70000-0x00007FF6CB04D000-memory.dmp

          Filesize

          18.9MB

        • memory/540-72-0x00007FFBC7F90000-0x00007FFBC7F92000-memory.dmp

          Filesize

          8KB

        • memory/1172-141-0x00000213DFD80000-0x00000213DFD8A000-memory.dmp

          Filesize

          40KB

        • memory/1172-143-0x00000213E1030000-0x00000213E1279000-memory.dmp

          Filesize

          2.3MB

        • memory/1172-140-0x00000213C5860000-0x00000213C586E000-memory.dmp

          Filesize

          56KB

        • memory/1172-142-0x00000213DFDB0000-0x00000213DFDB8000-memory.dmp

          Filesize

          32KB

        • memory/2232-52-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

        • memory/2232-71-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

        • memory/2232-79-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

        • memory/2232-77-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

        • memory/2232-78-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

        • memory/2232-50-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

        • memory/3436-76-0x00007FF6C9D70000-0x00007FF6CB04E000-memory.dmp

          Filesize

          18.9MB

        • memory/3592-47-0x00000000009C0000-0x00000000009F6000-memory.dmp

          Filesize

          216KB

        • memory/3592-48-0x00000000058D0000-0x0000000005E74000-memory.dmp

          Filesize

          5.6MB