Overview

overview

10

Static

static

10

f87b4e7c69...d4.exe

windows7-x64

10

f87b4e7c69...d4.exe

windows10-2004-x64

10

Resubmissions

16-02-2025 02:36

250216-c3l6naxpdl 10

15-02-2025 05:05

250215-fq5zsavngp 10

Analysis

  • max time kernel
    1790s
  • max time network
    1790s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-02-2025 02:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4.exe

  • Size

    104KB

  • MD5

    eb6beba0181a014ac8c0ec040cb1121a

  • SHA1

    52805384c7cd1b73944525c480792a3d0319b116

  • SHA256

    f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4

  • SHA512

    0afb9a7d180fe017520afb39e954821f77c8b6e2e11bbf73402dcdade231d07f3b755f40606252c917b51a0f5f32d499b96b30e7f2f617c50e709eae4cd80ae4

  • SSDEEP

    1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqfIzmd:nSHIG6mQwGmfOQd8YhY0/EqUG

Score
10/10
lokibotadwarecollectiondiscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

https://rottot.shop/Devil/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Lokibot family
    lokibot
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 12 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4.exe
    "C:\Users\Admin\AppData\Local\Temp\f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:3284
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjU0ODJCRDYtNjM2RS00QTU3LTg2RTMtOTFEREI3RjdBREY5fSIgdXNlcmlkPSJ7Q0Y0RUNCRDUtQjI1My00NDkxLTgwNjQtOEU1NkQ3QkFGRTcwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTA0ODI0ODUtMDVFRC00NkY2LThBNjQtNEVFMkQ1OTJDNjE5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI4IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzkwNzY2ODAxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4440
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\MicrosoftEdge_X64_133.0.3065.69.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2384
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7d9126a68,0x7ff7d9126a74,0x7ff7d9126a80
        3⤵
        • Executes dropped EXE
        PID:3236
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7d9126a68,0x7ff7d9126a74,0x7ff7d9126a80
          4⤵
          • Executes dropped EXE
          PID:3652
      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a7db6a68,0x7ff7a7db6a74,0x7ff7a7db6a80
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:3844
      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a7db6a68,0x7ff7a7db6a74,0x7ff7a7db6a80
          4⤵
          • Executes dropped EXE
          PID:4028
      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:664
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a7db6a68,0x7ff7a7db6a74,0x7ff7a7db6a80
          4⤵
          • Executes dropped EXE
          PID:5080
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
    1⤵
      PID:1360
    • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
      "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3168
    • C:\Windows\system32\wwahost.exe
      "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2848
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{88070F51-A463-409F-9498-4D05102F6A7E}\MicrosoftEdge_X64_133.0.3065.69_132.0.2957.140.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{88070F51-A463-409F-9498-4D05102F6A7E}\MicrosoftEdge_X64_133.0.3065.69_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:6016
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{88070F51-A463-409F-9498-4D05102F6A7E}\EDGEMITMP_CD529.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{88070F51-A463-409F-9498-4D05102F6A7E}\EDGEMITMP_CD529.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{88070F51-A463-409F-9498-4D05102F6A7E}\MicrosoftEdge_X64_133.0.3065.69_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
        2⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:6064
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{88070F51-A463-409F-9498-4D05102F6A7E}\EDGEMITMP_CD529.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{88070F51-A463-409F-9498-4D05102F6A7E}\EDGEMITMP_CD529.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{88070F51-A463-409F-9498-4D05102F6A7E}\EDGEMITMP_CD529.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7fc266a68,0x7ff7fc266a74,0x7ff7fc266a80
          3⤵
          • Executes dropped EXE
          PID:6088
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjU0ODJCRDYtNjM2RS00QTU3LTg2RTMtOTFEREI3RjdBREY5fSIgdXNlcmlkPSJ7Q0Y0RUNCRDUtQjI1My00NDkxLTgwNjQtOEU1NkQ3QkFGRTcwfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InszOEI1QTE1Ni00QTM5LTQxRjctODBFMC1CNTdBMEI4QkQ4NDJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjgiIGNvaG9ydD0icnJmQDAuNjkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iOSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7QTQxRTc1OUQtQjVGRS00MEVELUIyNkQtRTFDRkI2QTVDMURBfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMy4wLjMwNjUuNjkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iOCIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDIzMjM2OTMzNTc1MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU1NjIzNjA2MyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTU2MjM2MDYzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NDM0MzYwNzQwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvYWY4ZTVmMmMtOGI3Zi00NzhmLThmNmMtZjFkYzU2N2UwZDY1P1AxPTE3NDAyNzgyNTMmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9YTQ0ayUyZmhsaSUyYmVUZjVzUUlqNjQlMmZneXRXSiUyYjJvenNmR3RrJTJidjE3dGRSa0NsOTY4NWVJWlNyU0NWS2lzUFBZcDVPN05vWTQwWlFhVUFRJTJmcFZQaTdWTVElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NDM0MzYwNzQwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9hZjhlNWYyYy04YjdmLTQ3OGYtOGY2Yy1mMWRjNTY3ZTBkNjU_UDE9MTc0MDI3ODI1MyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1hNDRrJTJmaGxpJTJiZVRmNXNRSWo2NCUyZmd5dFdKJTJiMm96c2ZHdGslMmJ2MTd0ZFJrQ2w5Njg1ZUlaU3JTQ1ZLaXNQUFlwNU83Tm9ZNDBaUWFVQVElMmZwVlBpN1ZNUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3ODYxMTI4MCIgdG90YWw9IjE3ODYxMTI4MCIgZG93bmxvYWRfdGltZV9tcz0iODE0MDYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjQzNDM2MDc0MCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NDQ4MTEwNzI1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3MDg0MzYwNzI2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMzY1NiIgZG93bmxvYWRfdGltZV9tcz0iODc4MTMiIGRvd25sb2FkZWQ9IjE3ODYxMTI4MCIgdG90YWw9IjE3ODYxMTI4MCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjM2MTAiLz48cGluZyBhY3RpdmU9IjEiIGE9IjkiIHI9IjkiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InsyRDE3MzJEMy05OUJCLTQ0REItQTVBNy1FQjQ5OEE0RERCRjF9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iMTMzLjAuMzA2NS42OSIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjgiIGluc3RhbGxkYXRlPSI2NjA4IiBjb2hvcnQ9InJyZkAwLjQ0Ij48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTU2MjM2MDYzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjcwODQzNjA3MjYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjcyNDA3NjcwNTkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9iNjI0MjA1Ny05OGQwLTRiYWItOThlMS03MDE0NTYxZGM2NjM_UDE9MTc0MDI3ODI1MyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1LZGZGSnpMcmtiS0NNWXJIdXFwMDhpN0JXZUR1ZjYwcUM0ZkcyeExUaEVjc3IzMUdUdjFQeXVwRzl1dGlYU1pxS1NCYUd3MUhrMXZMNWxpdjBYOFZUdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjcyNDA3NjcwNTkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2I2MjQyMDU3LTk4ZDAtNGJhYi05OGUxLTcwMTQ1NjFkYzY2Mz9QMT0xNzQwMjc4MjUzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUtkZkZKekxya2JLQ01Zckh1cXAwOGk3QldlRHVmNjBxQzRmRzJ4TFRoRWNzcjMxR1R2MVB5dXBHOXV0aVhTWnFLU0JhR3cxSGsxdkw1bGl2MFg4VlR3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iNTg0OTk2NjQiIHRvdGFsPSI1ODQ5OTY2NCIgZG93bmxvYWRfdGltZV9tcz0iMTUwNjMiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzI0MDc2NzA1OSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3MjQ4NTc5MzkzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NzU1MTQyMTc4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMzY1NiIgZG93bmxvYWRfdGltZV9tcz0iMTU2NDAiIGRvd25sb2FkZWQ9IjU4NDk5NjY0IiB0b3RhbD0iNTg0OTk2NjQiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjUwNjU2Ii8-PHBpbmcgcj0iOSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MzVCMkY1RTctQjM4MC00MzgyLTlDMEItQTJCODVEREUwRTA2fSIvPjwvYXBwPjwvcmVxdWVzdD4
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:2544

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Active Setup

    1
    T1547.014

    Browser Extensions

    1
    T1176

    Event Triggered Execution

    1
    T1546

    Component Object Model Hijacking

    1
    T1546.015

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Active Setup

    1
    T1547.014

    Event Triggered Execution

    1
    T1546

    Component Object Model Hijacking

    1
    T1546.015

    Defense Evasion

    Modify Registry

    4
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Internet Connection Discovery

    1
    T1016.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Installer\msedge_7z.data
      Filesize

      3KB

      MD5

      fdafd3d3a736e5c75d913779fcfd942c

      SHA1

      712989296d8bbb3990f000a16e1a9808fd2c3393

      SHA256

      97be491fb1b44a105e615cde0a08d3439e3ab5f311216cad0954366a3d1a71c6

      SHA512

      36317b8cc623aef13aaa00c51bc7906fd6e93a1c9836051ff7953ebddff1ed2e165b44165a402ae1fb62eb6877a0477966788eb4967b820d4d9049d3fc6d85a8

      Download Submit

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{88070F51-A463-409F-9498-4D05102F6A7E}\EDGEMITMP_CD529.tmp\SETUP.EX_
      Filesize

      2.7MB

      MD5

      8b1abae1ce12dd175032f274dfbbea25

      SHA1

      b22d211f9819cd791b9cbfcfb13a1f4922ce3f1c

      SHA256

      121f1d31e93c40320699538153b201ffe9d47bb281c7841fac111da2f6fa44c0

      SHA512

      f1fd5fa18d687a629144b018db92327e50f0c8f6fdbb3c4a4bb46090b2bc0d367efd7bd3e85eeb41cbaf7a24c9bc943c755f87cb4f511b2ca3393d4a064c937f

      Download Submit

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD716C06-23F2-44C6-8C2E-D7B77344E1F7}\EDGEMITMP_DCFD1.tmp\setup.exe
      Filesize

      6.8MB

      MD5

      bdb1aecedc15fc82a63083452dad45c2

      SHA1

      a074fcd78665ff90ee3e50ffcccad5f6c3e7ddcb

      SHA256

      4ea0907c3fc2c2f6a4259002312671c82e008846d49957bb3b9915612e35b99f

      SHA512

      50909640c2957fc35dd5bcac3b51797aa5daa2fb95364e69df95d3577482e13f0c36a70ae098959cb9c2aaeb4cfe43025c1d8d55b5f8858b474bcb702609749d

      Download Submit

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Filesize

      3.9MB

      MD5

      4aaa893417cccc147989f876c6a7b295

      SHA1

      b1e35c83518bb275924ead0cd6206bf0c982d30f

      SHA256

      2c38e3c3f18e2d3fb7f04336356b9b5186cabe06b3343beec318ef0def1a9eeb

      SHA512

      109e0c88977fae65a4950fc38393ca32a70d68ef41aeb75b28e6566e0fa626e32e31be38308e7ed5b6a8ba1f56fb5f2133a07aa8bb643224c3dbb089ce9cfd0e

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      97KB

      MD5

      592d3ba99a4257db95fac645acb7aadf

      SHA1

      208acd50fed2d9e650fedda2878bf68c0260ef89

      SHA256

      cf66df5b355326e911cf427df5693b992d4f847f4dffcb9133c496fd47e63bcc

      SHA512

      d03e371e58ce161f51b7373b79b264c1570177fb1ac1da2ceef627556cf300c8d31e8fdd429e44ac57a8a4c094ccd4ba8dff0b11162c8fcd7424f05ca78acedc

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      99KB

      MD5

      8702678fa75681572a088b43c124910f

      SHA1

      a9d83c532e7298e3075b57f04903ce9a7abcfb5b

      SHA256

      b3c06d5c04a93aa66a83be32410df40b35c23adb063e5431f051c9694458a550

      SHA512

      ff71766ecef28b75940c11d8f29bfb1d954db45ae6329fe294b7fda4276a622c92e4246a80d90bf0a324571083d9ace972383e9a532efbdb50c0f6241d42b4ea

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      102KB

      MD5

      c40a1fb01d4f92822df11c9639f5761d

      SHA1

      a5c0b399be71833577f045d91ab4d2a71c2ba761

      SHA256

      5d55a597e6ab2a286813f1b4bcf671469ad37f4708b2a823f63aec4f91441427

      SHA512

      1dc38b84da8b159e809c129349f2e3fcc95a7a84893a2b940105a87a9ee3f873d092a5eb49417c3e55f42830fde6b7e8ba511b9cfe4c6ea7e4d9124b56f2658b

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      104KB

      MD5

      88c0099874fc6665dd7506358124057b

      SHA1

      a8cfc690332cea09ea8550f6a885fd014c7c0d00

      SHA256

      f44b8a6c7a5a2d7cc0e405b922b9c14bc07f99ed0475b4970839d50b7a425984

      SHA512

      2477d1847ddc7ebb92bf4585cccb37869abc437ddb4b6d95bb086e4db0e0b07c3016863b78f4f43479bd9853464616773d213f2b18d65f860f76ed4839b3805e

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      108KB

      MD5

      d2af1b8be5b52b303fef46ee3e552857

      SHA1

      c66710f86c507e1df4e0e7597a1b9e843515a9a6

      SHA256

      d61c44133d561f7dc156d414d457f701e56ab505e97f08e2f5a773f4e0bba401

      SHA512

      98026f19b27566ac6590d7e5f1d01e3ca179415e126f37360ff41115d5173d9076453431098674b7215e82ed3a4c979a5375bfc1309500937481d3d3e095b332

      Download Submit

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
      Filesize

      619KB

      MD5

      092ab14817e111411de8fe8703c67390

      SHA1

      cf33ffe58a9e8fbfdfc0ab66fff95ce7bf5dc2cb

      SHA256

      f5aba57253529a0cb801ffbfe56d34d8793d0a52593157db9be124a0046de1c0

      SHA512

      d55ea8f5f0193a4f0d8e099a12a9f2bf67738c902c826af3ce59e64dd109622a6d15ad099437ba15bf9c65bb660ee7167c403f4a6e8ce71f6643a1a365ffb594

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-705198581-2062733989-3666524522-1000\0f5007522459c86e95ffcc62f32308f1_cef19d6c-75f8-452d-90cc-0abf0a2589c0
      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-705198581-2062733989-3666524522-1000\0f5007522459c86e95ffcc62f32308f1_cef19d6c-75f8-452d-90cc-0abf0a2589c0
      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

      Download Submit

    • memory/3168-166-0x0000023EBD390000-0x0000023EBD39E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3168-167-0x0000023ED78B0000-0x0000023ED78BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3168-168-0x0000023ED78E0000-0x0000023ED78E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3168-169-0x0000023ED7C00000-0x0000023ED7E49000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/3284-41-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download