edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

Analysis

max time kernel
135s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-04-2023 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toba22bbc.exe
Size

977KB
MD5

13348cb1966e434e5cb63b82e42291b7
SHA1

0c8c616bbdf2b7996358142af6a6ba886fc2b2a9
SHA256

edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275
SHA512

0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b
SSDEEP

24576:8FUrdbfahvepYoeyAmzhocZn+M+WGDBGkV:8Yb1bPhoCnD+WGIkV

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

pid process

1816 svchost.exe
1780 svchost.exe
1620 svchost.exe
1480 svchost.exe
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

1196 WerFault.exe
1196 WerFault.exe
1196 WerFault.exe
1196 WerFault.exe
1196 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1816	svchost.exe
1780	svchost.exe
1620	svchost.exe
1480	svchost.exe

pid	process
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

toba22bbc.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	toba22bbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	toba22bbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	toba22bbc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipinfo.io
13 ipinfo.io
14 ipinfo.io
3 ipinfo.io

flow	ioc
4	ipinfo.io
13	ipinfo.io
14	ipinfo.io
3	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

Processes:

toba22bbc.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1320 set thread context of 1160	1320	toba22bbc.exe	toba22bbc.exe
PID 1816 set thread context of 1780	1816	svchost.exe	svchost.exe
PID 1620 set thread context of 1480	1620	svchost.exe	svchost.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1068 1160 WerFault.exe toba22bbc.exe
1196 1480 WerFault.exe svchost.exe

pid	pid_target	process	target process
1068	1160	WerFault.exe	toba22bbc.exe
1196	1480	WerFault.exe	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

toba22bbc.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	toba22bbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	toba22bbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1748 schtasks.exe
316 schtasks.exe
1912 schtasks.exe

pid	process
1748	schtasks.exe
316	schtasks.exe
1912	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

toba22bbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	toba22bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	toba22bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	toba22bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	toba22bbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	toba22bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	toba22bbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	toba22bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	toba22bbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

toba22bbc.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1160 toba22bbc.exe
Token: SeDebugPrivilege 1480 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1160	toba22bbc.exe
Token: SeDebugPrivilege	1480	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

toba22bbc.execmd.exetoba22bbc.exetaskeng.exesvchost.execmd.exesvchost.exe

description	pid	process	target process
PID 1320 wrote to memory of 1160	1320	toba22bbc.exe	toba22bbc.exe
PID 1320 wrote to memory of 1160	1320	toba22bbc.exe	toba22bbc.exe
PID 1320 wrote to memory of 1160	1320	toba22bbc.exe	toba22bbc.exe
PID 1320 wrote to memory of 1160	1320	toba22bbc.exe	toba22bbc.exe
PID 1320 wrote to memory of 1160	1320	toba22bbc.exe	toba22bbc.exe
PID 1320 wrote to memory of 1160	1320	toba22bbc.exe	toba22bbc.exe
PID 1320 wrote to memory of 1160	1320	toba22bbc.exe	toba22bbc.exe
PID 1320 wrote to memory of 1160	1320	toba22bbc.exe	toba22bbc.exe
PID 1320 wrote to memory of 1160	1320	toba22bbc.exe	toba22bbc.exe
PID 1320 wrote to memory of 1044	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 1044	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 1044	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 1044	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 320	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 320	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 320	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 320	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 656	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 656	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 656	1320	toba22bbc.exe	cmd.exe
PID 1320 wrote to memory of 656	1320	toba22bbc.exe	cmd.exe
PID 320 wrote to memory of 1748	320	cmd.exe	schtasks.exe
PID 320 wrote to memory of 1748	320	cmd.exe	schtasks.exe
PID 320 wrote to memory of 1748	320	cmd.exe	schtasks.exe
PID 320 wrote to memory of 1748	320	cmd.exe	schtasks.exe
PID 1160 wrote to memory of 1068	1160	toba22bbc.exe	WerFault.exe
PID 1160 wrote to memory of 1068	1160	toba22bbc.exe	WerFault.exe
PID 1160 wrote to memory of 1068	1160	toba22bbc.exe	WerFault.exe
PID 1160 wrote to memory of 1068	1160	toba22bbc.exe	WerFault.exe
PID 1152 wrote to memory of 1816	1152	taskeng.exe	svchost.exe
PID 1152 wrote to memory of 1816	1152	taskeng.exe	svchost.exe
PID 1152 wrote to memory of 1816	1152	taskeng.exe	svchost.exe
PID 1152 wrote to memory of 1816	1152	taskeng.exe	svchost.exe
PID 1816 wrote to memory of 1780	1816	svchost.exe	svchost.exe
PID 1816 wrote to memory of 1780	1816	svchost.exe	svchost.exe
PID 1816 wrote to memory of 1780	1816	svchost.exe	svchost.exe
PID 1816 wrote to memory of 1780	1816	svchost.exe	svchost.exe
PID 1816 wrote to memory of 1780	1816	svchost.exe	svchost.exe
PID 1816 wrote to memory of 1780	1816	svchost.exe	svchost.exe
PID 1816 wrote to memory of 1780	1816	svchost.exe	svchost.exe
PID 1816 wrote to memory of 1780	1816	svchost.exe	svchost.exe
PID 1816 wrote to memory of 1780	1816	svchost.exe	svchost.exe
PID 1816 wrote to memory of 1636	1816	svchost.exe	cmd.exe
PID 1816 wrote to memory of 1636	1816	svchost.exe	cmd.exe
PID 1816 wrote to memory of 1636	1816	svchost.exe	cmd.exe
PID 1816 wrote to memory of 1636	1816	svchost.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	svchost.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	svchost.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	svchost.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	svchost.exe	cmd.exe
PID 1744 wrote to memory of 316	1744	cmd.exe	schtasks.exe
PID 1744 wrote to memory of 316	1744	cmd.exe	schtasks.exe
PID 1744 wrote to memory of 316	1744	cmd.exe	schtasks.exe
PID 1744 wrote to memory of 316	1744	cmd.exe	schtasks.exe
PID 1816 wrote to memory of 1684	1816	svchost.exe	cmd.exe
PID 1816 wrote to memory of 1684	1816	svchost.exe	cmd.exe
PID 1816 wrote to memory of 1684	1816	svchost.exe	cmd.exe
PID 1816 wrote to memory of 1684	1816	svchost.exe	cmd.exe
PID 1152 wrote to memory of 1620	1152	taskeng.exe	svchost.exe
PID 1152 wrote to memory of 1620	1152	taskeng.exe	svchost.exe
PID 1152 wrote to memory of 1620	1152	taskeng.exe	svchost.exe
PID 1152 wrote to memory of 1620	1152	taskeng.exe	svchost.exe
PID 1620 wrote to memory of 1480	1620	svchost.exe	svchost.exe
PID 1620 wrote to memory of 1480	1620	svchost.exe	svchost.exe

outlook_office_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

C:\Users\Admin\AppData\Local\Temp\toba22bbc.exe
"C:\Users\Admin\AppData\Local\Temp\toba22bbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\toba22bbc.exe
"C:\Users\Admin\AppData\Local\Temp\toba22bbc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 1884
3⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\toba22bbc.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\taskeng.exe
taskeng.exe {28BD46E6-C980-43C7-BE3A-1085E3A39EE3} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
- Executes dropped EXE
PID:1780

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
3⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:316

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
PID:1684

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1856
4⤵
- Loads dropped DLL
- Program crash
PID:1196

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
PID:1528

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1912

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
3⤵
PID:1424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c6791e400b82af1c3bb1df3417bc7dbc

SHA1
4f1cb53626a6cb4d8946bcf3b84552339988653a

SHA256
dd579fc384b75273b377c8f0c341a8a274ab1ee0a7138e80a8792ed9cb604c29

SHA512
3e158bf2cf8a9309af315f112ad67ab225f4e81df6e983302fc72ba33fae493331d1eb9de16da52284514ce97c689c16b7fe17806ca5f1b368879f5eddeefd61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
67ec568ec773788e5e4a7239f3112aaf

SHA1
d0f322c292404156c78c67a177cbcdbc2ba9de00

SHA256
a57331e567af7b214d4f1a9503d1feb9d63703f584102b7f19d9a7c2c7eb72b0

SHA512
a3007e5289795f522a748676a4468c475179db1d17de633805fbea93f71bb8dd18fd0df0afd7cc68acf52690fb64afffe77ea263e6e635880d601c23fa2dfc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4A0E.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4BCA.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\p11tqp44.lhy\Cookies\Chrome-Default.json
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp514D.tmp.tmpdb
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF9E.tmp.tmpdb
Filesize
288KB

MD5
ac204b6d71830cefdce82bcc54ea7f51

SHA1
d065a795a84a11659f381dc360db40f9c09dc7d8

SHA256
613d1fe937655112b1b93240a0197b259403d6243addbc5c1931d5c11261f1a4

SHA512
30a7c7b1826a5938d5c7f4aa1c9a0a4033e967a0f7a861fcb14e8ff70bd33ac77a6e3990034519f353bccad069f24586299609130f65e6dd31a3d15a84c911cd

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
memory/1160-64-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1160-59-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1160-164-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/1160-144-0x0000000008DE0000-0x0000000008E92000-memory.dmp

Filesize
712KB

Download
memory/1160-57-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1160-58-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1160-198-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/1160-74-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/1160-60-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1160-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1160-63-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1160-68-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1160-71-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1320-54-0x00000000002A0000-0x000000000039A000-memory.dmp

Filesize
1000KB

Download
memory/1320-56-0x0000000004210000-0x00000000042E6000-memory.dmp

Filesize
856KB

Download
memory/1320-55-0x00000000047B0000-0x00000000047F0000-memory.dmp

Filesize
256KB

Download
memory/1480-225-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1480-226-0x0000000000730000-0x0000000000770000-memory.dmp

Filesize
256KB

Download
memory/1480-219-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1480-302-0x0000000000730000-0x0000000000770000-memory.dmp

Filesize
256KB

Download
memory/1620-214-0x00000000043A0000-0x00000000043E0000-memory.dmp

Filesize
256KB

Download
memory/1780-211-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1780-207-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1816-202-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/1816-201-0x0000000000A40000-0x0000000000B3A000-memory.dmp

Filesize
1000KB

Download