qakbot | d5cf07929dcec70aa230c4a44f26280ef4059d73a84a3127ed6afa550dc2ce5c

Analysis

max time kernel
1801s
max time network
1791s
platform
windows7_x64
resource
win7v20201028
submitted
27-01-2021 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

instruct,01.21.doc
Size

96KB
MD5

3b11828f9b91c4f084c332c20cdbf2e7
SHA1

5e10dd3c1db565269a946e6f2b12f7b1b316989c
SHA256

d5cf07929dcec70aa230c4a44f26280ef4059d73a84a3127ed6afa550dc2ce5c
SHA512

af4da208911ee02b9c7b0383233b3b228563a7f0ea0a281dc03d818aa93644eb5eb8784a481b24e32543b57cdfae02586dd100916e6517297250a9fef64d07c1

Score

10^/10

qakbot krk01 1611569149 banker ransomware stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 1 IoCs

Processes:

h1.com

pid process

1612 h1.com
Loads dropped DLL 4 IoCs

Processes:

WINWORD.EXEregsvr32.exeregsvr32.exeregsvr32.exe

pid process

1924 WINWORD.EXE
2056 regsvr32.exe
2896 regsvr32.exe
2276 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2688 schtasks.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2132 net.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exenetstat.exe

pid process

2104 ipconfig.exe
456 netstat.exe

pid	process
1612	h1.com

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2688	schtasks.exe

pid	process
2132	net.exe

pid	process
2104	ipconfig.exe
456	netstat.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{6F80A47C-0CA2-4498-87B9-05BC4C5EC728}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F80A47C-0CA2-4498-87B9-05BC4C5EC728}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F80A47C-0CA2-4498-87B9-05BC4C5EC728}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F80A47C-0CA2-4498-87B9-05BC4C5EC728}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{6F80A47C-0CA2-4498-87B9-05BC4C5EC728}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F80A47C-0CA2-4498-87B9-05BC4C5EC728}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

ping.exe

pid process

2780 ping.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1924 WINWORD.EXE

pid	process
2780	ping.exe

Suspicious behavior: EnumeratesProcesses 150 IoCs

Processes:

regsvr32.exeexplorer.exeexplorer.exetaskhost.exeDwm.exeExplorer.EXEWINWORD.EXEsplwow64.exeDllHost.exeexplorer.exe

pid	process
2056	regsvr32.exe
2056	regsvr32.exe
2156	explorer.exe
2008	explorer.exe
1128	taskhost.exe
1240	Dwm.exe
1276	Explorer.EXE
1924	WINWORD.EXE
1568	splwow64.exe
3036	DllHost.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
1128	taskhost.exe
1240	Dwm.exe
1276	Explorer.EXE
1924	WINWORD.EXE
1568	splwow64.exe
3036	DllHost.exe
2052	explorer.exe
1128	taskhost.exe
1240	Dwm.exe
1276	Explorer.EXE
1924	WINWORD.EXE
1568	splwow64.exe
3036	DllHost.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe
2052	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regsvr32.exe

pid process

2056 regsvr32.exe
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

regsvr32.exeexplorer.exe

pid process

2056 regsvr32.exe
2156 explorer.exe
2156 explorer.exe
2156 explorer.exe
2156 explorer.exe
2156 explorer.exe
2156 explorer.exe

Suspicious use of AdjustPrivilegeToken 70 IoCs

Processes:

h1.comWINWORD.EXEwhoami.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1612	h1.com
Token: SeSecurityPrivilege	1612	h1.com
Token: SeTakeOwnershipPrivilege	1612	h1.com
Token: SeLoadDriverPrivilege	1612	h1.com
Token: SeSystemProfilePrivilege	1612	h1.com
Token: SeSystemtimePrivilege	1612	h1.com
Token: SeProfSingleProcessPrivilege	1612	h1.com
Token: SeIncBasePriorityPrivilege	1612	h1.com
Token: SeCreatePagefilePrivilege	1612	h1.com
Token: SeBackupPrivilege	1612	h1.com
Token: SeRestorePrivilege	1612	h1.com
Token: SeShutdownPrivilege	1612	h1.com
Token: SeDebugPrivilege	1612	h1.com
Token: SeSystemEnvironmentPrivilege	1612	h1.com
Token: SeRemoteShutdownPrivilege	1612	h1.com
Token: SeUndockPrivilege	1612	h1.com
Token: SeManageVolumePrivilege	1612	h1.com
Token: 33	1612	h1.com
Token: 34	1612	h1.com
Token: 35	1612	h1.com
Token: SeIncreaseQuotaPrivilege	1612	h1.com
Token: SeSecurityPrivilege	1612	h1.com
Token: SeTakeOwnershipPrivilege	1612	h1.com
Token: SeLoadDriverPrivilege	1612	h1.com
Token: SeSystemProfilePrivilege	1612	h1.com
Token: SeSystemtimePrivilege	1612	h1.com
Token: SeProfSingleProcessPrivilege	1612	h1.com
Token: SeIncBasePriorityPrivilege	1612	h1.com
Token: SeCreatePagefilePrivilege	1612	h1.com
Token: SeBackupPrivilege	1612	h1.com
Token: SeRestorePrivilege	1612	h1.com
Token: SeShutdownPrivilege	1612	h1.com
Token: SeDebugPrivilege	1612	h1.com
Token: SeSystemEnvironmentPrivilege	1612	h1.com
Token: SeRemoteShutdownPrivilege	1612	h1.com
Token: SeUndockPrivilege	1612	h1.com
Token: SeManageVolumePrivilege	1612	h1.com
Token: 33	1612	h1.com
Token: 34	1612	h1.com
Token: 35	1612	h1.com
Token: SeShutdownPrivilege	1924	WINWORD.EXE
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe
Token: SeDebugPrivilege	1412	whoami.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE

Suspicious use of WriteProcessMemory 200 IoCs

Processes:

WINWORD.EXEh1.comregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1924 wrote to memory of 1612	1924	WINWORD.EXE	h1.com
PID 1924 wrote to memory of 1612	1924	WINWORD.EXE	h1.com
PID 1924 wrote to memory of 1612	1924	WINWORD.EXE	h1.com
PID 1924 wrote to memory of 1612	1924	WINWORD.EXE	h1.com
PID 1924 wrote to memory of 1568	1924	WINWORD.EXE	splwow64.exe
PID 1924 wrote to memory of 1568	1924	WINWORD.EXE	splwow64.exe
PID 1924 wrote to memory of 1568	1924	WINWORD.EXE	splwow64.exe
PID 1924 wrote to memory of 1568	1924	WINWORD.EXE	splwow64.exe
PID 1612 wrote to memory of 2056	1612	h1.com	regsvr32.exe
PID 1612 wrote to memory of 2056	1612	h1.com	regsvr32.exe
PID 1612 wrote to memory of 2056	1612	h1.com	regsvr32.exe
PID 1612 wrote to memory of 2056	1612	h1.com	regsvr32.exe
PID 1612 wrote to memory of 2056	1612	h1.com	regsvr32.exe
PID 1612 wrote to memory of 2056	1612	h1.com	regsvr32.exe
PID 1612 wrote to memory of 2056	1612	h1.com	regsvr32.exe
PID 2056 wrote to memory of 2156	2056	regsvr32.exe	explorer.exe
PID 2056 wrote to memory of 2156	2056	regsvr32.exe	explorer.exe
PID 2056 wrote to memory of 2156	2056	regsvr32.exe	explorer.exe
PID 2056 wrote to memory of 2156	2056	regsvr32.exe	explorer.exe
PID 2056 wrote to memory of 2156	2056	regsvr32.exe	explorer.exe
PID 2056 wrote to memory of 2156	2056	regsvr32.exe	explorer.exe
PID 2156 wrote to memory of 2688	2156	explorer.exe	schtasks.exe
PID 2156 wrote to memory of 2688	2156	explorer.exe	schtasks.exe
PID 2156 wrote to memory of 2688	2156	explorer.exe	schtasks.exe
PID 2156 wrote to memory of 2688	2156	explorer.exe	schtasks.exe
PID 2828 wrote to memory of 2876	2828	taskeng.exe	regsvr32.exe
PID 2828 wrote to memory of 2876	2828	taskeng.exe	regsvr32.exe
PID 2828 wrote to memory of 2876	2828	taskeng.exe	regsvr32.exe
PID 2828 wrote to memory of 2876	2828	taskeng.exe	regsvr32.exe
PID 2828 wrote to memory of 2876	2828	taskeng.exe	regsvr32.exe
PID 2876 wrote to memory of 2896	2876	regsvr32.exe	regsvr32.exe
PID 2876 wrote to memory of 2896	2876	regsvr32.exe	regsvr32.exe
PID 2876 wrote to memory of 2896	2876	regsvr32.exe	regsvr32.exe
PID 2876 wrote to memory of 2896	2876	regsvr32.exe	regsvr32.exe
PID 2876 wrote to memory of 2896	2876	regsvr32.exe	regsvr32.exe
PID 2876 wrote to memory of 2896	2876	regsvr32.exe	regsvr32.exe
PID 2876 wrote to memory of 2896	2876	regsvr32.exe	regsvr32.exe
PID 2156 wrote to memory of 1412	2156	explorer.exe	whoami.exe
PID 2156 wrote to memory of 1412	2156	explorer.exe	whoami.exe
PID 2156 wrote to memory of 1412	2156	explorer.exe	whoami.exe
PID 2156 wrote to memory of 1412	2156	explorer.exe	whoami.exe
PID 2156 wrote to memory of 1592	2156	explorer.exe	cmd.exe
PID 2156 wrote to memory of 1592	2156	explorer.exe	cmd.exe
PID 2156 wrote to memory of 1592	2156	explorer.exe	cmd.exe
PID 2156 wrote to memory of 1592	2156	explorer.exe	cmd.exe
PID 2156 wrote to memory of 1696	2156	explorer.exe	arp.exe
PID 2156 wrote to memory of 1696	2156	explorer.exe	arp.exe
PID 2156 wrote to memory of 1696	2156	explorer.exe	arp.exe
PID 2156 wrote to memory of 1696	2156	explorer.exe	arp.exe
PID 2156 wrote to memory of 2104	2156	explorer.exe	ipconfig.exe
PID 2156 wrote to memory of 2104	2156	explorer.exe	ipconfig.exe
PID 2156 wrote to memory of 2104	2156	explorer.exe	ipconfig.exe
PID 2156 wrote to memory of 2104	2156	explorer.exe	ipconfig.exe
PID 2156 wrote to memory of 2132	2156	explorer.exe	net.exe
PID 2156 wrote to memory of 2132	2156	explorer.exe	net.exe
PID 2156 wrote to memory of 2132	2156	explorer.exe	net.exe
PID 2156 wrote to memory of 2132	2156	explorer.exe	net.exe
PID 2156 wrote to memory of 2136	2156	explorer.exe	nslookup.exe
PID 2156 wrote to memory of 2136	2156	explorer.exe	nslookup.exe
PID 2156 wrote to memory of 2136	2156	explorer.exe	nslookup.exe
PID 2156 wrote to memory of 2136	2156	explorer.exe	nslookup.exe
PID 2156 wrote to memory of 2188	2156	explorer.exe	net.exe
PID 2156 wrote to memory of 2188	2156	explorer.exe	net.exe
PID 2156 wrote to memory of 2188	2156	explorer.exe	net.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1276

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\instruct,01.21.doc"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924

\??\c:\programdata\h1.com
c:\programdata\h1.com pagefile get /format:"c:\programdata\h1.xsl"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\programdata\51822.jpg
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rbokycaf /tr "regsvr32.exe -s \"c:\programdata\51822.jpg\"" /SC ONCE /Z /ST 19:46 /ET 19:58
6⤵
- Creates scheduled task(s)
PID:2688

C:\Windows\SysWOW64\whoami.exe
whoami /all
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SysWOW64\cmd.exe
cmd /c set
6⤵
PID:1592

C:\Windows\SysWOW64\arp.exe
arp -a
6⤵
PID:1696

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
6⤵
- Gathers network information
PID:2104

C:\Windows\SysWOW64\net.exe
net view /all
6⤵
- Discovers systems in the same network
PID:2132

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
6⤵
PID:2136

C:\Windows\SysWOW64\net.exe
net share
6⤵
PID:2188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
7⤵
PID:2012

C:\Windows\SysWOW64\route.exe
route print
6⤵
PID:1560

C:\Windows\SysWOW64\netstat.exe
netstat -nao
6⤵
- Gathers network information
PID:456

C:\Windows\SysWOW64\net.exe
net localgroup
6⤵
PID:1984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
7⤵
PID:340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
PID:2292

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
PID:2468

C:\Windows\SysWOW64\ping.exe
C:\Windows\SysWOW64\ping.exe -t 127.0.0.1
7⤵
- Runs ping.exe
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "rmdir /S /Q "C:\Users\Admin\EmailStorage_EIDQHRRL-Admin_1611777196""
8⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rmdir /S /Q "C:\Users\Admin\EmailStorage_EIDQHRRL-Admin_1611777196"
8⤵
PID:2856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
PID:864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
PID:2452

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1240

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\system32\taskeng.exe
taskeng.exe {6C3565CA-1F63-4BAB-9AC2-18323F8F59F8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "c:\programdata\51822.jpg"
2⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\regsvr32.exe
-s "c:\programdata\51822.jpg"
3⤵
- Loads dropped DLL
PID:2896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1284

C:\Windows\system32\taskeng.exe
taskeng.exe {D99671D7-73FC-4ED0-8549-B5EB4C037D20} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2372

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "c:\programdata\51822.jpg"
2⤵
PID:2224

C:\Windows\SysWOW64\regsvr32.exe
-s "c:\programdata\51822.jpg"
3⤵
- Loads dropped DLL
PID:2276

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\h1.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
C:\Users\Admin\EmailStorage_EIDQHRRL-Admin_1611777196\COLLEC~1.TXT
MD5
2fae596bed72493fbd4e6ec54d347281

SHA1
e6fd7f27470e81adbbcce4f5394b6d947f6ac51f

SHA256
031b4b9357fa11136726b4113bcdffef8a130739ee8515d8ea932b0303aed52c

SHA512
b5c07d505a92a41a24db7324a855168fb57fb993bd4d3ed7686f3a4743311cf49d70a940f1a770437b118cd22d8d6d7678dfe2d6eade8e52099ad8da354351d4

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\programdata\51822.jpg
MD5
60d8c62b8b38e2b9faefe0af70ebdfb2

SHA1
a996c176b7793e22ad2be27b0e49d9d01535a503

SHA256
6c858bfc842fbe115910cc1e3799401671e450dbe8256958dd73039d1b729b09

SHA512
f145e269e0748365d0723f8e1c05ce2fd4044cf6fdd31aefd9662e01c0a9c32d8d68b82be0272061852b0fa3c051b7c6881856aff984d803a289e9f2f7bd1890

Download Submit
\??\c:\programdata\51822.jpg
MD5
c8e82fdb6fc9ceb03e9d75d8f1e6da35

SHA1
ac49bbc49db53440a1b3a2366389b18545c9285d

SHA256
aca1bb2539c33e258322a92812d4641929bfb919f1995c0034c5965fd2a68563

SHA512
1065cdf097ca88b1ef70006ed7dc901924e1da1444b2c502fa39a8506e1c305fddd9d8bedf64f1771199db12b6aacd401f9c46d6022e97d4f49a22dc42cc0060

Download Submit
\??\c:\programdata\asrsyqmi32.dll
MD5
259af1e166c7feb15fdd433776d2296a

SHA1
81f8a35bcd72ea34e3eb811a26db38e41f07993c

SHA256
2eb2a198a8c5d48d55a2e1b7cc62882061541b19cc7946c83c2e2fe04c85a874

SHA512
c8beeaa57bf81f585e8824b7624eedebb232bb0a56604dc74ca3a108a4dded7e668ef11e2e989bb56bf8027070871310c1bda299fc1d619b32efac17bd917a6b

Download Submit
\??\c:\programdata\h1.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\??\c:\programdata\h1.xsl
MD5
7ba1d866de55068e6fb74296af868c19

SHA1
115cda13387f40f02516b421460981c4f28cb447

SHA256
dd4b70ed3c82424d1278cd7c94a6877071532d685b9153e5153bd9941268bbdf

SHA512
4be6343dcee8910e1aed8a0ff5330bfd21f06a9e035e7cd268f357f850517d77fb6934e2a843bd664ce8943d1cf222cfe9c548536ac5a635cbbf5e5581c48c8b

Download Submit
\??\c:\programdata\jsbponn.meh
MD5
87d5dc1ccb1a5498a5ba3fa39c8e3599

SHA1
3b5c55f08a4863ef8a0b5bed6b47be0c97afa327

SHA256
caf8e0a716a98c78bd98690c92d569392a8669938a6d20bdaaaea7a52d1c833d

SHA512
a02a3579581cf9dfc22351e8fcc299975ff004c74519423977d5bc574d68b089890561cab4f78179859b0920c18b55bdfc30fddb6da1f22e13e7aacef1c67778

Download Submit
\ProgramData\51822.jpg
MD5
60d8c62b8b38e2b9faefe0af70ebdfb2

SHA1
a996c176b7793e22ad2be27b0e49d9d01535a503

SHA256
6c858bfc842fbe115910cc1e3799401671e450dbe8256958dd73039d1b729b09

SHA512
f145e269e0748365d0723f8e1c05ce2fd4044cf6fdd31aefd9662e01c0a9c32d8d68b82be0272061852b0fa3c051b7c6881856aff984d803a289e9f2f7bd1890

Download Submit
\ProgramData\51822.jpg
MD5
c8e82fdb6fc9ceb03e9d75d8f1e6da35

SHA1
ac49bbc49db53440a1b3a2366389b18545c9285d

SHA256
aca1bb2539c33e258322a92812d4641929bfb919f1995c0034c5965fd2a68563

SHA512
1065cdf097ca88b1ef70006ed7dc901924e1da1444b2c502fa39a8506e1c305fddd9d8bedf64f1771199db12b6aacd401f9c46d6022e97d4f49a22dc42cc0060

Download Submit
\ProgramData\51822.jpg
MD5
c8e82fdb6fc9ceb03e9d75d8f1e6da35

SHA1
ac49bbc49db53440a1b3a2366389b18545c9285d

SHA256
aca1bb2539c33e258322a92812d4641929bfb919f1995c0034c5965fd2a68563

SHA512
1065cdf097ca88b1ef70006ed7dc901924e1da1444b2c502fa39a8506e1c305fddd9d8bedf64f1771199db12b6aacd401f9c46d6022e97d4f49a22dc42cc0060

Download Submit
\ProgramData\h1.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
memory/340-48-0x0000000000000000-mapping.dmp

Download
memory/456-46-0x0000000000000000-mapping.dmp

Download
memory/864-159-0x0000000002190000-0x00000000021F0000-memory.dmp

Filesize
384KB

Download
memory/864-147-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/864-145-0x00000000000F0000-0x0000000000125000-memory.dmp

Filesize
212KB

Download
memory/864-144-0x000000006A400000-0x000000006A5A3000-memory.dmp

Filesize
1.6MB

Download
memory/864-141-0x0000000000000000-mapping.dmp

Download
memory/864-183-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/864-165-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/864-146-0x0000000002050000-0x00000000020C1000-memory.dmp

Filesize
452KB

Download
memory/864-153-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/1072-13-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download
memory/1128-118-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/1128-117-0x00000000020C0000-0x00000000020F5000-memory.dmp

Filesize
212KB

Download
memory/1128-74-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/1128-65-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/1128-73-0x0000000001C60000-0x0000000001C95000-memory.dmp

Filesize
212KB

Download
memory/1152-212-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1152-213-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/1240-126-0x0000000001B50000-0x0000000001B85000-memory.dmp

Filesize
212KB

Download
memory/1240-77-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/1240-78-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/1240-127-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/1276-82-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/1276-81-0x0000000002A00000-0x0000000002A35000-memory.dmp

Filesize
212KB

Download
memory/1276-125-0x0000000002C90000-0x0000000002CC5000-memory.dmp

Filesize
212KB

Download
memory/1276-128-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/1412-35-0x0000000000000000-mapping.dmp

Download
memory/1560-45-0x0000000000000000-mapping.dmp

Download
memory/1568-135-0x0000000001B80000-0x0000000001BB5000-memory.dmp

Filesize
212KB

Download
memory/1568-136-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/1568-8-0x0000000000000000-mapping.dmp

Download
memory/1568-9-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

Filesize
8KB

Download
memory/1568-88-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/1568-87-0x0000000000180000-0x00000000001B5000-memory.dmp

Filesize
212KB

Download
memory/1592-36-0x0000000000000000-mapping.dmp

Download
memory/1612-6-0x0000000000000000-mapping.dmp

Download
memory/1612-12-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/1696-37-0x0000000000000000-mapping.dmp

Download
memory/1924-132-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/1924-131-0x0000000002210000-0x000000000223C000-memory.dmp

Filesize
176KB

Download
memory/1924-3-0x00000000705A1000-0x00000000705A3000-memory.dmp

Filesize
8KB

Download
memory/1924-84-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/1924-83-0x0000000001F50000-0x0000000001F7C000-memory.dmp

Filesize
176KB

Download
memory/1924-10-0x0000000006390000-0x0000000006392000-memory.dmp

Filesize
8KB

Download
memory/1924-2-0x0000000072B21000-0x0000000072B24000-memory.dmp

Filesize
12KB

Download
memory/1924-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1984-47-0x0000000000000000-mapping.dmp

Download
memory/2008-92-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2008-63-0x00000000000E0000-0x0000000000115000-memory.dmp

Filesize
212KB

Download
memory/2008-64-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2008-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2008-71-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2008-60-0x0000000000000000-mapping.dmp

Download
memory/2008-86-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2008-76-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2008-80-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2012-43-0x0000000000000000-mapping.dmp

Download
memory/2052-116-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2052-124-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2052-211-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2052-138-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2052-121-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2052-134-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2052-104-0x0000000000000000-mapping.dmp

Download
memory/2052-108-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2052-109-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2056-25-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2056-15-0x0000000000000000-mapping.dmp

Download
memory/2056-19-0x000000006AC90000-0x000000006ACC5000-memory.dmp

Filesize
212KB

Download
memory/2056-16-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/2056-20-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2104-38-0x0000000000000000-mapping.dmp

Download
memory/2132-40-0x0000000000000000-mapping.dmp

Download
memory/2136-41-0x0000000000000000-mapping.dmp

Download
memory/2156-23-0x000000006A721000-0x000000006A723000-memory.dmp

Filesize
8KB

Download
memory/2156-27-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/2156-24-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/2156-21-0x0000000000000000-mapping.dmp

Download
memory/2188-42-0x0000000000000000-mapping.dmp

Download
memory/2224-197-0x0000000000000000-mapping.dmp

Download
memory/2276-199-0x0000000000000000-mapping.dmp

Download
memory/2292-53-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/2292-54-0x0000000000740000-0x00000000007B5000-memory.dmp

Filesize
468KB

Download
memory/2292-50-0x0000000000000000-mapping.dmp

Download
memory/2452-203-0x0000000000000000-mapping.dmp

Download
memory/2452-206-0x0000000000110000-0x0000000000145000-memory.dmp

Filesize
212KB

Download
memory/2452-207-0x0000000000230000-0x000000000024B000-memory.dmp

Filesize
108KB

Download
memory/2468-55-0x0000000000000000-mapping.dmp

Download
memory/2468-58-0x00000000000D0000-0x0000000000105000-memory.dmp

Filesize
212KB

Download
memory/2468-59-0x0000000002050000-0x000000000209A000-memory.dmp

Filesize
296KB

Download
memory/2688-26-0x0000000000000000-mapping.dmp

Download
memory/2780-95-0x0000000000000000-mapping.dmp

Download
memory/2780-96-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2780-103-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/2824-99-0x0000000000000000-mapping.dmp

Download
memory/2856-101-0x0000000000000000-mapping.dmp

Download
memory/2876-28-0x0000000000000000-mapping.dmp

Download
memory/2896-31-0x0000000000000000-mapping.dmp

Download
memory/3036-93-0x0000000001E60000-0x0000000001E95000-memory.dmp

Filesize
212KB

Download
memory/3036-94-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/3036-140-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/3036-139-0x0000000001EF0000-0x0000000001F25000-memory.dmp

Filesize
212KB

Download
memory/3036-34-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download