qakbot | 59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35

Analysis

max time kernel
1199s
max time network
1197s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22-04-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

userapi.dll
Size

167KB
MD5

ce75519a7d251a187dbd7e72b53b093a
SHA1

fa103591148ab8478a84ce25db28ece2e678bd02
SHA256

59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35
SHA512

d40da7049f41ddb6b2e6bb751405385256fd9465101ebcf7af8441f8ffa4733df8528ea6312ca6c3d7e57b1365c4c472215865b978f17ccd11deb13b8bdbf5c8
SSDEEP

3072:GeWBsy+tW4we6Ygz5vEEFV6Q+S19N+sqoi7geA7y9utB5t:GeWBsRE/dYw5FMkj+sNiTA7ptB

Score

10^/10

qakbot tchk08 1710958492 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 57 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4712-1-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-8-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-7-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-10-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/568-9-0x0000000180000000-0x000000018002F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-19-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-20-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-21-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-22-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-23-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-24-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-25-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-34-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-35-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-36-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-42-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-41-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-44-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-45-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-46-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-47-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-52-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-53-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-54-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-55-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-58-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-59-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-61-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-62-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-65-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-66-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-67-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-68-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-71-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-72-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-73-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-74-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-77-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-78-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-79-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-80-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-83-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-84-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-85-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-86-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-89-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-90-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-91-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-92-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-95-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-96-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-98-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-97-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-101-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-102-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-103-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5
behavioral3/memory/4712-104-0x0000025F382C0000-0x0000025F382EF000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2208 ipconfig.exe

pid	process
2208	ipconfig.exe

Modifies registry class 64 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = c4de7bf7e48b51e2e947bc5b13c83752968ce0f240cc076720a4e2808ac3a5c1db314edba14628f47d1bb0f50d953a7fbfcefcb1fba2aeb0a49f9ab727f8e5e717baaf6a08c92e1e0eba47a74b334353ea	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 05c34e9fa06b9b1e589af3506050f0ec4d9207fe15f76b7f214a459ae6edd7809603f3bb8f47f3289e2a124dbb5c6a37e01a52a95dcb2bb1a49acacd5289d236c9cc1be35f28024ad2e2f3c83a82333ff0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = 05bd7583726d21ff95d76e707b3e024006e9273366e5b4c99111322f20db36cec80cb7201b6aae330d114800f5a19002e5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 851f7bcfd85169eb0db363c67d8a74f20e62edd5a1845e84caf3a19537fa71f5bba479f8f34720d69c4f62293f9993f26da566ca19174347f7821eeca88b26c87235c0188c308e842aaf0978f4c1c01f96	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\b456079c = 845b9b0eefe47da47f37236e02eb045040a187cb7dfa79abfadc8a76f5e05c14720776b8d690e24e504ccc40f3c7dfc4cf68a6c86262bb3872b9b57d07ddab1bb5bd39f13f1860088cb3ab98f447610fc0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\dce07902 = 04ab864b8a6c65e4a76534aaadf030e4ed54ad09361343035d86590448c75694a62269d0d99adc8ac6842dc8f8f963a08cab68f4b70e6a9ce8f371faea9e7e753aa2b6d1aecc3a11df44ef10c971797c1f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 670a05b0556994fb9a531f9e6f7d644ceed3132449f96de2237ae8f43a2b42b8550c651ae05319033ff8cd6c330f289e191e8a070b0e710a07dd2ebe04fdacd5c211821828c5123730d966567b341774ad	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = 878c4c24ed994b6fbc407f5a1f15fc763f6ba8ae95fe79b029064dc3259d0d151c58ce497305d6721e234cf56ff71d088d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = a4000cce39aba912b0cc856f8abefe29b575c953ffb6fa5b05dfe66c5394e961791d23047dc8a0d5210913509c9caa03f9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = 07a169d53adaa568bdae9b45941d50086034f38f81ec162f7e9300ef2bb88f83812f43de8f737e92f81c65f43166c3b484	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 0749617411783e454366d5303b9e2295e5037b2d68e274f0f9f9a4bd9004cec8602b2a60c81ead07250519ee91afe74dd1912172a5d0036e4002333a78f4900711d62cbcab2f74f75ba22e8dfddd96970a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\dce07902 = a42239fcd0c62053ef81c184b2bb9a5b18efb14e97aef528bf110bf4dbb49d5821a9f8c286cb61055edce3caa3f989fca2dacf1b044872125d9d2c86b3fd9d7e38a611eec1369059898c96a99efab1197b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = 249b8588c33b881b1472bcb2d04150e254f035b05d56d7250179012cdfd65330fb2410b1eee3c8db8f77586d74bd2e8fb505d2c51f29e7d2877d136f581ec04a269bdfa6d448c8fd5d5330eab2b735cecb5bc4fdf952e02962cf44c700f4884553	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = c67d35202bcb39304dd1a58bad8be3b8814e0ce9c5caa0e52f781c5827c105f0c673c58c0d7d5848038727a5658dd544fa99b57c611b786f4b5b650a22dbf6aa20d1fde5e5562dad8dd4ee8867f2f5c84a0f4a727cdbc4bd181e6b0b07f3bbdae9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = c4ebe8034f82a47cddc58ed3e0fee957afa0e1c62645f1b3e7b41f64adf378ed055874e079c9c0d6e6614b6f3c4580e28d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 864a809640724fffc2ae21259896915e83293d074f801bd7e6481bd26228e8e561b85c109f8b713405166e7ccab58ed41366eea6f8621fc550c037a7f57cf135737a14d2cb4fb9cb9ecda247531662622f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 46deca412c779ca62510a92c148dcc24c48cc1fad84838335a3d130b82fcd757204e084e5a549471a86c9630e0f098683d206eb4d3eb49829ebbaebf4e7daa1d6815b7185308fc5b10f927f61d4b81a2d0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\b456079c = a5ffb84f6ea85cea19b480bacdd2f272a29fe2002af474b7e99f33650c183d104147ee9e47be213ddca6a5a4db41d0ace2b9866a32e28b514808b88f9b947a69b428909af2056dec1cb9d820a597652013	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\aa9e4130 = 469d4f14a708628fa7db23ad44505ff9527d3f3fa6bdcd017b3b0f5906b5b17b1a0fe36a675d72e38877c150ffeb27a754b495536158b08cc62a391c05b23bdd629c5c8778f0e86ad397fee45e76ff106d58608d6f859521a0bfa46133327aa8c1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 45c41d3dac30915386c0dac7b3eafa9ff3a50acb3698a47ad1c8d92132cb8825b4a0c246b229d6e0a99b2ee10ce5d8e90ec8e973f7f042c8f2ee62fb681a74d482628c9f600a358c5fdb3c88e6f3edac55	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 64eed3a789bd172c1f742917be4963e0f2b61c4209909225ec31c9e402cb933bd23288f12272ffe65e5a68384f017e8ff199e075883b235b474d89f591b401674785627f7007307c61c6dabf152db233fb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = 2545213e286f7bef6e910ea02bf39c1ea09001e55822d9cbd9f24cdfd7d2341d91e0c18b915fa89bec2910de378be48e16bc4cd108291c9d33cb6affd466f4dd1e53bf88f0d3e6fabd0c4ca0fc88990d17a925371862721bdcb46c7b5ee6966945	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\b456079c = e43e2ad836c6122d757ee625558f9a88538fc6bd43851eae221fe6d1c3c9e5b24de02acd0caebd6b159546ebcfad169037fbc0cdb54d0b5195f83737ba6872dfb2f2eaef9e22ea9ae3024e61712cd66078	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = 04d04ad04af4199c38a014c523cecf2a8647dc7d784742a15afcb8b43fa3545bbb9449fde2aa98cd1fc68fed2cc046ecf5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\dce07902 = 65aca9605142b69bf203e4a91c3883a5afb893874d2c65a1acd1c792046d957841df8200acd2349d5b5dff45f3eb576c39fabf4c25cdb5a9929e98c395d651df95044d3fa237e777c642c89d0bca488860	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = 47ce47c8320e65f66b88bc377c5a294cd3afdd79f89b8b80a333b051702fad4a5a5dcb2ba28a73cb2cef87047fc3bab306	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = c5deb5771b02c47f67de832a76750c02b7c2bf56f01dbcbfcc7e1bcac16c02021329c9bc5e904a480c1f164a4a6f7ec3175379bc52099e627cf0e8d857953ad9377c1ff83255dd71b93e35078b101d4c842c1497403c317a2d5d9dc1b99114cd5c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = a6666a4b210639b3829c0795873bfff12b32912e06415cb38f67da3c18bbea5f51d4b1a9b4e7c5c71c319141d2cfefbdd6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = 8720a3d81b3ea70dc8d57e95701cbad7f2f16870381b958d1b2f68f94a8ebcb57067e2a2017ca23765525e7ecee5b714463f07a66157637af0f78e61161e1fe2e72f7aa1641a52db1ef7a13c2b2d0b76d65d1a7b6925e56eb07758da32c563bf72	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\dce07902 = 476ff94cb68c3728ec3fae2f621d0594041210ba7fdfc19d441e2d93ccda96547a9bb6adab0e050f6dd9c4701c117e939affb986c6502ac33aee819299dbe5a050a5554c641b41e68e4e9003f71351bd13	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\dce07902 = 05aa1feab7c9aea4aa0b2ece936c28ea39ef14e2dc9fd4c77d1b1167ae4c4ca5afe1ab076be5833d76417ee3646845a40b62582f114667b22ba72c524f7e978b769e3fe9a43eb718a8e5d54f0773fe36eb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = e6e1deb272e2158488705c092393ef8e4cd165f60cb60c62431e399ba1fbe096463d18412f7819e8eabade8babea0005ff14d3a922cb7b84dd74d7c35ed850b991b93469ddd2d43d9034a66bc6770ec8b31f262769031c1fad4b97d412bfaa12d8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = 647d60343b4a0df8606716c874ae49cd7196f2d4f7688472be9ac52198abb185d1ccc065cf9e097d6014fd132e35137de5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = 078bba850ba079b185028ff472237ea660372ed95bb33f7e94507974ca7fd65ac717a6b7190012d980a1d38f3ca8328d894165c3dab35f9a6a9e9f939e2d06f50be44eea227d15aab63d234b66223ae455243e5612cad00f6a5db60a6a71f9e1ca	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = 64fc14df986469bd80a5e7aa77bc18198b441a6fb45759bb33fd3c73f219c11e4447a6115f4e7cb0b4fd90372d4e27ad0076f365e9a406dd97debac06b0134232243aa18e24009f5feb8638db8d1057eb66463bee0bb3535dff750b9e00bc2cd42	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 05a2bfc19b75de19298087492d42b7bcc0321b0ba091f1758b07d1b6f4b77ede6079100348e29ff67d9f1e6a6da957f4c4ba05c9933469e8ae715f23e0e2d95e7af1dfc4a3368a6efb1b70cd210ebbcf58	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\b456079c = 278984a400c5218104ff813ba3444803bedf81be5bde8ec2b90d77ec64f0f87ed73ae1fd8f8f1cacc98c738e3999a837fd462a17946bf2c7c7b2cd958ca5afce8e7521b3f6d104621168fb44184b570c54	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\b456079c = 6488e5e59bde3372e6dcbfdc8479914b5bd14c896f99d0286ce6090368ea23c9f48e92bf5a9e8a555269da91c689236dd1170f66e017cdb776f8afad947e575ff213508cf235f76261d69eeeaac046d37b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\dce07902 = c4a9ea8e869b85aa0a6db3be145c321e78699f7ac5fe493f937cc920255fb4cc8412baf4a0727cc10650e1867bc1ceccb5da9d485251ffac22a2cf969dde847c90c3b971d5fe75590aa9f9d4628b6b6c84	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = 046f0e983e558af2b01a8e26e684cd29d26e04e0da12c29dc719965988394d2d8e2aaf1994b4d379072db0526962be3c66061ebfdc4d3308a6543dee374b8c98a4add783a49c69ea1f19fbd11a0b0a08c9bd6ee28fa8700e723a4b9dd37ee115f6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\dce07902 = c58fd16955bb9761bfd6fee77bd693eba91a92b71df484e106a83ea18f52f9cab314ce7f73f557eca8d5441944c5a806e1953e1c02e285e8ce1201f72a9658f4546828e853d2046bebcac37d103179af2f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\b456079c = 4660f77af6195a67a65806c6f6790991f2e8f9ceacdacaae1249264d0b7b1fd3252d010a68fa8338577b07d3d86584eb5aebe8dd1915c1eb48ed443fb37fb8a2c0e798af705839e440e8f6ccb4fcac39e1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = e4db7373392c5b18afa8dada685880445a78858be4cb8f88983ded2969f6acc0014ea00562a16140edcacc52cba91d148a71dbd5d438e07e4ae9d04411180fdca6ff9b5eeb8aa9d802ef9904e34a741b0716ea65aaed9f89c662759e51c9682157	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 0625862130445ce98c14ba5294bab80d2c63271fa7db71b0b5af6cdd56b7ecd8faae35329a926a3016ec084e8e47b6c70f38af697a09ffbd327b07be791b3da760818f180f2581b8fac8c79df1570ab29c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\b456079c = 2446ce3cc3c78d391315a35c56503029c501c0a66675bde32f5868e2a170905d7778bb4139ac48545f32b9402c7235ee2a45a8d61ce6b54a43f7005fbb782cf9158494aab34c549ca480bedda2ea86a918	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = 8757c00ac69e2ef9440876cfab77b9c7758c38308a05041d6a9cdd28f3b9a62217457fb155e2d8623ce5733413de57ade1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = 069668e551033452f6cb0c0ffaa83386316bd3c34416dc7ac32d6b7026dc30bfd98b7d2863b42d0f2a7e0275b5e55531d5f632c61afe836ada870b82bfb535434551d188a8a28203ac7ad6d9e6f71d98d2fed6180da6ed8b614e7c301b2676ca99	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = 646311ca464131d5d92293d245b232f8b4c60394e0638af3fddec92322d0b741789034088ce0b7c2e6f75b9f4f5d1d04378ec895d255366dcd4ea713f186ac8268cda9a31b948da79ea99649c30f4c0c1ab7b21457d1debe2b2f4a63b5ec775d4a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 45fccb861e5c3a209fcf61524f5df8dbe963145c703c80859b594e6322d05147daa320722976098ce88b27c0372e2551ca713e8f6ef639a69226f81cc649e5217fb30af7a1ba74930ec5887033fc978995	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = e7d009a22ba3bcabfe56ef744ed51b282c5a4fd6102616be8099f3cd8e8c2ca2defe70641842cbf1db03efabb1b6a9d13b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = 868a3639c6136d0408d46cebb97a3efd7095c7df5cfb1becbf4c977eb5f552b37843040f75dd768d1b92a82915a8435e29	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = 07b47b9f732dc28731987f769b2fdb921b2e51a5c14bc3efad566dec58a16b1e97d079d4e5e61093653cd86a0f421fdbc2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = a6d68295507d9059191958bab2b66c01702fddb08a77214a220a8752f3df702fd22b9a7d73ceb3740cf84ad0e55de02253bb13b9aee60d6be5a4571c36e3d9326514225d344f903b90ae724b90f6a3e949	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = a4442e11c77a4c01830785bc29b84f86ebbee48d4a48f695c39a0f0f375f2f0b070c060750c73beda85f2d61755a6e63ee19626c48db3088cf51409fd7229cedca241105de9c354d65d43afb0286082898	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\b456079c = 8745d073dd983d728e433f218c2d3388162fcc4fd5201fc474409e33610b5f618ac59f3b91139dd6ad23772f09dbb28433a087a7fda272acee1edd1006445fc9c10ef68c0c4ed8538135f49f2a78fc184e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\4d2065ca = e4371b2eeb36a56ed55a3488f73e73a817cf9431a4f2b71f979326bb0f79d4ed5c3b41b5db057b835b0bcd1a0cdf8dead0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = c7b380dedd5bda052c1579fe2fb690c55601618b70581c8cc0b2c321717279de20ab9d19880f0d407c1cee1b3b2c2cd5ba42d54f72c6e2559c783aa168e89bc9d52e708202d01d035eebbfde2e0f4e2a8c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = e752ab7a83097bcb807eb9a906d5cc110a22c51ece24b651e2a19f4a9d550e20e556f64280460b6f7bc3bb11ebae61772f671eda92aa469504b0d2e7ed282ee7b5fef0b2775c1fed77c89b5cf5a9dd2a6dda3bdcb355e90eb6d87bf75702cd4026	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\b456079c = 65b9dc63bdf4d5a954402d9a51c876a6b60af8ef325dacd42198cf6a2e8ced24d4618f02918471a833e060b7cfa2c408fcfd7a6659ac6ee5572112b47ad8f81a60733b4c839962c9cd685f9ed721d89856	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = 85f95f4f16af252b30728ef2c5fb14ddefab9663e9b054ab2454b156b52cff67d59bd5b4d7ed88b3f7a9fd0dd7e110ab7002d1d2648e7db6cb13a08f684a80cb5d31eca0fbe346879fe6a8782ee27f724a29291d666a8ff06737d38145766f3a37	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = e71207ed14b29955e6c4e2ceb3abc1fc1ddccdbe133a953fac1d50eb4611a82fb4310ae11ab545cf52e06ec1855fbafcaa3f002a3a1603774d579f198aa546617695e3fc2159bb63f0b86d315028bb54dba01f75d1da079483bf1c0135a50ac700	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\ab191cb7 = 64dc7ffed29ea5dc426d8f3989c1eaa0acf50918e5e653fc98b8dfd8c1c3205afba7972dd1ca0b2d46b1f6e79d3158bd77f119a5550a1fd069b6b95e45ed96836c127bd165e8c62b5e946878c81bd4e28b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\odyowoikuxtgo\526f7ee1 = e7e374a098cac3f03b3e3c64c7d2dd22ef8239f53f0c2162a195a400cc6210d01da8dc3ce12be29972fb013586b3afcbd0ead5ca5bccfe5fad8a48e301905115ad883a0e2d7192d01cda5ef2755d416575f3c4bd45b9d873c0e1dffb79094943d7	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
568	rundll32.exe
568	rundll32.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

whoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeDebugPrivilege	728	whoami.exe
Token: SeSecurityPrivilege	3180	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exewermgr.exe

description	pid	process	target process
PID 568 wrote to memory of 4712	568	rundll32.exe	wermgr.exe
PID 568 wrote to memory of 4712	568	rundll32.exe	wermgr.exe
PID 568 wrote to memory of 4712	568	rundll32.exe	wermgr.exe
PID 568 wrote to memory of 4712	568	rundll32.exe	wermgr.exe
PID 568 wrote to memory of 4712	568	rundll32.exe	wermgr.exe
PID 4712 wrote to memory of 2208	4712	wermgr.exe	ipconfig.exe
PID 4712 wrote to memory of 2208	4712	wermgr.exe	ipconfig.exe
PID 4712 wrote to memory of 728	4712	wermgr.exe	whoami.exe
PID 4712 wrote to memory of 728	4712	wermgr.exe	whoami.exe
PID 4712 wrote to memory of 236	4712	wermgr.exe	nltest.exe
PID 4712 wrote to memory of 236	4712	wermgr.exe	nltest.exe
PID 4712 wrote to memory of 3168	4712	wermgr.exe	qwinsta.exe
PID 4712 wrote to memory of 3168	4712	wermgr.exe	qwinsta.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\userapi.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\System32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:2208

C:\Windows\System32\whoami.exe
whoami /all
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\System32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:236

C:\Windows\System32\qwinsta.exe
qwinsta
3⤵
PID:3168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3180

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/568-9-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/4712-0-0x0000025F382F0000-0x0000025F382F2000-memory.dmp

Filesize
8KB

Download
memory/4712-1-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-8-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-7-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-10-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-19-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-20-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-21-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-22-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-23-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-24-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-25-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-34-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-35-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-36-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-42-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-41-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-44-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-45-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-46-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-47-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-52-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-53-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-54-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-55-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-58-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-59-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-61-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-62-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-65-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-66-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-67-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-68-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-71-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-72-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-73-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-74-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-77-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-78-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-79-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-80-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-83-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-84-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-85-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-86-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-89-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-90-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-91-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-92-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-95-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-96-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-98-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-97-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-101-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-102-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-103-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download
memory/4712-104-0x0000025F382C0000-0x0000025F382EF000-memory.dmp

Filesize
188KB

Download