qakbot | 59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35

Analysis

max time kernel
1199s
max time network
1200s
platform
windows10-1703_x64
resource
win10-20240404-en
submitted
24-04-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

userapi.dll
Size

167KB
MD5

ce75519a7d251a187dbd7e72b53b093a
SHA1

fa103591148ab8478a84ce25db28ece2e678bd02
SHA256

59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35
SHA512

d40da7049f41ddb6b2e6bb751405385256fd9465101ebcf7af8441f8ffa4733df8528ea6312ca6c3d7e57b1365c4c472215865b978f17ccd11deb13b8bdbf5c8
SSDEEP

3072:GeWBsy+tW4we6Ygz5vEEFV6Q+S19N+sqoi7geA7y9utB5t:GeWBsRE/dYw5FMkj+sNiTA7ptB

Score

10^/10

qakbot tchk08 1710958492 banker discovery stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 51 IoCs

resource	yara_rule
behavioral2/memory/4072-1-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-8-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-7-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-10-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/3016-9-0x0000000180000000-0x000000018002F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-21-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-22-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-23-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-25-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-24-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-26-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-27-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-28-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-31-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-32-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-34-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-35-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-36-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-37-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-39-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-40-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-41-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-42-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-43-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-44-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-45-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-47-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-48-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-49-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-50-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-51-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-52-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-53-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-54-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-55-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-56-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-57-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-58-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-59-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-60-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-62-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-64-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-66-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-67-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-68-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-69-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-71-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-70-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-74-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-75-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4072-76-0x000002408E5B0000-0x000002408E5DF000-memory.dmp	family_qakbot_v5

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Domain Trust Discovery 1 TTPs
Attempt gathering information on domain trust relationships.
discovery

Domain Trust Discovery
T1482
Permission Groups Discovery: Domain Groups 1 TTPs
Attempt to find domain-level groups and permission settings.
discovery

Domain Groups
T1069.002

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2748	ipconfig.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 05b2abdf934723498bd2facb19982c66254db44a140828a85b681f6652ae9dcf3c7f681b1e90ceca9d870a7acdd9352f222325d9284fcd748064de1d43abbcd589d285e68696b00360e4e294c8d8ac5afec9dc2fb47578e48985b8b9b80923ba5d2bb9992f3f0bc28ddfeaa82be2d5fa04ccb5d0c620fddcf0bdba068f9496a218bccf61a8d0968645bf098b7a345fc099	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\8682c42c = a77583db28d14c62ea8cf0454fc5a359a851362865f553d5d956bbda3e1894d0eafe6fbf0c0ed6d04c1c513578c0db23341f926f2b1546c796a71dcab43ad9394d90253e90804d09fd81de604a2eba0676141008e25414c3ed7cb67088194ac391e64585da3effad8fcaba36b15629bbde	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = e7eccb4384acf82718605c8a5be12db804fa0f4794948cc6c914a4ab74874cb3bf0599fd6ef2e1de122a9d6adf30fe2ed8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\7ff4a67a = 4668e99515287ddcbe9fbed964d6a473dca66061c52a4549e8f55e4c65be3a68fb55a4d726962e399ac29d2640dca7be4ad35f30f77ab0f3e85770a315341936fe	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = c47301e10b10f99187934ff75810a4229698f550bbc5eaa6ceb16b80fb09a11a68fedc67c43cb457188df7de92b851452346d5fb4967ddfcd2ce951ad28c4b4aff7da80de9ab215d9f0e875bbb33859869bf5d2d4a5a401439019421fe16be6fa4775cc5b3c12c09ba5cc94152fff836da0d3b974f8be08f14a55f5ae14b09e331	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = 44c29c1a32b12423b75867e360c8896ccc25684248edaf74f6acead21a2ff2d65fbc0da6ac342f59f92e3bb76ab94dc8fe3375b569f6d5cb053eb9d7d5d36854ff4de47c73c935b9cf2048554dc05c7b06bf8095e509297a5a0834fe89dbc2d138a066d65af28fe943ba549ccf0604c1f1f5e4f044f82a6a6a1b0971785ad5253a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = c5a87cb14630a37672c024cb2ed43c970ed3116f0696ce78428a6c7b7a9966de057caf6f272e0a7bde408b3fe20e02ac83e2d53975b4bf91e2acda5fbbeea8d51102d7eab6098af0ce737a6ba90132036faa77276546907acd7584b774e933a7b613c6d0378f8c0c61e4a01e15bf10ab0aba25e3432bf3577739ff473d26d8c67042e9b97005567251cf77c6c489dc7439	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\8682c42c = c47a8840c2ede1a2b2425444ed98d5ca8120b60e514d80375624c602facea0620227c2a406273da04383d78a9d1ea54fb14ea4619ddec2a5fdd17fb31a00ff5be3e0ff2c3875937f3266a00b52c8b86b15aca3513df9d309474c55ffce962b806d5381cb530745001de0691022f5183408	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 245fc93fa113726df4fd907f013ec8fc807a6f63ac11fd8916325bfd3dbff680eb3e5c62f901ba30c1785ef78b8312f7637125d6e767ab2e7bf997d99a84cff1807ebfb20ce144f1051b14c49b44f714f31feade730b79f804f1488f3698cec44d2066010a5f501b46041e066171f5798e3f842554b26cd460cf3f3838be47215c311f06ce6a6dda7d870478a613ca093a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = a730bc39ecbb2bd8b7df460a64277d3341e882d531c2725a7637c107631cde93b7e32cd0d93df61001918959af71bfd7dfd462b40bff28e6a4c4a5130fe8e61abb0519da666772652c863919dcc0c4bdec1b8a19068494b19b260956ec3e5615758ba418247f8858ee97bde4c44539856c1af064bd0dbce1962a64b73c7cdd8a5a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\8682c42c = 6603a976508950d6e14118b7cf5458d43dc294acc3e528e7037a1dc6d1aced99c162b72807ab40d23f9001003756939949a927b2406043c0049d97f31b6413beb38c3fed78db507f1fbdc0a8bb663900b87f106773da7c2a544b4b0c1cee24d5bd07b68858feff96483e1173310fa63987	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = 476278cbc2ebb8fc885035ed8fec5ce39bb3b3dda717b6a6fe4c108acb48d1203f51e64f001fc14737df4f1e6fc6db76566e8c62f07d84dc8199ac244ac3b539a1a02e9d931598721f3f8bbba174d33483e010c4fe6a4348edbc24875b6971e99bfea91ea74a47010ee35c52d70e932337b30ae8323e8b0a4b3c767ea00cfca373	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = 66001062bfbc79ecf9a2ad4a9608d1eadf4a11e0ff6fc87acf1ccac7db7b1dc4a8851f2adaf4c2ea0c9e7641973d7d8eda	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\7ff4a67a = 67ee13a2e364c0d952a89e04a2523af8fa5723d59384cd3feb61a00a46fddcdd1d0251626482989e812f86e02d3cf0299211111f45e8a7753695a513ea29ebb671	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = c70dd295132b2efff0f74e8a12d4511a8d2c4c9743a330b8c28bf183d90dbf96b2fd27a2c58c5ad58bd8a1f1c6b032950e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\8682c42c = 0726ec742e0c62919c0e50d58306c471c0c90b97b2fd032b3b64685bcfd40dd4fc08147269437583ef2a23003f6d9e4242a92d01a2694cae6790f7e4e93131effcab0a25b76a424bcb6fb768060b1b4cd01c82ab84dcbdbb9b7a26fb76d03ce3f6fa966ad5acf84c745bfe56e98118d577	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = a4c51c82f9e8b25e88e5641c70214c120c05307d3134ed02c80f0448bfd8d85a8e5e62a5024319727c1d11ff5fc18c556f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = c430dec878b102539f694348bbee178697de908cbb2a687b6a0912c38b89deb88db8ca023c41a7e1f43b2859fad8103c6864aec1bc72812b199270d4327d3aa240d7805b3bd7893445afbfd500eb8fa4ce6a101d0bd07c1d35f1caaa98f28dc0103df1d79c2bf7aa4a981db82a537268e42db21329c7ef04c5eade3f6eb0ae967c278cad78b9fdf59237bb75daa611e0f4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 677283ac50a4d920ee1edc2d730dc11319ab814337398cd772920315ae08f3dc85cb88aa0375a0205c9758dc35aa743e7ec385d23e0f1a0af861d31014d060a6e0dd29194bd43d5a69455a1723b51e73d5f0ff73f0eac6e44d3893193966072bbfe339cb7b2a798eda20a09db7f5befc0026d2f173156ee23579f52d12d1d395aa6e42f1bb3bb1803b81339c8361a63c63	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 2630e5a6dfb26af5c56b3cb11ecbb7bdfdc9e71dabfc9c3655260fe7ead147f23a48dcc56442bf41a8076ecaabbcfb35d6dbbf52dab23b3647a2f3142d7531909a5ade3abd0df796fe92acc177142c13790eeececa86b78fb9edaee21014335fbdf49e8b5f83b7a7591640ed573ac204ff50cf7aba37dea15a67a68cfd5a7a0d0583724d3f74a0768323055b4e5906450a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 67ab75038b6c80fe184f2b8a8e25f10ef14e68ddf96ab83b12c154cdc68cdf15999f21f88b505481450a51f73e16cc9ed9451fb473e5ed1e51a6ab9b97767499cd521a841a876015db9c69f09c246e27309b106ea723c3b9e156b37bd8d5b43c07d904b6123cfe7d13b8e65fe9a472e3da7553b63954ccc679b1a69bfe11940bfd060780548abc23562017bdce6229f0bc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\7ff4a67a = 8677cd04e1803ae404dfc20e351be9b7fd654046ee419f557c3beb4e7361afb1351c853403382849424575d5735bdfcaa62d54fc3e7c9021d7e78d11bac3d471cc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\8682c42c = 262b0bba04506411de3f24659fe2c0749d03e4a85e442ebb81364d3d3460a7f48812d8d68a67dca3bfea0fb278165ffa50bd0c91435f68ceaac34713a6e181e2ce01b046d91e62d8d34c677ef87ed1ed363028f58c26eeb5de40578122939152d60b93e85903bd4ca93d495970455fe631	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = 670b21762cf2491cabd4d06b33c7494d50b2feb7978075adef12a4b7f53e0bf5d7b6dd64c85ab4c75bb361982381b335fb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\8682c42c = 8594d80d6dcaf8b61f834ae929e30d301fefbb1207e7e4a24e45a4c5361d3f8444643137e118218e0a1665b996ba300681df25cdf56873eda477e5f75c688a73785dbe73c056aa6d0e7f58064183b603547515caff993123762632cb7eb2c1832f18083e7f599184414a2d4920c66e9397	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = a7a668ffcdb008d80a036e31105220acb372debd65831f2caaad5ab375d7a669803df50bc3936386f964cb322f1467eada562dcfdbe14275d5dfccbeb7b2a81f97c8581c3d6bff689533e791bbdeb19c7d2258de7194064712bffb655f67b5c784a75972e407d5692f5d3772c4e09c54bf3b8428ab2f52d71271ec18361067e0c77c57fc261f37eaa041f02794bdcffc28	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = a507e70c216beecdc92afd1206b19bb83d262224a9b1021f9d540f6da88d7f7f5d3a410bf41566b61228334bc87528bf73a202c13c1089a4ede3f30ce18fb102364fb67218d359986fc7832d5023f63d4cd2dc5a6fdb9bd9351ee053b80382f0e1d421cc937c9f94bddfd34c4ac80ef8ef2539b3341fe0f4984365ede3b7bec258	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\7ff4a67a = e7ad0a126326d37c5b5a002a6f1ec3450c84e046d9e9e397b2b8b136098a509a09523da69819a430b3b84d7df9de4a279b609511146da9a0d695497f47929982f5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 458a0fd088023ed30519516e429ae5ed0e829a37caa332ed2f5c7dfcf2ccf8c2fccf2efc81627716508c3372e7b1f351a3bc9ea31227a455a403c9b3d134984cd2412e3e1b2718b0d70a22e75adc90c38752d9f8fb3ddb7b6d9f40220f545078e42c33d7ff835d7d1b8c5fc186d2c32039a66aa6779343c907c83cd16b44743600d6fe96d3d5003f7e909df210a0eef3d3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 053d800bcbded3eab4b870362ff8f14757e919950afea77e8007233cdc6a4b77902e2487f9788b76d9354eb28d4f8fb0091ea1a1fb499091a3ef24bf92d3d1dd86093dd58905990da914a9529cd063deffb94690e8128002420dc61c94bdefe894602c408c4d3773d545393fd9fcd7367cbd5ca29fa88179a3159a06aeee2b264b275b0d49b666ee99834a0c5c1b484d99	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = c42cd2aea4de0449b0430de1e0bd936b465410fdba36acf6820d7044f5d64fb21b9ad703652beb5fd89143ba45ec4701e0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = a75b1f399e53ec683a37b792959775f020dd685acd67e601f443764dc25b6e4812b060fc98608f6ed2fb529cac813e9f38	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\7ff4a67a = 67b32dd9bdfce429b60b9d8840c2fe562304af7072bb3aed31c552b16b72316a35786905398e58e45ffc9b40595ddc92e49f168dcc40e2b8c97af4fb1fd29cf060	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\8682c42c = 24cb9f5929bff1e9da512e70ef4bf98aac9ee31d064c86e3b66264c3ee917a29fed5bf7d1fc20a94fdf698d584262b54bd8bb1511c7d11b89c70eb427f95e852827f4a23d2976225a491475e834d12ad011c9543b4c31c895db6be2fe3b9f2dcab78c126c5f6d8d52148ccca8b216f40aa	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = 87691bc8cd83adf7e97ebba3ce81fa96b91becf449da445848411477d8d0f45aaa3c92ee3984e57e5b9c7e0f0c03fb0ab63b744c8d6816dfb9b3ca3957536987617670293a1711354413fdb2952b3ce6b3f898cc6b01c9c5a8706b8f6e2facb475aca719954237f3ef8688c26052e26405a8f06d39583ce384d7881943a2f24ea5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = a682940014eb80f3766fb7083045c0b2b49e6b67ccb2d504b95bbcfb3fb5027465bc4651fb3e520b4f287cce3977c2f8de6198ad0856ac596ad2b3af72f70eb2bb4b2ae5a561a3bff8030cd805a491a46457c701839f003c34be87ead22c79c0e19ccb6e6316c5f5d81066965c479025abd16c37bc191027bfdc1de3068029d4da	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = 843135aa9ccd2ab418b86adbccdc0d8059f1a4fd1e5d4be3a71d875930603515ee050611bd7779135ad6544f89ac391d68e1316651f55e2893363c3f09e7db3906219e1e805a8eeca98ac5d3b3116a27f4982cdf2811cecc5bfa6ffec5ba4dc9dc150092e22a87168edeb55213c5983b81f8ae3d16011d61f33c6d1eef96eb49c1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = e46cef52b92eb0385dfc416e21a5d7c7ced92b76826d904fe9fc616d6dc8af5c97f1e78617a6d2016bcfa172dda05c7892	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = 864e943075741bb52fd44a540c0191dbe5770b8e204923854d6d0266bb7932c190d4aa02ac5fab707905b7205de7d7550d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 6795cfbc8a448f98bce8ca27ae07eb8038da70ccb83dc7f3efd40358fdb9537e324d6173db2cff55e167a82ebf827c4c38bfc23575ee7bd7b154685d1c5446495a1e6412e8bcfa933fa54a48f9868951065deef66bcd5c1f94902f052e1a1cced23475dcc34353c5a49642b09d76aece95b171592914b14b6d509607ce44fc8eabf9748e95178bc3a9b18f9a05eaf418e0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = a761ec490e3a0e1e3ddd3baced3742bf92e91aae8c7c7a1f630ed601c80d8e19bd3f0df08617ca4b795d0ba1b8c52b239d19316b34ffc0d5e2377f4398c08b2d2bb947efe8d271e129022af631cb5999f8674d5067ec7a9d53e94f6e9e3cbadc37fe8ef1713fecd505f3297f7bb240eb053a6a8b00072450d603a3b8ed7dc9003bb39fabac0a7755393aa1b48b4e81042b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\7ff4a67a = 27160db4a33f5ddb11c472a87320a16ac94d61a88856570f453e0906c979f2fd537affb39da783f2b8c362ce369a62a098c2b172ce4f661c58f6f77f3d2640ead9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = c7024cbd5d06b7eb2d93c8810fc7d849f8acf204d10cf5805509bdb70c0db88db8c45aced89d71a3e5afbf91009eb289a4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\8682c42c = e4f1834f7b1fd5a8c1955bc33f0c49df958bd5800a8c2196c32cd874537cebccbcda5649d613fa6b5d82dadf8ad8eff34a83a451711ffdd72d93eb9763597e75724a3579e21f1490120e2724e57391de8b4cb2cd86ef2a51c4042908272dedbf84b34f57b4d55da0932154665358bc90ac	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 27f7e101f8bd4565fb20fe6b8206b79d411bae8e9236ca637e44352deaa0dc0c1ce4220fd5e96cfcb30e86019a32160a4b06934455db9d8285156e4739c50bd865d851877be5d88aee1a7eb6bf87124ec6d6b9be8e43d43a49ffaa3b6eadaa4f5123bcaf5e09bae12e5127a604509db7a868baf46e3466f75a9080b5080a1fa37c201c738306167f0057881a2634bd8842	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = e62c26dc62f89872145f1e667af35e3cf2e47278e499065fbd3b81530226798966609c9bc01d95629c808e356529f5048e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 268329e0a7d3a70486ba45695579a0a5706595e2f9cc6ec6980a1ecbc1c83e1e20051320ca2642510dbea02adf7acb0d0500e843f9b8ab789aed57ba70825de4a9222677f57f866a6b7aedd9e445cbc1d380b6a1903d9d5505b39009e8639dbf38e513dbb87631b01a537509d26ed2131d0ee48b88acc16840c6a18ff2a8397dffc27153abcd914df167408cda11d2b66d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 86ef0363f4a9e784bb07156d463d2106a57a6c7c8335076170d0c3ea48357a1503512d13388aa8112a7a845b749c1d77cca8f5eb3a8bb908af79289762cd1665b0b9d7c9c27adcd46d6e2df15912dc01bad1ac2930034fb47fbb4361ec6e74abf1fd5302d404eb9396fe0735e319db6aac77907e671e3a90fff14af43732d4e0fc746848ec4af6af90d67453cacc56e909	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = a5218b3012e0ca6e4e47b9b223a7af0581a32c5db254b3eeab127a7eca7a474d691fd71d1e922815b7b901e7efff207ead	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\7ff4a67a = 044733bfbbd9fcab2d3aa65da5710c499a0fa2733cf0de9d5e4cf113a433a094bfe7ccfee39b615951ce317fecb306d874d483084fc6f7a5da3f0c719916bcc498	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 26877d19500e9d3db2d2223d0a6f4baadc519a96640310a75f0addd1b96367ec851b297a367dece67b2e5dc4a5eba6591e6739e0e95e7f8d315c909f9c5121d01a52efaaf6500c87e25d9049cf24a9b128a04ed84b86f959c014afa341c34af5a9ef8f69d84d6e9f0d3eeebf69853f8396c953ad6d812db35a1cd6eeeb49cb7261cedbf9b4d1f55fb361bab29cead42612	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = 64faa39efd4e242ea092790c086a1955b4fe8bd99935289fe360111de6ab02f938c7b90dce391897a830393df03bd292a562f0c009475213ed7ecf6230fb9e4bfc3a98b712ba2f1340e532529960f83736094b83c8e1536daf9ea00a50e7e53d978b237c28e9b521fa08099ced321c1ca5027113e25be96e02dc481d14b80e248a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\7ff4a67a = 47f13b651176ac4833db2eafea0b463152f6132ab7bbf9ba69361c50b2d5779ef82ef567415bac9a818dc4153165952162abb8c15128cc8276f514d5d96fb3edab	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 273bb84484b77d0f57ad84057cd0104887a3ef98e77fa4c344e772fccc3ef59b0a93c5a4f6ea61c5d2b42cf1aaf2aa1d58615d693b093047d5e018ad805b290893b5dcb01841b183c33f6dc415ab73f05872aa1e7da6b385542079952267f44128c5003dd16e0e11a0d81297bfd8e0ecf7a2b460acbe0323b80b37f8195b8342f80ce9903d61e195b85f150ba1e6c95dec	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 473162d8fc5752a4f6b46370791b7c309c721fa5dde303e905ce3b1b624f9c5ac9c9f9775e39476e23f8cd2bfd92db0f4de2243720a3d6e7118755b650ac948b139f66d253bf39f24b0594704163f6a3402b2041d76a50b27a3190e35a7772b2b5782e62b91b2cdad7a48ebde1f01fd4d1fb4743ce3c95f0177daa88ae204dd93b2d78bedfe534b8ce7e7bdf78ab9260ad	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = 06f8774fb7feadb59979884a4b17d65827a2a9732a023623accd69f67ad0e6ce5f37d42baa13448ef3aeee06d72cf6397db0d21b8d16d5b0ff7fd51607b40c0db6e151b2015da888daa3c49de3026bea0650ef14643a6e7cc54ddc05d964e6ca262205670db9d6692f801dd80ad24ac02f8d82bf776d65206fb7930646092f4e2845fbac559c0e8d95270c11593eefe337	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = 86e2c34674f069c5e340efde4f762ec6715f2b595eaaa52349519810a2d5a1f09c103e6f2cfc81e2599e9be261f6c83f81045b9457202d6acab60ba85cbc58eaa0c3174c9162eaaaaf1a77fa271ade61772057f6c26dd457a52f3e569bf5f541e0a48b5d02796124150ae34e2a310ff20845ce01cb7a36d71fb86fb43ce8bff70e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\ee34bab2 = 26b6053805af09b98c86d87ecc6d8696bd2fdf58c42f9f8db74aaa78c9fe61614755b9d5fb9fcb41494e243f11813fa056e853542d70b9bb3af3c09353a493a28c4378afa3ece5f6372c6669e7b47b9a23f725464d3c61e7ea35fb0f634bad1961abcdabf1b02afafc7362451373abb3f328956fe6ae74f35965b223d191ba436c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\7ff4a67a = 848f58aeaffb11827678629b9d5d6d4a0251b391eab7244c0c6ab3a18b4a22ecd5031614c4dc53d32f538f8721bbefb26286cec3afb1b1f854b56c304355956bd8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\60bbbd51 = 04545931ffa21345d64a7f6c6cbcf46d882cc3550b5f6d1440aaa051d7a8e7ece6073b46af34c17ab35f73d23ef586aa69	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\8682c42c = 06894517cef5134fc9116a027e736a44a670b1446d9d3fe7c261c21ee68cd12b7e94f32542f5822019e92e5803098a98bd27a002499bcadbf901815601d03fec69909c61350f12d9a77904bc70df3c4be9c44b649e0ccb6d47fd92282c23b0fa231283ece2ef82269879c33bf3f6b7ecda	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\7ff4a67a = 06fabbe1ad7b168a1a8ddacf2b304166f8eef288270411804ce9808d8d92fd7315f45e45bc5a9d7a8ef91c28dd9cbd0ea8da7c2be1e7937233a175aee6c9496c14	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\99cddf07 = c49440c4ed7995e4d4e4039c4a412cfcc76e6357f9738cb634a0f9c68c78b364b982799df7296f72bb48e256e66be3c738c21ff75dab3a2a802bca3bed823b15f5af9f652437683ca1eae6bc1118025a59bfacd1fc26ad704e3bb25f431904d8a035b2a5f7292fa7cef5adc45d041047d6e3a0644bc4096357e9e50b498e1ec246b611d1d12623564e17bea6e8077edee9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\bvaakpayeaxut\8682c42c = e5ba5dce0b754b59b6eb05f504f8c44828d904c5d3f5b2d6efb4e993387d02229e2f524d8b31afdcc0312833699c6efc3a43d7dc3b90f72f447fdfb2f0be89d51591f5f0bcf0d43fc59b42f6a75ab4dd171dd0d91dc333798915b1478695f664ecfa2ea31864487ede97f5a58f8af7a3d6	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	rundll32.exe
3016	rundll32.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe
4072	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeDebugPrivilege	5048	whoami.exe
Token: SeSecurityPrivilege	2080	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4072	3016	rundll32.exe	73
PID 3016 wrote to memory of 4072	3016	rundll32.exe	73
PID 3016 wrote to memory of 4072	3016	rundll32.exe	73
PID 3016 wrote to memory of 4072	3016	rundll32.exe	73
PID 3016 wrote to memory of 4072	3016	rundll32.exe	73
PID 4072 wrote to memory of 2748	4072	wermgr.exe	75
PID 4072 wrote to memory of 2748	4072	wermgr.exe	75
PID 4072 wrote to memory of 5048	4072	wermgr.exe	77
PID 4072 wrote to memory of 5048	4072	wermgr.exe	77
PID 4072 wrote to memory of 8	4072	wermgr.exe	79
PID 4072 wrote to memory of 8	4072	wermgr.exe	79
PID 4072 wrote to memory of 1200	4072	wermgr.exe	81
PID 4072 wrote to memory of 1200	4072	wermgr.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\userapi.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\System32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2748
- - C:\Windows\System32\whoami.exe
    whoami /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\Windows\System32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:8
- - C:\Windows\System32\qwinsta.exe
    qwinsta
    3⤵
    PID:1200

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Domain Trust Discovery

T1482

Permission Groups Discovery

T1069

Domain Groups

T1069.002

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3016-9-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/4072-0-0x000002408E5E0000-0x000002408E5E2000-memory.dmp

Filesize
8KB

Download
memory/4072-1-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-8-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-7-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-10-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-21-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-22-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-23-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-25-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-24-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-26-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-27-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-28-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-31-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-32-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-34-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-35-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-36-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-37-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-39-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-40-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-41-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-42-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-43-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-44-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-45-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-47-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-48-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-49-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-50-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-51-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-52-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-53-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-54-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-55-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-56-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-57-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-58-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-59-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-60-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-62-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-64-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-66-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-67-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-68-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-69-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-71-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-70-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-74-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-75-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download
memory/4072-76-0x000002408E5B0000-0x000002408E5DF000-memory.dmp

Filesize
188KB

Download