qakbot | 59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35

Analysis

max time kernel
1202s
max time network
1208s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

userapi.dll
Size

167KB
MD5

ce75519a7d251a187dbd7e72b53b093a
SHA1

fa103591148ab8478a84ce25db28ece2e678bd02
SHA256

59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35
SHA512

d40da7049f41ddb6b2e6bb751405385256fd9465101ebcf7af8441f8ffa4733df8528ea6312ca6c3d7e57b1365c4c472215865b978f17ccd11deb13b8bdbf5c8
SSDEEP

3072:GeWBsy+tW4we6Ygz5vEEFV6Q+S19N+sqoi7geA7y9utB5t:GeWBsRE/dYw5FMkj+sNiTA7ptB

Score

10^/10

qakbot tchk08 1710958492 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 53 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4488-1-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-7-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1972-8-0x0000000180000000-0x000000018002F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-10-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-9-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-19-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-20-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-21-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-22-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-23-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-24-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-28-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-32-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-37-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-38-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-39-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-42-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-43-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-44-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-47-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-49-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-50-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-51-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-52-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-53-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-54-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-55-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-58-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-57-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-63-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-64-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-65-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-66-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-69-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-70-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-71-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-72-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-75-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-76-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-77-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-78-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-81-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-82-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-83-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-84-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-87-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-88-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-89-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-90-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-91-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-94-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-95-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-96-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

3152 ipconfig.exe

pid	process
3152	ipconfig.exe

Modifies registry class 64 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 675de068f91d6025841f65140f1ec150f63a883809790cf00bf301ce63a3ab4a040bc6212d853c87f03ab181653f3168fa901139cf462e912da6d309c14388c3ba2ad46c1bf6a59c106adf4007b170676324c4775a9e3bb9e34685b0e7b2f87ba071c579fb56d18fab430ed4ccc1c18312	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = c5c9d92da1b82b9ec9e830906c15d19258d3ce238894b9a9b23f5a47722d41f033ac4671b2313822ae58b323bdfc3a19a3070d0b4985735ea40999c157ee089d83637eb79a181658c7d4778ab47b3525645c105d187b0109e46811952d8c833d7e2564d8e1da2f2cf3a99d6940a2cf29af	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 458620728d44de72da35d5e8cc5c53a28e529020bce36e7b84239f7850af9695b316fdb4a33a0511d5d08a11c70cbff4d2e6e63a427b4f03fb0b5f5a480c3948c886d050445c6a1181f218ab118dd749ab29dfe894c4b8ac17c02608f866a5470ed277c58a1ee77b250ffa299af908495ee9db1888143ff739abc3ec35429bac3a9a7b00fa4a5209b92a21a4f3adc15c1e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = a43def75ca628375c5d7792ffadc6aa9ddb649421498f6b874581911fcc0247d319c5f934b451b0fbe70a897d582207eb4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = e63a6e68eb9884be3be7a0fc8a34d71abd8a323cf0195114ea7f5cfec86c23b14c712d980a8f21c4a4b0f90ca142ed0dd0cc8e6e271ebdaaa2d334cdabe9be5a1cc8e674ee48ed4aa7a9eab0ed13acb75d860e8b2932b08329c31ef0faf65be7346f0af833b20ac7fc8f4f9c17bcc900ba	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = c42175af548df766c392d42b3e8ee502aa172172091f373ecf51bc48ebbcd3c3a2726827b05c4f69f9dde20ad97de68ee2ad903553d2f426d2ae61b5358870243f5baa183fe402491b205a0a8326d0ddb998ddd06296774716b7fc2d88cda97a4f9eb75af4d4189053bd0eba6fa248b691	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 676583110052eff56c50328455c8fa214aeb436c40e68d75aa6cc5bdd84766fca15c746d84a5241212fdade554364760d3cf80a13672614acbbdeafd411498d1af06c74e48724913ba46b46ef05392c2c5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 87836e0335949986ac8cd448d99da9bb221eeb03c28ce14d434e655ba52d67fde7dcf420328f96ff136995f090b1177cde	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = c4b044a8c2256be0b19afe8770d46cdcfd44e89f594dd6d862afdf9fc79535dc372362c67604938b5e3fd1996102f9129a35326c8f67b66f639e535c1540957378aad2e69e617122e693e39e4a7e706a3e9b43d496844abe542ce860c585aee2f01f53c86c219e6e7a8ee3f092ac74a2a91237204128b57ac8c60effef9cc9ba325e66b68cee8f925b52280cd54b4e2ae5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 24b7f83518e761cf83ac8b40993ce70a203aa8dadd42e9d30a66b31ecfe0ff1da9ba0b84f58ad22a4db0c788a2a847a944b787df16ba98ed474e79fd3120b473ea2337833a89ab6b8ca01150b776e345cd32751d944a078de905628cf637a976a95610123d3bca1db3c2a4b045e618da735256aab2be93371d8ba9dc65eaf27cbab0cf956e58ad2be7e3890fb1eab2af74	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 079b9182fc40be98b31c1c34bd39ccd6a16ee533822d7c4fa18b70c5c4b9b74b22f0ebab911a53fc73c3c214933ca51d06546a5203c8934535636e5458be5eb806ea52ab8193e4e4b804bbb5a274ffb6f3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 460e5b6c819be0d3f7440038f749ce4e64f7a61b2a228c5ac98bd457eb95a7abfce1758176d06fa443035c57f014ad3f80c7b97ef2a79badfc062ba3db53379e8db0af6ae2f61089f3a26da6bb048a41f35d82eabd183eaf35ddbd7f5d5db8ed56950c21f8d87aea4f7411aebc8e1a68868ae9bb53b1cde2296f620de7a0bf743c8fc26408bdb5a50a05bc5e0ce7c85a1a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = e5093377a8d9a1fc42265580820d8bd1ac1f28f557524e8f522a2da815f05e76af270a6b20254a7c92b3950eba41dbb54189245a067fa3b00613b928ee02756947780a0ccf45230ea7361082fcf5c43e15df1e5a35402452f29963f0ee67a7a0d7bf9c30bf26881f6021313a429308c1e1f77f9c28795842963b5443482d433a7fffa74f1826ef4da3c7ff3c2ce9096e3d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 04a0efd916b7a0b3f052ec2f791551515a1871cc5b78c05fa799979d4b1ed78616c6c4a684af79449806bf80ed560f742ca0c08d8c0bc74294727eabf66cd1b4d49d2dbe7b2f7bfdacc8e0cc5dc9f3c5ca13a79a0aed025c67cb24925e7542e847a19c8fd8e268cd6a675d591af1c94515dd2bb1e2a116a883ee72afaa0c9fff96ddae452aeb6d61d9a0d92bd9af1df71e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 06fc3d5500be20de86036236a626c3b5d3e936c32ed29ed60ae459383358bbe5af8e0805050f88ffb2a61ef3469d24555a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 47f3cdeaf638a03afe9919fe3185fe1c22cd70c1630140a7279d4d339935c22cce32d3576976830588275de3fa81606f9c043d487cdbbc195f7b0ad29c0a573e01e6a405311f48612568eb709308dfd3d0df3464a8932616e15418b1aa66f1851a8359a669b55f00bba8cf9089df6bc4a9cecee49283077bf0003a3bea2fc313c25c48738c504ddef4501a6d352387970a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = e55678ca9d52cd4def8a4d734e10826010026b85f6c67f89c358b009e0100a376b954dc83b42623a65a49d04b397fe1b5a890f520fd7358fddf137b1ea993b40d9bb9ade60b6bfdc6f6556dd4989f5a0acd16039b063c017622bc7848de6a10769f38e96efb051f03002c134ae2ad4f47b5cf48be99f3d428c0eae5e80273f45dd035ca9707979085cdf7af66b4900fbf6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = e7de12a1a96e08352478c9f196c875bc8124fccb0111ced9b062a224057770e39518c5e3dd71d8b60686ce657402b60a9f1813212488cb89743dded70e956837a73cb2d920140fdca5a8d97edcc2ad856f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 04b630533c366291ba0d3320abf811a85509be6e13887df6bf7b87e38399a9ba7178fe8adc06054b7f144c17ee5f45a290a6e6a0205fc2dd50f72bc341dd33455ecf53c5484269d03cf0b8153254442346da1bf942c4783c649a48a623fe15ff488e17f227253a911ccf8171bfae83e70b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = c5cf5171671fc2c413b59a747ea2a6765482111f523904ced63d62d141df83b0b7373181b57d5dd0e5b0b1a3aedf2414798748493f13f5cfb4eef67bf2e58ae914b48faec81b84347cb0c73a6b8d162c9e81651a4ea9ad9a78c2edd4c661a6ebc7abc37653a6014036dd112cdcd01572ef	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 8434aec0e4c69700241c413eb7467d937eb3a91a35b1571156e0e028183b63ede32c9839c5fe08b90af75d5a4bef4d818e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 45cb8b71a88da0ef221ceb4e7b0f36d79940e10160e8e1584c9b27f02ebcabf9e9b5ea40db43b044c9a0569e330ad01a8ee0934271212c959981dca1b99303238bc8d0df17918e5a542db1d4d2abfedc1a7ed55b2e642410e28275962e5f5923aa2c73ef79db8fe2530d52cbb19fa57f5534d1692471ad7c778eddb6a43023e62b850dcae57f0ff50a75e16e22fadf1c03	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 050237c81551a28a6bc14c0f8f2ec379da4622df954a6cb3755a234b94dce4532822e9c496e7a9623cad355e5315c44d59	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 874c8452ed6f12e5f75b87575962898d723f9ca0f3c6ce48a1522286b135f0834a3fc2e18ac13a743f46b28c1e4c90b90947de017ce8c0ad7821d848b352b7fd77935a13926f1634e0a68290c0084a68ae94ec89af49ef0a1a7b806e24f3e8a10acb7bd88a9c0357670fd3b21ce8ede2bb8284dfb057c43b6ed208919266d632170dff447877d1a6ab5e38479efef72779	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = a7882386e7c104c43c7f6abf1d3d1d10011311765ca517c90dc79baf57d7c2a5cc6c97d0b8fd1fa068c55ead262030524e83ca4490e1b54e857c85b076b09ffb921552c1270fb66f166af623f584227267a6924a028e0e75457a05f74a2c3bf8192b62deba750dd26e805c6e557fa729b51aac4c1653fb0f9fb9e0363e3e234575f59bde13e07b3cdd99dbfed05e018440	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 66f4aa3eed57d469ae63ab78f2ccf44ff8266723bf4a8ee18d901b97f531afa327ac245a8f80d04205dd9dd4aaa57d32449a4f5ad6138c8f0aceee6ba8024d58a2af3ac36bdeed660103b6da93b08473a12d84abd57cb9e21ca5a6bd2ebaf9d034bd1b83769855fe3a7126ad8dc79d3881189aff8617a298a08d59dd8e05d8027d9b748541c5be7e6148ff7037925b5e26	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 25a0e61a9f312d6379e265bc28d2c86695ef295a4e0142c9b526c2e49fd25f6e9c66831a1643e4806cbcd3a7a33cdd13d9ee0f1ec30cad4d7d39cf91c99061f89c0af409b28d5db35f1ea43d74a0f07977a874e4aeb2fcdaf78121b179c8baaad45d91146d344f4bb1db62b3df2a2f232d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 868ed4756255eb42a5be012973957202d9f86cd72ade1cbffd367729c7bbe198203e25a24e3d4a06f6c12dc57064641b7421941c78c585599ebf53603d648e94ae8a045001d676385bf7c71e3c8d4e7f70b1de3199b9ec137fadbcba4a8518102b534d5ce962a1fc96d2b012e616c589da15c53b95954aa4b27ba758bbbd01cb6b36c2f4690f32365f5bd03507699f8caf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 45ab8309c39bc8eff797a46d22d2caab5cc7ac1fbedd02ac1aa8b89babf500598fe3d8d1178d3a6895c7d44be8bfcd26bc223e103402fb68ae885f6e03f9159ee1f7eb541261f6eb76bd3e5d7032f9248b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 27e25bb330dab1eaf61c2f265ac5700626937ea034562d6e9541e8e6d6f45837fa0df3ecc4b937779c8added27e05354fa	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 6645b3126a4ad48d7249441233c16f3f17918a98db786ce05559ef18d2162af8700aed730fa2c68b23fb4a76c24dad44851fc04581b737ca3aaa80dcd63b505008ae10d432849ec7963e0555c71e60aeb3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 8738fd6539d36eb3d5a58e20e25757b53df98b83f66cbd49f83c2b0b078eeb04bf99bf3c87a09f723ca4b8c914f2817116	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = a64cbf2d3288823f75da89dfc7f507a59718860348adef9226a6fb11c5ce1e697b9c95492a738fe2a94378caac622ac4d6421bfa5395eed8f24ef1e842e3a8cec28326396bdc9e880f5553b5bb4c5a91b95eee82b5db3beb037eb1c8581b95ec5c6547adee580951687adc6585f62d6f73	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 257b4918b26e11b4237c90141886f8b96cc3e541ad453e3fa5f9211c1f690208f160d9a295872e0829cc43cbb66a9a725b87dd47ff4e253acd271c6b101f37d96df5da59a97f06aa8269460fae5cc208661302cc8d999e69ab8332ea8dfe118e7ca03d8f59c1af2610435c90eca57e0af6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = e606f229c71524328b23631bd09257703d81ec461d2c382f70751126942feed6967976f03fb8c97c0e8e39415a468de70246f6b70cc24ef682f35a3499ed9decc8ece0b3e8e3319745130b47bfe84d7aad1c084ba657c85b5a3ff9bf27c1676172f092b8f223244644de2a8f32e92d68e7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 264d56e3fbcf71de52e485fd46e7cd63e9036a950a1d190fe968558a84f8ecf4124ebb450d74e9ac209f4f0ca610f1e7cd0aa7e7a757145a71dfb593e62a61976c15c1c582eb70c3be28dc61a2bf1483fcdb07a5d65bb852fb754cc6900635dca1d250ab13ac0cdc1f0b7ea08a23ae6f9a2b2fa7329276521376fe678b5a1d001d771e7b39dc845213be108ca4ff2e6c6d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 67c3268651aa88b246c37fd9713d3d9726858137c863b618a297f4fc535dba28cc6d8caa2ecc4b49f8a6e8e63a3abf2f8a8dcccd6a8e698e403b981839b4069f0bebb4e1c1b2c955fa7198cab11d3a37aa	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 05ffe43c412750f327710cad2048e91a533d6f4e53088889731d59eb0ab36366b44213190b5c5120ce6df39b181d330c8b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 47ee941c049921fbd36c7e58cb8149634e35de1f157c62607c8cc3e3dad979721e22cb411f44702cb2fb0e331f563adc3b13b893bfc9369f0a7c38bc4e9161cc52a3021bf64d8cc69433cb5461e7a394c881ae18d0a2468c1deb08ab043c2446c831aa34ca1acffd83fe9c79f4058ffdf7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = c5a9b65084a153c8996a8e5d15eb988598a0fb23721af67ead8747014c51c0656f570bb741458809e0a00a99be1099c733a069057090bcea372c770baa0c9435fdc5f0137e379108226612519839ab94cc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 6572c98613021acfa6c2e1fc9af532c4808eb614ca2047b7cba9f0e339ba2a7aa8d69bb435ca73aa232ae46d3649a32e37	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = a67f35aea7e691b7c54522a261f2953cc097a120e216729bb8432b61ed9f0920887888874aaaad1b15e429bfb1b77d2f89	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = e411bd7a4f1ee0baff88dde4fb9b90a014a2ce85ec05a89640bf60058e10785a8817d5c57b805644bff0971b4dfc235f9995df5639952056593bc5877537ab79c1e6f58e2ecaba1f85c6191bfbdb456a51665798564300d92f1ea763b550012be90dbf728db3fed195ef0eeeec5d51a2f3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 26c89606f40f4b644024a1efe2375dfc9a0cb8f598e4250c4335e5a185c87bbbc74541791f742fccc2ba43ce5c1f4a492fefdc890001de90374b9306e444db874781984ed10f2235a62420bc334ab6a3dc9050bdc16850943689e6765ee8f140236a82d5ed794a8a2eca49af2f1df2e02e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = a50ea6fd85558925c3ad6fdfaff835e3662f6294dc9c4fe13da3f5fffb2fbe18d9617500812862fe1ca45efc40b6305ca8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 24af71365b411d0443c0fb0d81c64e097f3f74264a48bf4d2c5b913aa79f3fbf3b5651891ed8f4d74d5553dd4023d97e17159d877f0eedad3c9accb70e89d4d6c157612faa9ff5996c58623637e9f03affa5de85ab2802d6ee52e03e531e3c9c933b67ac24375e1f1b8a90eb5d065f25ce	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 44538d4e6303eee87e7ffed30d1586324a103ba3c0c2de1b6b1d3eed5b70f1445996ce6247c3b9674359b6eb942651b0bf33dc11d44abd233ecf3a8cb3f95d7551fd40f4530ae638c9a381259962b356cdaa60e54d3c1e8714a35e6f90c657752b87a29affa211f0a371bfe473896a1c95209d12307dd56d2ccfb448d668e949b3c15d3372b8e19b1b454e60d2dce521cc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = e59a19a76704411cc8a0dbf11dc0a567c942e311e22a3e074a4afed2edd4c0793cad921c76dd8d08b4ba63db923ed4bd05eb02321f21d5c34cb18809581267d282fe97d04f0e78636682cc2c2da83b2dbd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 65328ff2b12f2541e42a39b5251e2a0b6885b117702256819c4c3b38ed979e83570a1bdfa809e532bbcfb7349621ef3e0dbeb6a83437f4a0f923d050ab62a32e9128d3aaf086d80ddf367d97177b4ae5f2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 47b2be9676040cdf61a3982b93ee92510299dc3806f585d81df103cd8f8b0e898867a421a960c4d6bf07dc3708c8ec507b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = a75bdb79700570dae6bce86ecc2aed64312f075c002a048b3eef5eb39eec1bc64c5d5057bad86bbdca9dec9b3d6e57a07f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = a7575be4ab443caf105b004f5b712c4bf3984dbe428324cef689d1693f3093a43e0236435b8ab1ddaaf1336d47a791c0c88b9135cde6a7d164f5f285ae6c3a6121d5c6096577a56eac840369f9c38e1b66428ac4f8a9cafa562d94f597354049471dc3050e9542ada1f782f9e3b5ddedc597796911c0de42ebb6704479706a865f7d49449d90b9eaaf9d3f5b20bbdbbe93	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 6453f6067998fdc8ac9a09314dade5d9afa812784b2ef8faaf71890125e7be4055db15a3f649d17fbc96a81e538afefc41d152c2fbdb19cd6a48a15b06a7d576bd27d4285689c0189914bd60d2e6ad4e05	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = e49adbb7a2054e80aaed1e16a9a4e245931825eeee07354de29b3a521009d8b3b98c600bddad9b55be4dc82e3df86e59afd27a110385182d4feef026e49327983f6db8a4582b47af40195de04343ea9fa997b7dc3901eb13348b9cc7c5734627c8158c31f24b3233509fa586955ee39cb5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = e4d2f5ac99f0a79ccf2b87a4045bac16163aa2ea801415740f7c11ab646ec583c72bc98506a3f11cee12641f3ac02d50da60f38d45e317051d3bf23678575be47ee030f72321bcc1353e9568c09f705af17c87acc210a67c49eee53f4afae3f1072af9788831cd9a9f8c69c4c0b152f1c7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 875ec64e0405d2edc9118986d1d033ff06533ecea580d22e0e9b1a697a656b1000b441ebdc2920f34a400f0ed9515a9cc88b339203bd25aada2c189f02755a265d6bf80cdfa009ebc0ff56dc937f0cb4d408662816abbdd30da6a356766f6ec374b51ea01d9c2ede8fc95ad8cdf8f1f201	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 46e4759026d6e716b40b3da08c600698fbab04b737a6178d0664f894f5cd12ac9782e98938bd7184dc99c52c51a05c6c7c0910589a066134598e245ce2450cacf86022f521d4056da3199b43378e34fa877996ebd8b50fc08591b4001d2dab315061776d84fd6249b32d096980cb801abc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = a465b58bfe7391d1575e59e33e0c92679e70c4aa5bd46aa1509deffdbba5439bd287a88b732c004f823a7f38691161746c2be49fc1169783cc12fea6b8f6f9d8221e98e027791b90b47102a99f65f7dcce9001b257af21d1c595b40eca482987b9a4ae41f155012a08f6bd2af8863d81f5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 65dc628704dfea58fede7f26c0390eccee85af1c81c2fece936ace8ff1280ba92b295ec7a2c10b1778916dc76eefae997693f3c2d7cbca4b9a3bf658dc4ca0c46a4aa85185a7e8ba58eca9d81e4a0ac6cd9a0b9a1a071f7dea134f2df5ff9fb15c3384fcfa26ff88772cca24c0e3019d62d7b300298ce794536076a65350f3a0a653715d6f3b427e5748b5a3844a3a4291	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 6575ab66fe3eea534383a7b7df3f598d6b12491821cbad3126e8a4eaaaa9a6a8a2fa0db08eae103640ee49519d0a47de39	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = a4244c5f774af83b3c253d25fb0636fe2e474342b5d82cd922c4f3240e7dba0fffad52c759333335e6ea9b3858139da78c7bb356dd01569b29bfe9ce6eaf6ab0e9ec9d09900e4666764194160550b1ed1f068f25dbecd80c0ed6376c8630795fdaa7db6c03b50a5c71ada20035ad106490	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 456b4c42fccc6b97e63b2282c9ef615bbffe7bfa0882a083d7b9b7d2524e7c2548e4515a55f8ec54f01fc52ce96b0cbe7b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 848dbbcd607597964757d629a66f165e4ab9ac2e8d48ef2fca7162f5a917161c608cf8c368da5b7aa593e42125f7f7ffdb487445b72a2307167da1d5026464ecc6dbfa4d01213ed7f4711b25ced12a84dd55849773e254618e1add6314b38d2944d77ca9f7205d4c95e1d1c2e6c1f935b6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 450d69706fa34d6a6183ec1a3181b51f278fcf0030ed0c13754dea061905757828eebc05b6bcbb3ee6dee0b864a117e95720d46c8b65757fa978d06dc0bf04774821bc79bb6fde1a6f98ccf97dbc299423c0d62cf912375372e299740bfaec221405a0ca7249a72823de2b13cb11cb3398	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1972	rundll32.exe
1972	rundll32.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

whoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeSecurityPrivilege	4544	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exewermgr.exe

description	pid	process	target process
PID 1972 wrote to memory of 4488	1972	rundll32.exe	wermgr.exe
PID 1972 wrote to memory of 4488	1972	rundll32.exe	wermgr.exe
PID 1972 wrote to memory of 4488	1972	rundll32.exe	wermgr.exe
PID 1972 wrote to memory of 4488	1972	rundll32.exe	wermgr.exe
PID 1972 wrote to memory of 4488	1972	rundll32.exe	wermgr.exe
PID 4488 wrote to memory of 3152	4488	wermgr.exe	ipconfig.exe
PID 4488 wrote to memory of 3152	4488	wermgr.exe	ipconfig.exe
PID 4488 wrote to memory of 460	4488	wermgr.exe	whoami.exe
PID 4488 wrote to memory of 460	4488	wermgr.exe	whoami.exe
PID 4488 wrote to memory of 5112	4488	wermgr.exe	nltest.exe
PID 4488 wrote to memory of 5112	4488	wermgr.exe	nltest.exe
PID 4488 wrote to memory of 1636	4488	wermgr.exe	qwinsta.exe
PID 4488 wrote to memory of 1636	4488	wermgr.exe	qwinsta.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\userapi.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\System32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:3152

C:\Windows\System32\whoami.exe
whoami /all
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\System32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:5112

C:\Windows\System32\qwinsta.exe
qwinsta
3⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:3708

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3968 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1972-8-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/4488-0-0x0000023D14CA0000-0x0000023D14CA2000-memory.dmp

Filesize
8KB

Download
memory/4488-1-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-7-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-10-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-9-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-19-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-20-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-21-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-22-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-23-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-24-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-28-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-32-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-37-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-38-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-39-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-42-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-43-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-44-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-47-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-49-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-50-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-51-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-52-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-53-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-54-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-55-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-58-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-57-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-63-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-64-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-65-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-66-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-69-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-70-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-71-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-72-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-75-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-76-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-77-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-78-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-81-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-82-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-83-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-84-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-87-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-88-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-89-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-90-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-91-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-94-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-95-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-96-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download