qakbot | 59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35

Analysis

max time kernel
1202s
max time network
1208s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
submitted
24-04-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

userapi.dll
Size

167KB
MD5

ce75519a7d251a187dbd7e72b53b093a
SHA1

fa103591148ab8478a84ce25db28ece2e678bd02
SHA256

59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35
SHA512

d40da7049f41ddb6b2e6bb751405385256fd9465101ebcf7af8441f8ffa4733df8528ea6312ca6c3d7e57b1365c4c472215865b978f17ccd11deb13b8bdbf5c8
SSDEEP

3072:GeWBsy+tW4we6Ygz5vEEFV6Q+S19N+sqoi7geA7y9utB5t:GeWBsRE/dYw5FMkj+sNiTA7ptB

Score

10^/10

qakbot tchk08 1710958492 banker discovery stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 53 IoCs

resource	yara_rule
behavioral3/memory/4488-1-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-7-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1972-8-0x0000000180000000-0x000000018002F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-10-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-9-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-19-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-20-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-21-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-22-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-23-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-24-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-28-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-32-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-37-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-38-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-39-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-42-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-43-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-44-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-47-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-49-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-50-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-51-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-52-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-53-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-54-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-55-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-58-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-57-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-63-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-64-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-65-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-66-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-69-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-70-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-71-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-72-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-75-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-76-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-77-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-78-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-81-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-82-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-83-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-84-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-87-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-88-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-89-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-90-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-91-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-94-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-95-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5
behavioral3/memory/4488-96-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp	family_qakbot_v5

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Domain Trust Discovery 1 TTPs
Attempt gathering information on domain trust relationships.
discovery

Domain Trust Discovery
T1482
Permission Groups Discovery: Domain Groups 1 TTPs
Attempt to find domain-level groups and permission settings.
discovery

Domain Groups
T1069.002

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3152	ipconfig.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = a58ad59697d13f69472f6e01ef8241ee8c493e1a82bfb8b5df6bb4ccaf266177755e2ecff619f90e63afb54b66afd889679bbf2347d5ba7a5ac3a312855af622c0a64b6c5c7e13034a3c417df5a5ef985caa4186f45384363f3b98d24f10e54f1148c6f0d6fa46908b823950452413cfdfb2c51162f872618c9cf3d33263c821e55a03d7f7e1b0b6dd84fa79fcb6c504f0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 8696fe864d49422f8b56052b363c0d8b5170fa9d50e9482171d5519b8f40a1e650ef0bb8f24d55eb91cd8633f91239cb556a1cf197ce2dc38596f9c3d0068fedf97c6ce71fbd7d0ae45952b38542206d66	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 87420120cf611102ef8a2683942d64094906882b26e6870374810b31588fd3e535cdb146005db8da5933dbc2a13452f667c1c1cf9fda6ccb439bd8841cc89b80b6600d19e096bd846c14f63301ef61aac5ba805f1ab842294c6a33de625259ea248f002ec228fd8e945c4ada4cfed2da69	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 65fddf12cb9b2719b2020e9050bad25194dea091839d8874403eb87462e5b0a209c7b2f4e6d691b405c6ea6adedefa3176	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = c5ebe58605e2cbb3fe3498cc34f7523f55964d07ab702acf6dcfd32b3a1401fbd44bcde96d180bfb976c0b6a45fb22d9c884f6c78686708cc0f814890fd0cd1298525756b802411f076b60e591d6df15fb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = c527ae428f4196c3be37883b6183c66462fb345f38443d0a11298369a612ffa984bbe301ba350d17806e0d64ea40b04f6ec41afb62974e9060b50d246cc3cbc4c5b54be62b7b672944084cf6c6108a09f2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 07c653bca54a28f66def4cf2765db8c93b49a0a3e45a84cde9719e65955414705ef4697f9be963d639bfd65d875235fb50125a1cdc2ccdf7b30cfd01d6f2c054bec99ea9b3e345ed4295e1236a889ea5ab327db35987b2566ffaae9b71a8fcd72c1aa9ca524591402d6bed02184975fa9a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 659af737a808d2147d5572615123c40190821d8600128dbdf4afadeb11ae38d744d9abc3bc3df38ca6f3d61781bb32dccc1d746e431c5a136ebaf0763110ad3608f85a5a439821b6bd335d9e88f36ee657	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 44cb34cf4348d15c439ca55b3d6e9933a0aec381c8db06d60dfe6e2f8a4410b84d833d20ab9b22c10c40bf80b8e266665d4217ac20b4d6f291d7f9bda70df61281a0fe7bc8d6a7bc9f6ef95abcc53b36b63e47ff02f02e05a9c02bc970683bbd4c00d59b35d317bd4b8a2197773e2073e1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = c6cc238b5e07a093774122ea783fc03a706594fe199bb6ef8b05254742cd60a09523b5ac180fa054bf9e94307cb44d2b0a55bf7220609b79219837dd81a45b6eede8bbc72864c973361899df9374a16f69e59802df43877954f01b4612941380afe76086d1ab587105be58a96fd7ae86ea	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 6648e6295ab35085c494fd507d21f972e42b3e991e72d15ad5f5bb848a6ccee7a0686f83f7879360f11780e954e670633bfbbd65b7d52830ac87c773183fb60a17c063f8f8fd3504d8a625e3acc6ba29ceb1a076cb7370d942a7f5e7c2b8ae5567492ee7111e4c629fd6a4a33075829a079e924f6ca8f465e25814bf065b8c68411e877907dd6da15401cf12bfd1d843c3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 0709f31c4477c4b0916f07979a5bc25a7d8e198bb525b4432e1f871570f58b37710a96ec051a32423a519f72e2e5eeb922	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 06590dda263f69a881715f7c3131a024afa57f274483b1b222dbe453ce651c2b2fc3e7ef3576362704ea8e479af237428647bd47dcd9a144c35cb538b3f66f132b3be33ce70fd78aac2790f6601d3ff900	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = c706d5f13152563aedd1ec86d75785850e873ecddf6ff887546bca30bdfd7a8b99979c8450b1acab9ce7eacc510cf152dca4015bb4d059cec0395f10ae6406d160fe534aeb9da298c9c502c7cc4ea656b9656d80278a6999692f3abd823e6cae984ba250a9e25d8a7cf9747684d4341c0de1491a9906287b88453c5775e058b95636ec91d3a3773d0e90788a7560bfecde	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = a5b1dd0d172e0cc4e0446a3559582e0c62c02fa51a4e81dcb60202fec3e3e719937c574c227c9025fb79183cef07641f3c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 26eef5e36b798ea434c99e45c3773b91e3d19d8492af12cae53e454c1f0545b461ae5ab75a82aff073476a34e65e53e2f8247330981bcc997b6c0728003be326a345d331583b6b1e4a822e9eefbbaf62dc5c2475d765595ddc0786fa2b69c36f01d590518ff8d4317cfef992b0e1064673ba4241c8a01b6b0359fed7d3102dd4c68b812967bc32081b61708d33aa9cfe73	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = e7dc8c335206e933eb8440cab2df5b4f4630ca651d7f1f1f99c5a61e88ad871a392b1a13dbe86aea0614c68a296adfd9eb19a3e9959d90de0c82ebd32092b199d3af83e48dbf4234255ac5baf298b0c8a3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 874c8452ed6f12e5f75b87575962898d723f9ca0f3c6ce48a1522286b135f0834a3fc2e18ac13a743f46b28c1e4c90b90947de017ce8c0ad7821d848b352b7fd77935a13926f1634e0a68290c0084a68ae94ec89af49ef0a1a7b806e24f3e8a10acb7bd88a9c0357670fd3b21ce8ede2bb8284dfb057c43b6ed208919266d632170dff447877d1a6ab5e38479efef72779	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = a4244c5f774af83b3c253d25fb0636fe2e474342b5d82cd922c4f3240e7dba0fffad52c759333335e6ea9b3858139da78c7bb356dd01569b29bfe9ce6eaf6ab0e9ec9d09900e4666764194160550b1ed1f068f25dbecd80c0ed6376c8630795fdaa7db6c03b50a5c71ada20035ad106490	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 241b63a84bcb33238a1e35114293bc839153e889a136e5e483e720ed851fb4715beaf9f2bbb317dd550430cc9d51cd792dba6203eb32641ddaa9af537d59807b534e1a449c60763f8812f038213d7acab6a6685f0e5eb9921195311d7c3654ed1912460d74be493d7200058233b5bb28bf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = e5596f275f106405eb95809e79b75a70d67d0474f4cde699bc4919bdeb348a1d0934fecaaabdcb9afbe301f8c0d0c07c6c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 24c518459bbb2ed98a57fcac566f21835c9bf6ef939748c0e18d5f893d8bab58663e212aafe2f05032ef3b3b993ed0961aac79067c7a69b5857e6ab491cf8df0ef119d1327b5b04a21d2a4165721199e66	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 267d9cee20102258d9a8720e18f2363759467d881ae87eee7c2f0fc56378cf4fe0c03a63987c31859fd95bceaa14afc02bedc286bc9911faf256cb3ffa27e40e4a2c3ddca24f24860eff3fbcbd1a1c47da5b8236919d27321b92593afec35304d546bc1ed9657031d0a96903c432d90ecc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = c58b021b328f5284a4afdbfd5bc30425efdbf14cb4b2f05bdd86c6e943ecc4195f068241e7396288a3bde1c5620438e3f2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = c405919fc590427cc92e680ec40370aff0dbc3828993f68e595a024d151b61d861292c4b8dd66a82b7e5d79d8dd812d8f3f425c0905dbf8743050f8b6472fd5b63443c39e50341a6761352befe17ed5273d648f56dceb1c79b586ef423f65b847d4334cd2da68f90af43d2bbe309ba1bca	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 87aaa5993942ee54f2120bdf409e9983f078adab80ba5616ca9af99b0135eca06b1d7b344dc6a3c3259a8a816225be69aa59208e61ab333ee8e56c167a783a2a673c563d02815468c24f88a01dd6098101	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 849bb93a013e48752660d8fc3d8694e6af74646604ded68b88ae2346470086b22121d73bc469de1dd378f837fa723620a7e8c87fd294c8fafc5d369d8f3bf98db8b2af4ea1bf231ffb331fe7c644aece30d30747bf2a7bbe2d551ee282a03ecc3dc3ffe260991acd90991b87986fef7245	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 04c6f11153afd182f91325bf215eb18803eb7e959e0c8a1de16b4d90b37ca64ddd6bc003b26b686b76931e0de5bdaac90910fafdd8ed1aa7f7327eca1e5d7d91d21bc456de3a3a19f3bf9f1385f91e9d6b0e1e144f4c674d340d816d8caa223a6834aa855010bd8472db6a2c4db8e736e3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = c6d8afb261b1a651d4d61143a6fbce63086289dc8763307139dd2eb41d470214cbd4ffcd831f2bcc513968ce55ca609109a15ac659bcc63e6507e902c29fe45b0c044d7e91d2e2ef8432d12e55cdc200b7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 86e89fe63f3f58069a906b531a8ce39b03483aba08feadfd1365e6a7d3dbd965927677542f077319638edfa204ccccce653b4f9b192c5140b55bb1c999ebf2046e7416a10a5cc9103f3ea3d34b389200fc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 2576f6797e3b9aca3e5f45d8d661ed432e5614df55a57632e3d35a4a31801bd7bc255fb08a91af6698ebeedb5305b52343eedbcb4dbafff2ab8e33daa8a54b706f311baa51a5fd93bab806954a0f4ef28a9b4df9435b364f37944d5681077e7ae365fdf10d22647c34a85574fa122e17ac	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 2568e9c72cbfb34f78462264ddc4cac3f41d4a48b9c0e5944447396d26a27c3528aca208d85c46e9aecc14830497e35992ae4e51a00b4ff248b2ffd7a6e82c6cb2eb01291435c3aeed45ed607be46b54ce3424822e3e701a7a16e26663485084b96501f37fe3398bd2f985f25dbf295933a45a3ff723025353318c089170c093b17652533f8989c7f90c3f15bc1eb9cc39	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = a4df9cad04a5a8c2ddabb2f70dc7e4de5be9f8d76588cd5b187fc5a7b55ce405ff1c7c0d28ae5929c06361f7c7373fb1bbc5e0903b17797536478ec343038f07d23dce6ccfc3aef790da8bfc51e58742870e54f6300240480ce6077b8b7edea861a9e5ee7b79e5662ffacc8ed69f28ddb8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 06eb47dfd51c3a8d47edad4d917087c8c96d8792b36c319afc1367ff788625b25de4684728122d85b95c958f2ecb0c92a21d043901cedc865dc70e6f99552985839787f72bf57fc0dbc56fe386a07d0d16d31e7c279acb90fb0da6e3258bbed7f6a5b842be25875ba9d998ddd579661ae4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 64c56ac09942c2e6d4169ade279649d4eb4510db0b92b51071cb64966f61e099e3458296b5976b5067a7f5a758a94346b9b06409799f031b2f8263dcdfc44eacf920c2e455f35bd8cc1f4b1f425d4417c147b2d4b13fe2baeacc1d221f3dcd1a7849674e10ddac9809ac03c534545cd2cd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 061a50f25660f295601ebd335c6f2ce37e1a3ebbb27963f967c6433327a0647bec2950209878f6c17cc27cb3f392f1fe2006aadc754f0a5c94b732d886df18c70f303682142e87d3afaf8b8ac1ca416ee71a515d4967c2e959f4d21ffb479a356b2341ca3a0e5d336f0725695dad8734b3c294d5127f9311a7c560805c99e3fe2db028bee97179f9c97e2e6fb97616f19b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = e59a19a76704411cc8a0dbf11dc0a567c942e311e22a3e074a4afed2edd4c0793cad921c76dd8d08b4ba63db923ed4bd05eb02321f21d5c34cb18809581267d282fe97d04f0e78636682cc2c2da83b2dbd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = c7a906da760139b275c51fb5f3f9618822834524727eb9ee950c4bb37924dd7204a1c3ab2de217edb9144e57838078e8515838db5689cfe68e65088a6e9a28f154366b99de0e3726e5851b107f7a3e95b5a723039eb6ea550a7c9d94663e4e3ac47ddb8ce426cef18e5304a04f3e363321	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 86f199943a6ff1160f1712349bdbea00971e8f1c1ec5b90da28f95c15f3fd6ce652e52f01f4a2af23288ce053d7de91b65	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 870ff086ba771c92a0a9b2415d9d116bfb4e19d581bfc0c7af5329034d989a83760d4a3fe20e1c3541fda968e2fa40d1b8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = c7ee9b15bd58a62ad92048153a605ae6ee07fa923c47ed2f69f6ad2faf428e7d989e5b12ee116abe79a20b231696d75217dad5a197365cf8d1a7ff32cb0ab5848771dd502378817a7bbfee626d5b10f39080baef7ee93c9c2a7f144e0ec4eff87090ba39d858a5b5ddfca000240530863f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = a43def75ca628375c5d7792ffadc6aa9ddb649421498f6b874581911fcc0247d319c5f934b451b0fbe70a897d582207eb4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = e5a08e4b7b6dada03df756bfc73d942cba23abfc5c19e9d2637b3badf97958548071eec9e4c4930ca03e3898e08fff607b2b81b3b3d3332ea2e2063c4fe013018fac194b7c14d8358d744a7dfc9ae9445e5ac6acd6556832041c942b96d9d711b038d2d769ed5275540f0fe77376b6f424724f0bafa9f2bb01e0a1061367f96463e1090ac6418161337ae5425bd4574c89	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 24b96a8675a013a3ca72903c59553d1e8732640bf83fa13a525ada1b9c811c978ba0ba306cba5538619ffc84b862e10cdfbaf7bcffd3615c2153ac82dd2e96b21a7117ed357efc987ff77a2e9aff7df0794d7e89a7dd584400e838d8135916c954fbc1435477776be0892ac6dbd97ba9ee	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 46e4fe241210f53e6c5bbec84f7bb514872b754a4a79e082f31316b429cec5889bb032bb108041f5b6cb70e469648d7b2d82a52853d0e33a2e4d6caf729f0dbeef81fb73fddd55957ec11df42a2461f83bd82f38d016ef92344c769cfb289b3829da4ff4a6fe2d076b1b541cdfae67badc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 048d479f734b6bc605b8b083cc3051be0e3a5836ee5e84e1197f9f45dfec024975f2099fcdf045deae3a32664b2f2e6f096f66ee3c8cce3ca1f2623e5c0654f7445390ede4a05b50d57d1cb5faed71c92f9b8c244bad69811bbafb3218cefad526144911249af5830ee9348a9529fe9347	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 071cd38466390c3dc314de8a8095683ee34899e336ab30c3d1a8ea1468c2000b20da22bbd3c13b1dc1904c073669105e10	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 26f078527d693387625530dc7f6c247e1834c7277ccf45e9161f031de05e4f9400b406adb5671caec17508e975ecdbdd5c2f292028a82ece410f4ebb329718b5817aba88c0537d5946c8c026525c5aefdacb1ec2a5c859860c84edc84d17dceb0234cdfcfdc1d3d871a416f98263f3a6b2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = 0415e28e0094e20d3cc468644055216af7a592ee9664747fedf03886a02932cbb31e2c028aa4af85e7739b56776f36c118	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 86effa103813fcf3efed62f526a5fb259215245716b5d41bfb97d990f985828d3b4f834033c6db10be8070bd37b4f99139f19da902ad55cba9812508a228c0c7e24ecffcb1ba5b9e4a3d1702cc8a56e5ea1bf0816d169bdcec700ff3e53dfeac3715a8ddaa6220c1eed907565174e1a9f7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = e5a026b14af8fe66c32a73a9a81508d73970a09304c60e15dcf5bb3863cceda2de0d9024ca1d7b1acb82609f6a535c90fdfb019704ebf82018bd22794e84d809553f7116f1bd3c42f1b9cde39576fff2f9fd36d84cac02bd7165c2f35d10347090d10a22d4f85aaf41b33f960b03ab467281a324b697e41c107e17a22a1e0ed6284488d768f6d4577e9b58bcf8c65896a6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = e7a6d03d79894241dddd2e54392a95f60f275ead6d5fa841cb39f9afe09a01f2edc24c9e96bd4541558d473bb97b463c92abeff58040238f8e1a97e267f3c014f4e578e5ddc028b88b1a039afec02755af6eb7f7f7ad003a99e6226e2798856e09cc9d56f8d744630de11cd61560a835d61a063190414d03280c0a34466543c86b66c7125a091db285a9b468b6aef6f44b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 6495f28286217369649f137de2145587306b3b8a05d3942a1977eaeffc1f9172308405054003e69826e1b37a6c85a47e19bcf7c07783237ba1cc4ce77693bca98c5340cbb96878291f49640da67fc741d2c9d3d5d2b07914672d5c0bc957403c298f8312d2deaa1ab3aee8f2437c2febcc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 253170992833ba9579c0819f2f42e99524331a353052e48060a9547e987a015c23d2ddfdde99b914fde2b19848acfe5d06926ecb57b0e47b955cb25a97f9d5226e0abbb23514ec3df752694baadfc2324c3a416db53414c7d64078ed86b7233b537b27ad3f3ded9a4ec9b2e4877a9eafdacdf6c7396f5946ab955f121e0226fd4af2fa0e5bf6d6e07bbc7b8ef60ee8d8a2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\2240641f = a6c06b6039958624ab8c59ec4399404d4242a5dbaac9cbd7206f080802e91d69db2f62ed514df90b4fba0a0d4c3e3f279d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = a5cc86b4da11d54449eb6d95f9e654e99ab6fb23b02e209bf9d20445165914b3ba4fe9e7d5c3f8a48d7435f519ebcba78d8ce0c72d0660b20750903854a9e7075b247253e6b76ce350179f6ef440331c7c521a58bf54ea5ebec57103c027369dce201309cd1c7c452e35b16ecbc85abaaec7bf3a501ad61ee3f55c9cbed4e6ccd0979825fbd1e16d11de7f3a36f05a8fbd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 07f8c2e98ad04bac66248b60f6b80ee41e9f2928120ee28bf0bd87386cf040b6c9f6d9b79cf59702360f1a09a3858d3ac76467fabe7abaa5898485460d75a0527dcd0bf6699327329065f7af83222be2a7361df61424644723850830dc0ba4775f187ca9aef8c0c1d3eb1be708287d09de	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 46e4759026d6e716b40b3da08c600698fbab04b737a6178d0664f894f5cd12ac9782e98938bd7184dc99c52c51a05c6c7c0910589a066134598e245ce2450cacf86022f521d4056da3199b43378e34fa877996ebd8b50fc08591b4001d2dab315061776d84fd6249b32d096980cb801abc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 04780dfc893d5076059692209c171debf6876340bc12bb6a97b7cc78f743b51bc53a36f1806f67874803148c328cd703cc383070e00efd68d79ff12ac0a7e1bae7a5a18f48a91b5d4ea0e46fffe17a0c941cef61c1840226494c911e398eba5df71dac5929b617af60c5dd31f97cb2346fe914ecd94fd4534e831aaa07d1a8cc5168db905cbd888b3e5bfd9891ea73f320	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = 458d59aae993744c37ca87f8da12004874fefa460b72720fc1cd2eb97521c89627e40172376879b3911d8c92c951e4ebbfbad29cde099b10978ccc0b20600bc5336ff70f9a3a830858074ca541614678ce8f51416fe79636287d64449fdab6c116205f20c52829acfea96109960a9f6c20	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\55b901aa = 8533552f772c982998fe6064686c24206cdba65ea9925b7e8d43e48fc364ec2def942d961f751180cc339b66ef2b54f59db1f88a43629cefde0e0ea7a01258bbb2dfc2186c3d6e8dd0cf3e60c2aac112dcf59fdd3ae3ef0824615ed9eb8319105d0bf6eb5bfea1448cdb03830f83c68d31c6a924033b04434536338606410db7ab6d2884dc130813b3fd4635226c1c2407	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\4af61a81 = e7c9c004dee266b98da7bd0adf15a0f6f2d2a4c203b712ff4c03d39297ca46059afedefe8b0d881522cf140cb5189b3031d0e3a9af6a58394e89d2db3134f2d67a53c664fa1a7fd487151750d019c6864b3baf58520be97cb5378c74f4c398ea537bfb48884bd69e0535d94a5d203a4716	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\accf63fc = 042d46ea7244e036ac8e528e63cbefd48ede3156fd5f91e42e0cdb00bed8517fbcc8edce73791fe6cb697025dd9048c6e9badfdad5c77c525bba70bd00987306553b4f8ebe95f8ce374489a8f82a02fb4e930d9572cc5ddd95044e6ca801bdd1c54aa7b542f8bb670a2af70835c9ca0c96	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pxyyafbvbydf\b38078d7 = 875a8338eb744f8ca490b620247c12d7b3a24de122cd0425568065ae58fa935d36df02f8ebc2a3e185aa984b7f260160d21a0b681d543ea1ec733a9f4c5725189a9ecaf60312210d2036525124f4b8becd	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	rundll32.exe
1972	rundll32.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe
4488	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeDebugPrivilege	460	whoami.exe
Token: SeSecurityPrivilege	4544	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 4488	1972	rundll32.exe	91
PID 1972 wrote to memory of 4488	1972	rundll32.exe	91
PID 1972 wrote to memory of 4488	1972	rundll32.exe	91
PID 1972 wrote to memory of 4488	1972	rundll32.exe	91
PID 1972 wrote to memory of 4488	1972	rundll32.exe	91
PID 4488 wrote to memory of 3152	4488	wermgr.exe	100
PID 4488 wrote to memory of 3152	4488	wermgr.exe	100
PID 4488 wrote to memory of 460	4488	wermgr.exe	102
PID 4488 wrote to memory of 460	4488	wermgr.exe	102
PID 4488 wrote to memory of 5112	4488	wermgr.exe	105
PID 4488 wrote to memory of 5112	4488	wermgr.exe	105
PID 4488 wrote to memory of 1636	4488	wermgr.exe	107
PID 4488 wrote to memory of 1636	4488	wermgr.exe	107

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\userapi.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\System32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3152
- - C:\Windows\System32\whoami.exe
    whoami /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:460
- - C:\Windows\System32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:5112
- - C:\Windows\System32\qwinsta.exe
    qwinsta
    3⤵
    PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:3708

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3968 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Domain Trust Discovery

T1482

Permission Groups Discovery

T1069

Domain Groups

T1069.002

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-8-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/4488-0-0x0000023D14CA0000-0x0000023D14CA2000-memory.dmp

Filesize
8KB

Download
memory/4488-1-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-7-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-10-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-9-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-19-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-20-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-21-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-22-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-23-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-24-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-28-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-32-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-37-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-38-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-39-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-42-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-43-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-44-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-47-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-49-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-50-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-51-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-52-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-53-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-54-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-55-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-58-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-57-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-63-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-64-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-65-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-66-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-69-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-70-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-71-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-72-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-75-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-76-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-77-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-78-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-81-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-82-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-83-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-84-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-87-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-88-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-89-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-90-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-91-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-94-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-95-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download
memory/4488-96-0x0000023D14C70000-0x0000023D14C9F000-memory.dmp

Filesize
188KB

Download