qakbot | 59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35

Analysis

max time kernel
1199s
max time network
1201s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
24-04-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

userapi.dll
Size

167KB
MD5

ce75519a7d251a187dbd7e72b53b093a
SHA1

fa103591148ab8478a84ce25db28ece2e678bd02
SHA256

59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35
SHA512

d40da7049f41ddb6b2e6bb751405385256fd9465101ebcf7af8441f8ffa4733df8528ea6312ca6c3d7e57b1365c4c472215865b978f17ccd11deb13b8bdbf5c8
SSDEEP

3072:GeWBsy+tW4we6Ygz5vEEFV6Q+S19N+sqoi7geA7y9utB5t:GeWBsRE/dYw5FMkj+sNiTA7ptB

Score

10^/10

qakbot tchk08 1710958492 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 53 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2416-1-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-7-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/4564-8-0x0000000180000000-0x000000018002F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-10-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-9-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-19-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-20-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-21-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-22-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-23-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-24-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-27-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-28-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-29-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-31-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-32-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-33-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-34-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-35-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-36-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-37-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-39-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-40-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-41-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-42-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-43-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-44-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-45-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-47-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-49-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-50-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-51-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-52-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-53-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-54-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-55-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-56-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-57-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-58-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-59-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-60-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-62-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-64-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-65-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-66-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-67-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-73-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-72-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-75-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-76-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-77-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-78-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5
behavioral4/memory/2416-79-0x000001B6A8370000-0x000001B6A839F000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4708 ipconfig.exe

pid	process
4708	ipconfig.exe

Modifies registry class 64 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = e70f72ed505690bd4dd550e03ceec55c6997251c6598cb62fce3edf67303d12902b01680595063d4cf3bfff5c06ed837a19d3f339ecc7dcd604883c6371d9b7bbf723e11c9c905d71a292373c0404f69b9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = 261d42f8bf3d67d16f0bef94261b7db9330a8e0c2703be3bd1401ebcb25ebabc86cccdad2e02f52977016d0c1e7cf48c9483dd1d294c13be612ad46db292eff5cb96991925bfd11cb4cb2c2931773b6254ab23de5be3a58a36b402b23dda99f125	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\8fcc9077 = 854bd7352e96d6d29b32f05eb31e94fd70a974854fb6eb5e03de8f6c0d923df53c61c6a43c4b7811a2b91d9abfd56fca82f98c7ceba31e8fb76f96237209dc489da0fc867676eb7b936c665f0f357e0626	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 845b154aecca8cd4864f572ca2a4996188128bc35e1182459842d878a8655477b4a4e7dc8280eb8ce31deac66844ed8a2a10f9906a52e8e594d09486792f388ce3854d2605e7ae2e110452c2e16d8d251f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = e7e1674c5e483bcc37ef0769123149c659d308a4ec394d5d561bda104a5c46380e42b172ece2aaed4244cbaff57097cc2cfef666c89d10da5740b16411240f170825158cfd53eaf26202a9e4278379fd5f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = e60fd7c58e707b8abc6e89ec6918b22347aa52e7afddf86d334786737af32e8d455977c49e8e16aed477a7ff0256c23868f17bd06c1b18591366514e6cb512dbc82283ae6e2ef25873954cdf950ca73838	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 45cd700143c9fa3bed5e9972a41ed2308a214f90c96a591ebae0c1128f57dfd0a93def87e8e72b10bb1597b7a191aba6c1806905a75c3c172eb2843377710c802493adfb6080b83f405bdc690f9c21091f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = 66f07c18108fd7dab105e8f2c666f9e9fbe5de79f046f0ce19653f8f51d9797479cd7499d1a7d95a0687ea39ed013a3b8053e9c49771b39d07b99c778ce36e526813bbee0cea34b2e7c7374a10bea2c478	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\8fcc9077 = 262494287696547db3f99593297496406341ce90b7e9e15c4d6fbda03641cb9288750379cfc82b8e89ea45c1f3aa6e33a7c5ddfce089782b0e74a6c72fde7cd6ecb8de5af2af6eeaaba2bf32e1120ca2ff	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\76baf221 = 6580d9fd1163e4d8763791a209bcf5009cbf145c44a88e4fb6593fb12901a138746c985a8ac86aa4ab03a0a60e1720a8e4b09d67151464deb497f64ccf33de8f1e41cc5e4dc875a7672d4d6509ec6fac8970079447fe143c2ec472fb2b65f3c7e8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = a441a5e08601c933cf93a41a67bd34c69e93ae50c87e32405aff1332f2b747668d1ab274608ec97f4661a5dca4aaa8d68ce73f618a38d9773883e556b21beb06839e2a254a4024f25f44944ba3951f79c3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = 2740eed8df985fa6731acd8fdc73dc4ee71b22586a66a8ffe570a12ee542d0bef0309d80ff845bc10bb789c54284e378a569d8a50f7f049155c67fda31827ae8ed54b20ca36e16ad788d3387afa63960ac	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 874c731b3d4ab9e0641d3696358902f7ce1b7d08752445b611b57d6f7676bdda1346cb162d8586e6f5235907768ffa41d0b12c1c3e06d6fa29079a460a9210e1149187887dd8f3ec5be0d290d3f439a353	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\8fcc9077 = 6647132345e6a903b3d3834562006cf1f9e0115d55695ad340c6524a312b92b0bbf4ac98e306265ff94e873f0bf60663c1052f3983c44f508039218340b6736c1f006e76c315db8d95bfcfe92f0e2ff6f5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = a7780bad1f4576b0ffe254bcd5cd2a66be269b95c0fb2ccf494118bf7d9613c1f0e511a10bf32cb839d92ff706da1b0123135afabf65f04f17bfe9e700dcd74302663aae356f9748c7446d896f1a078999c2d425f600b2c4c02bb4ac308190ec2f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = 275d337e1274bef9fa4ba24e04c52dbbd3ea950aa96813143b6a727a148db0ec3683003cb9040711f389f665004c064bc364193e2ec274517792d45568b6bed95e6154c2d1d33fbb11626c93e42095d14cefbfd766076206057f55588f8d66bfdc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = e7ff3126a2bf83385f07a8f9cdffa5d524f09d1465c49c7dc09b3fb73a21619c4c009b0d76af7432bf292438301b273ea7bf5b7c9f7abd955913193607c99ec4aa5d9821878692fb1949a624109339f9e7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = 66450641ac0f0685988a217c2d393b20a3054f0b21b488c4d8c3a211348fad4b4dc41e6d0bfea4bf16b98e76c3a9e7f2381e6edcd4e3865a316a2066dbf8918bbf577193034fc28c3aa4812774b9dbe6c5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\8fcc9077 = 84588524ffd74daf0a0a7dc08cd516156494a4172938b7d517ecce911ed184fcf0b257abde4a5c14384ee288f0f9376011cfe05fb8b76a4793cb066e8a3e99f439ff80c08476fa2e06c8c6261a5f1b0af2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\8fcc9077 = e45bda55ac9f6cb846dbaeb131809fc02f5798d15255acf617c47332623d57b93eab991193c292bb105311d7e22488aedb57f364998f100401b431f958ac86ecc43384d9bb4db96beabfcbfd75c2c5c354	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = a7222831095d4f419750f2635538c9d97a7c4627e0f36f0694080dd51d858e5f23978f2a48e1c8d9a786f56f6569ce3f4e892e1c890db0bd64a2a40663f82769f421c22acc6ac0a9365415428700875d20	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 851939bfd503a0d35b8121b6a31487b82a5feaa6b1747e062d1992414fa4c6334205f9e1d81cc98b9238744c127a4b54044ebdffab149de27f5ef57d9f424df0ed1a7d6b341499e47407cb1af83bef098c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 262e0436b7309150b34a867033a9631e7f8b59db8f53ed2686d75a4d21bc59ce3126dc13bdd4606dd5ebcb9a7c23ab87f996de84c15a2a8cbcc6a5604df8536381a40c57b8f87edaf62db1f0af52c0f318	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = 27867ee8d3f0a487760c41244229461b5849b4cc12aadcb3b6564f7c3f06d6fd2d19b26708ce9c896f44cbdb143defa0859bbbd0aab903f0cb93f95ae7b72612ecb8cc1faa6dc166c7b185ebbe3c4593ed	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = 6640dc05d3a4ee19c3dac79dcbe375ceffd137a34c1572cfb7a68339f2c9eac073b00e09194f0f1f3fb1f8c329c61cb5e2d1210b81c993c86468500a69ea6f90e6bd71bd9a2ec1f97d99a078aab3d63ff2db6927bb9ebe43cbe16741ff5920fdac	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\cc6eca8d = 25b9fdb34addfdf1afc3f0460ffec343edaa92388217703799e1a143d3ed9d46eb9501a6642b3acf2243fcee9974bc967e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = e732540ecf71b46bddc596b30c65849e928ceab4af461eb7cbd91a250e5bbce095598d2136e1d1b97301ba7cea28e85ff4466255331199dec94518398fb0be023fe76d777cf7ee29a7a0b15487f50f333caff17c3a5b914c7ea995d8f0a108faf5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = c56d3f17152639678fdfb5962daff9a65c8d141a6e0062cc8ab30f9fa1dc7d4fc9a0d50b43373d47eba1cff501877358cbf85d11e86856e040cbddcc0ca45940feb91c5ff6e83f513ef79d091a694085c40a653b31e0392ce18425856c5d63eb77	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = c4460aa92a33dab3e9f26f66bdbd9658c25e479352385d318fe4e93f9dc0643993d8c015f588733d5d4098d1b55d074d4afec4d93100c00f8bd35b0ed92b97ee9cb9598479e75041b2bbfa30d43813bcc3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\76baf221 = a5117bb46105f31867af175be4e62b18759b45119997a5130bdd735484b0f43d01a87d1f6baae224aeac7cc02b8556980531336e0eca6de76d832666b96bfea52833c2bf12177582f75c43a0a388d02ec70d69d67d87cba83c04ea2331bb518ac5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = c7532265b7daabcfd45731cb825aaa24f014fac8a221037c434499ea6efdb356e0d72e3b23a084b516b121f5d929cdb7d3b72a3a1f67f0b9c7f5bdad8cab18cfaf37d79066ff81d21c48ed3791ef8e3187	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\8fcc9077 = e4df00380a4829dd117ebb6bf9c2e66efa91540b1148b940856d6865f0a4062d48824d6c2179cc6744de4020ac41e6eea4ec7c3c6fe94ae81f3e1e1be434a962f6b009c3c41709f60885749301166d66d0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\76baf221 = 46cf920d7c7f098fd3194d87f8097bf9d3ae50a61536a8334d4b69ce1f1b7c544ee87a8ec5b4dfc2562f126a7892ee94dde045704f58584b102b6a481ea48b066bc490f0d26ebd422b6255b25b5176afa43f325658684907d1ada58ee5cd0fa00f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 47f6795b14375e6951ae6e68a894b2997aaeb40b63203f5d5387fad45785a528598e51a4e9a551dfdcf05166eae3829e82a84032b18055f8720b90d1b9821e1a17179bf6a23a0e0ffaae050899a0c776e6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = 66aa3cae7a1d68cc954d961f387405c84e1d17dad39b570251acb7307e3d9c0379dd5d201a75fb2efcc6a43930150910d7688ee6ee1516e3da3166a2ef74807ba98b1693d37dde405589f14ae41df77e531210c91b6e32c144325cf8b73ed0f126	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = 2708eda9210a34e069683da325d89fa0e624ee4b11dcf0dd7da3d8e59f3db0fe6b038ebb28b329f542bef188fa82306e5da175a9e9ee3a185c485002ea6efb823f7a5ccef48b0fb6013238d146337de3bc5872a8341c170903763db375fd0f5f26	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = e43952077d6d0a9b71a06fab1c4ff118ddfdb99c49872f38a3d55f88027be2cafa29b02f998637fa8bd19cdf8f4dc02856d8eacac7c90805f811b02f0b454bd08f0ec785b0b29bd6bff4384fe0a131b368	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\c4ca13 = e6b37b3174f4cb757731216101fa9c4c7118d47c8b37a7cdbcbeb9adfdabcbf7b49926a701bdc0f22b5609960d2b557d1d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 474ae64ae924947ae33baa36fa74e97a4c0e734fed4b05a7eccbac3675f8fbd46354381ca701958d7014e2ced999e62b2ab2a04a21a20de593a8f937f8fee23a6d16a5cde4334910bcfa29641ccfbdedee	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 45915a7a5aa6ab61eecabb53f3fa52977338949040c48bb698d3a7976a91e8c22dc011beadf712a20f2d355fd566786c0fcc6ece125dc66ee05eb8bbef56df9fee83b281bb49a9a6b1d549b94f7bd0f22a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = c6d1b3614e80da32e51154dce83b011dd328205c3ceaf33b86684c60325497cffa77efc2380d852cd760470b087ecaafdb930c3a959b1a40816ba9216822b78dc4b1fca985f39140088673506ee15c9b616a5ec91518ab6dbfb4dfadf41eec775e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = 847dc95032325e7a18f63cb72260943cf721c0c5de66b7a44a779ffb045de107fdbf50a87cb480a543062894ed281878d9000cf95ee1e3271949ac69c122c6c7fd30b5910d6b849b461b6346cfe80c9267abc6784dfad5cbc8850f5e4222e583c9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = 67134a5f2d9ff5a2af7bc1787aa2d4f8ca09c83ab605beef8e794243d28197777f038cb17916100f54aa1d8ccc6364a9ea5b3dff12b38b02014126ed17d576cef0113a6501a576fa8f1fecc315fc998dc3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = a4914e178f56090fa14212e1e0357c041752374213311fdfc4eaccebb0c6fdaaf529b087a8d99779f3e55dacf185145089caa3f3225a02fbc10f86f72e1a98f0ccaaa36d5d28698bd36005b8073238d597c9cbf68551a4a9d820451f5e1717b672	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = e6b66a8d6a448442e06b5c4ae14ddf532a7db4538e446b0a7aa86e378f1b704df808ab1aae5aab5a9113167660cf34ee718304fd5bf1945f0e671f1746632cc3afc474c55a134ce54511048699b27a87cd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 449d5662bcdba4111ec4f1560c6bb04027d19e6eab06686a50b4c2fbb649e92c18ea7be6fb844a3d718be30868eeeecb89338251daa1c1910b4d2d40c373dfe3f506d28fc5b0e8941722b61012d8d63b0c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 46592e9c1a78cfc9310cea4e1c61362eea41d29f91160c04c50d05cfd60ba84ae4670ddf0b2c0097639558f02d849e6229a2c7705c2200795f18e57dbf3bc50cd6d67a62a4d21c22866e3ac133cbe73c5d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = a71f50a7bf3e898177aae07b67b8873e070b70b59e36cac27ff955fee3d19f9bb9da3aef9f545155e3565851cb02c9fd1cbbeaa94c7d145b2f40f5338a28173a165169e471d1cb9ff0edb88563c342be3d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = 455c9a1befecd969858b10b5f151def1114774994dd51f81dd33eb18c566dde195ce517afeefa546026383eb2947ed869eaf9e36489bfad12ae429dbdd2dd1207b1b37d0ebf969077c1c3f627044cd9dd903f6e5f03ecffcef9b7240a1a8416628	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = a6175a4472b7e4ec985e166d45d8c2a6ca524a37631b84ff921e08bd26a5aa955b2e0b400862576f2e69d92c79c5a43cd6324dc3abc84fb28ac56b81faddbe81659741532ce0301a4defab9b597037b8ba	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = 2526ea096d0c04b42ec2814646a7270ad049dcba9425f4a08febd1978d91951f68c74994be56f3d37b0c0f7c958fedf158ed63a37a102668f44d9c43afee4c8eb15d5a0fb230595e89213cec0ae1fb11c7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = 24f195e5f4de282037fd45f0b05510344b54c101ab6c0655baae80679801ff2ff6ac7879157a8db61e91c108b7754526dc31db943d97c47de17519620ec0dfaa2f2944a74327dc6cc6b80a4f5449b198470321877d9cb7a8dfc12275233c7d3ad1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = 6649e605fa11257fb42d81e93a026c2b5dc3afc6f8af1cb73cbeda036719e4513c2a0c686420209ac6339df5dc23916cd326bd674bbf3b2187e2598cb93c91869b05ce14f26342cbe4598de92a2c0741a0b11772c8160247adb357930b8dc783ec	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = e4f9665e999c3abef22e5e8b8ff84ef324853f03b1e40fd03fc44b33c65e3b632b54e20ae11ccc8fb96c2d9e90bcad0005987f73e201f9c60e9d8cc807cd151950a4e91db87527a11a71f4cd834b55b7723814db32742399bf9d7f03fe95c39ec6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = c588b94f3b8f76ca2d252c999aa6a0569f55a959a6c97dc677fd95a1d0aa8cd41e81c569f9f4f0103f0e212ffadeaee4f746667b314ebc5cccd53b06c9f20b4533043f783c001309e89246bff0805502a221fb959f53a09b4b90f4d8f806ef8cda	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\8fcc9077 = 6426bd65bed0ee449b585c13cdb980814f0527cb02dc7d9afda78f504a1d6a60dd8629aed17ff78510ba84e84fc0680940e60525652d593b0d138f7304a95bca3cc4d0c1113629abb812929b235a1be59d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\90838b5c = e5d1d9467b5036c9df2269f82463238d2e5f738e56e681784cb655b143c07b2907231d77481d681cfbc41021e8cd83454f33b645714e80679f30d8ae9c652068a90a4a4f8e7162b3eb3c36156ea7e62a9c124d330a15721ade08114eeb9006ae66	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\76baf221 = 64974979cd708aced8e942943946a58760ac4d2aaddcd384e197a2c8ffd222c571694d4ebddb346cbb096742bbc31d02a746a4b042ef22548f7f3c6441f8d606fb5acba24616865337f6565409e7ba0869850d7e8ce70028376cbe2b8555141cde	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\76baf221 = 8463311b0720002ac7a2fb424bebe3bdbc3291f60b9cf376d3941ee4df45b0e4745de191a0f6419f201a9a390d62edaa9e5c3b91b3f05f8902c8dd14b9c3fc5bb1f5e37b3512060ca838ca4578b6c48c024c0da3fa160958c84fdd336f65a75e0c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 2687394c9afafcc81fea471ed28827a3e263d1294ee623af6e77dce7e5a2f6698e78a11522845e2604b7a28c6d782fb902a95ffab051c26207ac832e2ca3300a4686b175c57c4a24a2d6f0ed76e4c633fd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 2610b64fa88888b14d917837eb651b326483fd152d0eaaabc78bb7e85f4ce05042ac27df957e4d940c4f3488c3a505ef190fbc12a4c7925e19b4ea7b498d42ad0a67bc7943039a06b4810b4ae1b617233a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\e77aeee9 = 67a61c8a27593e4e0790cd81bb02154a6695c802a2febd32fba88095c84402845f410aff37f3c170d819d3b4cc98d8c8e7c5147fe4eaab377af3211f4459181da22ec6cd36c5e13c9652f2c11933e9a8d4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\69f5e90a = 460cac8145b1609e852089af0d11e68d567a8675db529b1390df1fb4774be16a473cbd5d01b64df55de85779ae8a8215f8b9073c398c879a5d28f64ae7f1ddf008740d427386bbf5e6a3b19908ff801ae1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\twmxqiakh\8fcc9077 = 26df4ae3fcffd3b94ae82d4bf74e712930f5c3dde948a143f1c4c0ec127de4c112e47cfcfd773bf52fa0f2f2111d6c232475e4e9ffc117196b1121347aa7d9b238fc7adea292d64b1befff1d54ddcbaae4	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
4564	rundll32.exe
4564	rundll32.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe
2416	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

whoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeDebugPrivilege	5008	whoami.exe
Token: SeSecurityPrivilege	3292	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exewermgr.exe

description	pid	process	target process
PID 4564 wrote to memory of 2416	4564	rundll32.exe	wermgr.exe
PID 4564 wrote to memory of 2416	4564	rundll32.exe	wermgr.exe
PID 4564 wrote to memory of 2416	4564	rundll32.exe	wermgr.exe
PID 4564 wrote to memory of 2416	4564	rundll32.exe	wermgr.exe
PID 4564 wrote to memory of 2416	4564	rundll32.exe	wermgr.exe
PID 2416 wrote to memory of 4708	2416	wermgr.exe	ipconfig.exe
PID 2416 wrote to memory of 4708	2416	wermgr.exe	ipconfig.exe
PID 2416 wrote to memory of 5008	2416	wermgr.exe	whoami.exe
PID 2416 wrote to memory of 5008	2416	wermgr.exe	whoami.exe
PID 2416 wrote to memory of 2216	2416	wermgr.exe	nltest.exe
PID 2416 wrote to memory of 2216	2416	wermgr.exe	nltest.exe
PID 2416 wrote to memory of 2496	2416	wermgr.exe	qwinsta.exe
PID 2416 wrote to memory of 2496	2416	wermgr.exe	qwinsta.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\userapi.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\System32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:4708

C:\Windows\System32\whoami.exe
whoami /all
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\System32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:2216

C:\Windows\System32\qwinsta.exe
qwinsta
3⤵
PID:2496

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2416-0-0x000001B6A83A0000-0x000001B6A83A2000-memory.dmp

Filesize
8KB

Download
memory/2416-1-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-7-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-10-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-9-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-19-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-20-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-21-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-22-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-23-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-24-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-27-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-28-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-29-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-31-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-32-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-33-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-34-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-35-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-36-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-37-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-39-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-40-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-41-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-42-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-43-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-44-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-45-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-47-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-49-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-50-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-51-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-52-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-53-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-54-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-55-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-56-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-57-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-58-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-59-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-60-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-62-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-64-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-65-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-66-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-67-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-73-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-72-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-75-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-76-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-77-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-78-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/2416-79-0x000001B6A8370000-0x000001B6A839F000-memory.dmp

Filesize
188KB

Download
memory/4564-8-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download