qakbot | d832c8f49706ff93871a111be8fb280caedbad5b368f801dd720c7786f872e86

Analysis

max time kernel
1199s
max time network
1201s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Run-Malware-1.bat
Size

64B
MD5

4a5c0851841d5f1927ba79b7307a77f8
SHA1

624765f7ddb16d57ba10b053d06c720d304c484a
SHA256

0e4e4ad7098ea7deb02d5ffaa3e08c89e44fa7083caef8e7ddcf13fada1e2f9d
SHA512

64773939e5545c896a82fbe1629e7eaa5592b1b99e28aacc28666f073b48c743376dd3a1be6d9cba70f9bf19cff72e5c77869def524bde4bf050c593d9ef3016

Score

10^/10

qakbot tchk08 1710958492 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 54 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2152-2-0x00000251B6C80000-0x00000251B6CAD000-memory.dmp	family_qakbot_v5
behavioral2/memory/2152-1-0x00000251B6CB0000-0x00000251B6CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/2152-6-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2152-7-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2152-8-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2152-9-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2152-11-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-13-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/2152-10-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2152-19-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2152-20-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-21-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-23-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/2152-22-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-24-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-33-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-35-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-34-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-36-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-37-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-38-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-45-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-47-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-48-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-54-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-55-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-57-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-58-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-63-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-64-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-66-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-67-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-69-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-70-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-71-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-77-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-78-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-79-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-80-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-83-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-84-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-85-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-86-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-89-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-90-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-91-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-92-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-95-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-96-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-97-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-98-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-101-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-102-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4280-103-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3480 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2856 ipconfig.exe

pid	process
3480	timeout.exe

pid	process
2856	ipconfig.exe

Modifies registry class 64 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\b09ca708 = 6471bdc883399a911c9b5e7bb8d3198494f815036f2e03a4f5e4b4e6ddc7d7ced6b60ea9420ff889579632ace509ad82d8e7b50d2de2207ce5fb1f35cf0fd23a3ced23bc257450816aef1758e75ce223c73241483478ac6f8e2a6a7bd6eef1b1a2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = e73051c3c4fb3e3112db03d880f0e9af4f31e19572f4ec4fe17f5e44f924c79dfc42db6704098ce4b3c044890066de1be38d1916436d1af71448d42f1f9e0931d2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = a60c2f878fc5b86b8ab1b3fc4bc68fadb47e2c2092d1aab558dca0ad0a8a22e9a4b8a385d918e1f2983f1febe795a9e21c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 84c4b10a5df08b030ea0ee122673b2dcb277d078662409217b31d96e96332a623ba4efd685d81c3decf1d50fb5f3632837132e8cb56dc9e6b79b41c8e6c51a39255e8781a759ffe61ff96a8f375fbf0ba8517378e6de6bcb1a82328f12782d2bd3295d10057b60082c5390e19af4b4a7df0a48d5c3e6a83c42d81c59d4c705997b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = 04fee5dac7571bdcc797511da51c3a272c10fce36a20ffbc5d219096b6043e5f5618061588451a1fe128047d2fe50a62ce24279612b08ed3c24aadbb5b2a78de4e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\56a5de75 = 84f0d962a18bf8f546065f770ed16028fb5dec7a8dc26430c03890f161260ab9fa	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = c70b710ef27595a9507a52f61228f0f949fea68b25997bd598fba65b4824b569f226f333b36242bf99d549deb9d0c77795	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = e54aeb4f1944c8fd7c03ea9ca5d8f2870e5bc290064d6440deccf237722850af0d269ac2933a04ad5302e0b73542d953cc620cc064650639e45526c8bdb5c2e4b744eb60b3ea7094a951a34d3eec2df5b08a6e301d37e9702b94dfaaf2ee6bf59248a0b3c443632603e83eddc7383414a3c2a50cb69148bcc8717887af41d26177	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = a5ba39b05268141e15c64e75a9b3e127a0f20af1000eb25d52bc95e87e53ef94156c39c14c05cd997e4f51935ba1c4872d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\b09ca708 = c65b9d6b3f299602acc5bb449c5058094539ca1356e3cfc3d1c2634179902b352fc088fc56dd11ff2794ea2430ebdb1296b71d4300b8a654e9d52a48638593eaae3c7175f44c579a4bd11736b86c3adba7dbf15947a645e7932063e62f57260370	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\56a5de75 = c7d8e8bcaf4c47b49e1b6ba63988b4f0655204dbdaa357d37a18986904ee79e2ee	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = c51c1a664d7363fad35f0cf2fdbdf1506c00c3324a0cd752cc4cfe7e7d7ba9cdab43be95f44cad4b57b8961f6dcb1c65b3bb44ba1a07963d54b6370e0802bd5dd31225fa5b26d924e1a03e9857d92f2dfdbb17c350b09c450a18dc489c63df2cff4f26f13557c809389df3c1f9b0724542310f360dfd8a49e05ac770acb252dc3c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 079e87b9c8b3af2ec9227f885ba7219e0fb3645687f1c80e1c6e6078b477a857041bd030ba6c037f932e59789f5f787e818c16f009c68e299368589104eb4cf631158d8c48ba5c1481bb5576d3d60d40b53c02b3a29d327b01669ac70b04f661d12815a1cd89e013b53361fcadd4eaa8c1ca900ab9bc992a2162c72e5d746b2867	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = 07200b9e0c63dad9ee2848b504c6b007ea352dc7891e7dd04933e155206290b3f55a83c851b9b898d95d2db601b50db918640fe7939d16c646a0dfaeea18013477	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\b09ca708 = 07535dd67ae8b9331ac8491975c62a984c40eafee15e4a30627457e64141695dd8abc458ac8a1a12a4f7ae82806369750884c2a9242e9de6d2d5bb44127d2e0babfa0b0ecb0461c514faf4edc5ace944d34ee7b3b1ba892565d4cae7f4f43f8331	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = e4c838748cd784c1b1c8c4c98eedbd2e5c73d971e35343a5d692510b946acd318b733a9c0f13bc659b1f1ba19e4d9aa84a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 642b982add6a2a8c29970b38e5a9a2045ca0019cefb6ad636c1bd302d4d0cbbc1a6821fb35d96b76ec85a67102c55face4fd7f7f3e4dc5c6627f3452391b7543f5460d860dcbbcb5cdcd328d22cacca6e681da8d34fc5ce2d58a8a7f1c9f3b92c84c48d7d690dbf9e78e1c2454a1339203493ebe8f866764774e25f10ec6298961	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\56a5de75 = c7c5863b33bdfd12c9217b759ba8ce484ae65a92e78b99144ca735a8e521ecb8e3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\56a5de75 = e614b05eef54869c6315e480f96dd717aac4f9161551553460bad629a901b2733b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = e7ccf7f36b92478719493ee2f89e126a915cf351bb82eecd9065f9eadb88251eb99fabf40b585270bdbd1002c59aac785a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = 66b0440470f3e9eae8d28eeff418c0d02a73fd4a04a4b43344dddf50a0e417cbfd21330bfa1cf3cdb9ad391777483ef7a0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 048c399242472910d8883a123ea9c8a96e957c36b1e802ed75344d29c3af76fd1963e49bc4190c1a6b66d6c4d1d0e49fd6717a7b81a459cc3b21af781093d988b2b974d8ef6f7b13ca5ccec802696e74b9d3e0593d0bdbda96ba03a536f2a0f1d573500977abb712485a9f6f7cc359066d9ee5346305f75584973459862b2a5af8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = 460fd0c38f7565743be7c3f2354612ff30644b8b2381aec867c11928ecffc286b618192f8e13109b1481e3bd073f8f10156db43576e8dee3a4d88f678497cb5e26	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = c6270bc19dbff18ae2c617f958078b8c259fc8bf045b06d31c3bef4a32f29855b046d3d2ad6da855abd0cc4ad079e6a2d4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 66f171e5603d0f3a8d3cdead8eba457dc7d6c44eb0c350d67f6d30a99a8bf3da549cc938fbcce5d100a0c8760a98b55b25ba77cee5f6624ff2752ed8266be8e5d16135a480ff4e257f8be0cc84fe730c9b316221b5a5e8d43eedefd95563ce9f8798591772074a33c6fd3018fb52a825c9c8b9b2f1b99480afe6efcfdc1c6ad911	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\56a5de75 = a4abb5803bb3c5d35f3f438c354c7fc9677f09f0ae6d536e11dd863da3f6435030	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\b09ca708 = e56d8d3c667bbf0a8bc674ec3a2f54765ad6c228695e7be7d68c71918a4080c907547bac62e14e924fa2dd6ee765bce0b4a1385858c35a44f74eca28e424ef6b5679c23176c1640823688524c0c0917b2873820bcbecb4ea8f8f3852caa30d37b7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = 6626929031e443dd9413742bd7b3d9868b1b433c0a8339671b6ccc10ba1d39321d98e44d9d2ce2965fbc80f77e760bc4b86e993ca3526e3d48ec1fd3c857b3e994	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = 86e024c7876124c86b53e3d44667ecfee882de774b1f33bdc31f36e0b2ffdb9f764db7b4e9d399e62bf58358f36fc08838bf25d2a31dad6da438cc759402291366	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = 8569142584f2ca42ace4f99d9f2d3045b5cb6a840db601b958006e99b5f062a9bf59f80b9e4757a1073c2ce46d7acaa07b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = a592b3fbb92f38d941c80cc7b1c254f2018d039ecda006b79a8aa9c4b5a8c0addc4ffd4331253378172a2f1bb39f245eec	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = a7ca7df533d64c5a932a8fc30e9dda724f87d1a3891fb57b071e58bbda4d0c608dffcc9a16736faf6d5a3e9e5567bf9e07	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = a5ae94449265ad7366a3761944ca2ac4bde8f0fa0d16913dddc60f36c9cad3e037a620beb28a1964a45ae7b9507db6a22b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 662d1c95cd0b9ac479085a9d2d7ecfb9478ae2e815f42d17d57e85c954c662fa408ecad8f8a6713ff0acdc55e1868060c83128dafa697437e7d7fa7f36fc8678c9de6721f26b16754d86e1307f48c893a998f3fb0715ef5bbab492c951e93dfb82230b0db376fbc43629f29095f3d328574dbebfc856e705cc9c42590ac6c8cbee	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = 25477cb899f8521fd3c20ab5530638a4aa717fffa23fb64f0ce73e2d01b8d0af1aefae20e19cc7264312c11670f9ec0d33	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = 66f5c2b767c80a4f94747e8f275c81c13a48ad62d76bd7ca771d1ee482bf25215a179c2fa7af52a52008261d21567879a2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\b09ca708 = 270d2976e8170862645d1f1d83d626350c7c8802c70bf92d843e9cf2d87ce39de26a01da7ad59b2d6c403b456bbf7365ec9e4be7ae61ab4ec97e021f6713d46ba04298c128b4e8f960becd6f2f9c466fa15441318861ee671bd5c8c9ecc4423677	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = 6716cf26a81613768bec870c362cf2d4eb789b17bfbb14f855e4133b8ad5d4246498c14dcea72c75f45e910e1677253b5746543c388787037055f688066c04e4f9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = 66556823bcdc2eb0cf9969de7278150af8e94e550a317c14b211c0c9c09d09e093539bdb05f4825adbbb8d4f5b9b606d3b677c15aee54afe21dc9be17dae9d9027	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 46fe8cf6b723427849d72921a6052f4f32b843c4e5034078307dfc7f44daaa2037bd381b51968ee9a6a5e02523f719ca35382fd4c6098433761cf5d22b5cef9f1e31b825dad9eaf0857127f3e80406975e1ebc5361254c2e85468126b8ed79f74086578fafca0d56f63b555ec900860e59340d71fcd1c8a0c3558e120db87f90a7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = 665faf8e7a0870f322e8499a848b9aabe2bcf25f53f3650c5ab18330d7969fd6aaca41c7712222a377f5fbe388f9263020	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = 26a4995fe492ffb1fc9a96d81daaab0b30ad2cc82940a4e6828d289ad24b52eb5a6ed8f20ba7a6343850cef29bfa37f20a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\56a5de75 = 864962b7d879e24e8ff8390724dcace8711895ad234309824edbaf39d41c932d62	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = 446353b060a01388f78261abb723af81a025e3218d91cd6e4e578660fe1ad2d2a208305f3762d05c154727fa4e91e4bec1df32a20eca40743d7f4fda605f3954d1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = 669da7041dfd1a8993348db34f04e51cc44d94a885b5e7b96fc06b41c9bff8a1bb15656168390791e4f8ec48866ed2f05e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = c418210e7e5c13737cb7d47071ef763d8458ac7b7ad9cdc525eb327dda4caa36a3bd5140f9b6ce1f97e5a7811f5231fa0c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\b09ca708 = 8524ab10f9a39024dfee9b7c18379bbe09aa1063f0c0089625369ce1a427cb1e9c85434ae93e1f11bbad4eabd3bfff309be23865c0ca047a571fb9d09d7e201aefe63ac59643452ab151b1c78b9a903312855b34e36bbaf5bbf550a30eff9255ab	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\b09ca708 = 45faaa1c634765c8164aa5e6091e522eb594631c9b7b94c10d0bc2620232f227572000fc003efc4fe009cf9858cca7214df38b0230ff97a8ec21eb3a54ca5938a20776ba9e0e6c8877e413eba185b460300b4e52ced2b0fcabd0bbb97bac626aff	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 25ae93fc50cb134f0665b051eeef13c99c70033f14b1eb1fe35f68d85f36b5d9ac00f83cb3e560e6d4e0b0ed077ce5e8d1a47ea5041f28061f17b9b05e646672ae05fe4f5dffa50b2e12e8ccbdf9d21ae4e427cd3a69de96a424e49bbf813c0557cc0f8e9d885a2a2165c6c9e1cc9e500b3b9e0132dd7a68622bf1e548969b754e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 64995fae1b5a01437ad5b3ac733783c125d7d79fc339199b07a27f24b4858e596b01cb4d4e0f6365b0781a30bea6b37749f309b81e508c39b8d58418ca091bb09d8394096cee550cd50aa6f0eb681d682bab54ff7c37c40daa989e3d7a3dddf424f07ca613fa32608244f14461ed7f9a0367dbd49e9cf4c42b18e457ab56e7c17c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\b09ca708 = 659a594c1aa9565be055ce92d44800904a4c24a58876dc95a87d232d05a926810714e96f616d8891fde9f93b2cc62e60ee77fd06d41fd56912b538f048e9a36585eaa7d0047cd9ed16fb8decb808f1a773f6c1e58bb6cb03ee7d0952731d8ebe38	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = e6dc246d6bac5a9f0ecdf48e1d60bd292baf1a039d3d82cd25237e97d54dc109cee8b3fd397a74dab08531ce9f44c11aeb727188596304a7328e60c34cbfee6cf4ed5dedd9259cbb4d1059d4f2254a8313b9e90d1952a78a631c6c235039408bd1814bf8136fb29d893cd7a4d36a0f5ba1fef9b4a2d6b8dda28f7611bf0f830a49	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\d9ad8411 = a6e6cf0b2d519ba4c3016c1209b1898391ea4f3aaf7a8576d60a0f60dc85ac6609071e6565de7067404316605a891d3463f479ee2dd30e059671961225e973fe4eb2c746adf980d4bf9e450f5b3f1f9bc1177feb9dab3943023ca83859ed7cad4a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = c758a79b72cccea639188af908de106d090afba6941cc51f64c977db2c737106f2a5269e861d94132e7a961181230e3d60bf7ed7b0f4a3cbfa4785d930ec763dd6d3f937c8f9f4200a36cd947f2442533838b4b31ba91ebbe1007027b7ea0748986be1b7599c682d04bdf53aabcbac4834983cec52fff5617866efd80d1e6e3b17	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 66ace6efa0cbb5572cf254935021dec353c2469a78dfd90dbc47529cdfc397e9522fc5a00be0064a1bbf61e612e94ff633ac23468b33ef27d70c03597ff9b55041a25d976325a4e3bf7faa830b3c048036eb16c5bcdba3bcd02045d3726079c0bf8c581048dcccae9cff23a08501641db5e189dcff70f99a24945478bb44409b1c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\56a5de75 = 05c98b23ee6b10b172043b2cc49a34f8907bd403366bd76d181275f926fec5673f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = e52fa32623a639fdc21365c407b5d7f4098d6ef3b3d636a1982378cef97c16dfed0d4fc88cdd96ce25a48ff425d22b9269ba1102e89d3b83005f0c56e836524cda	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 67e069651d228e6f47afce66605ebd3a6f5290dac1b127423d99a5261aa145dc0fd5a1f0aae55ea4baf17a12839ace3b3b432d41af189c8797aef8bf0ca2f89f7a7e6f867d4f9df90d797a15d82d52f947000a1d007357c58b320145022bb095c92de8c8c3ae9cf1860b2859b8c64ecff11b59de17d8c8e7058a9942d337c1e7cc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = 47303abef01c67bd8a056bfde7900ed94f80394168098fdc2e2ef90721b5ba8456c5892841bc3dab8795233765a6ded28dbb985f7b9fee37aa9a34dae3ab1cff11664b1f34676ea76d72bbdb447774dc754681203a379749da71d1bb9f90cc373b0876e9aff1c1cb13d957b1845d01caef98c10a9685db80a6e690be9bea423d93	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\49eac55e = a628eb8274cd19bb55c0caecf276df0eebdfc7d72e43e1f6d4d8a2c492855744ede45a121953c118932da04e7bf7c7f5e59b1fa1e857f9d1beb9df494dc2844bf21a841e3cd05b9263c9b898880739e05f660583499cc539066be6a6434e6c49d61469590f552226dd0d4fc219079b8e19b741dab934c983499a68fef04ea7498f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = 064e62f8bba63869dc55abacd618636daf256cda42d630f54635f126a0752e7b3bdb089aad184840a57092fcf8f88be0232adc4111e66c7d0c74b733ed528acbb0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\afd3bc23 = 862ba0d90b1ff9d071384e0c4e7d87e20be8c7f0bccb68886eaad5614595684b6bb1e77132305de2646b7944d6b6832aa4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\56a5de75 = 247660086b01aa6128cbc44166062a0373ff63f72bcf4d935189efadfcc0706468	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\psghaeljueblxi\3e13a0eb = c788436204207ed08ec7627fd3b1b9c6931c9059d935945a993e478ddfdd27e921e7f8e87487482c1792b805adbf56c0d82edcdcc228f7867c4d3f92b9ac7b8035	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
2152	rundll32.exe
2152	rundll32.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe
4280	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

whoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeDebugPrivilege	2464	whoami.exe
Token: SeSecurityPrivilege	1468	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exerundll32.exewermgr.exe

description	pid	process	target process
PID 3708 wrote to memory of 2152	3708	cmd.exe	rundll32.exe
PID 3708 wrote to memory of 2152	3708	cmd.exe	rundll32.exe
PID 2152 wrote to memory of 4280	2152	rundll32.exe	wermgr.exe
PID 2152 wrote to memory of 4280	2152	rundll32.exe	wermgr.exe
PID 2152 wrote to memory of 4280	2152	rundll32.exe	wermgr.exe
PID 2152 wrote to memory of 4280	2152	rundll32.exe	wermgr.exe
PID 2152 wrote to memory of 4280	2152	rundll32.exe	wermgr.exe
PID 3708 wrote to memory of 3480	3708	cmd.exe	timeout.exe
PID 3708 wrote to memory of 3480	3708	cmd.exe	timeout.exe
PID 3708 wrote to memory of 4720	3708	cmd.exe	qd_x86.exe
PID 3708 wrote to memory of 4720	3708	cmd.exe	qd_x86.exe
PID 3708 wrote to memory of 4720	3708	cmd.exe	qd_x86.exe
PID 4280 wrote to memory of 2856	4280	wermgr.exe	ipconfig.exe
PID 4280 wrote to memory of 2856	4280	wermgr.exe	ipconfig.exe
PID 4280 wrote to memory of 2464	4280	wermgr.exe	whoami.exe
PID 4280 wrote to memory of 2464	4280	wermgr.exe	whoami.exe
PID 4280 wrote to memory of 1176	4280	wermgr.exe	nltest.exe
PID 4280 wrote to memory of 1176	4280	wermgr.exe	nltest.exe
PID 4280 wrote to memory of 2124	4280	wermgr.exe	qwinsta.exe
PID 4280 wrote to memory of 2124	4280	wermgr.exe	qwinsta.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-Malware-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\rundll32.exe
rundll32.exe 02.dll,checkit
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\System32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:2856

C:\Windows\System32\whoami.exe
whoami /all
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\nltest.exe
nltest /domain_trusts /all_trusts
4⤵
PID:1176

C:\Windows\System32\qwinsta.exe
qwinsta
4⤵
PID:2124

C:\Windows\system32\timeout.exe
timeout /t 10
2⤵
- Delays execution with timeout.exe
PID:3480

C:\Users\Admin\AppData\Local\Temp\qd_x86.exe
qd_x86.exe -i
2⤵
PID:4720

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2152-9-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp

Filesize
188KB

Download
memory/2152-1-0x00000251B6CB0000-0x00000251B6CDF000-memory.dmp

Filesize
188KB

Download
memory/2152-6-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp

Filesize
188KB

Download
memory/2152-7-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp

Filesize
188KB

Download
memory/2152-8-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp

Filesize
188KB

Download
memory/2152-22-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp

Filesize
188KB

Download
memory/2152-11-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp

Filesize
188KB

Download
memory/2152-2-0x00000251B6C80000-0x00000251B6CAD000-memory.dmp

Filesize
180KB

Download
memory/2152-0-0x00000251B6C80000-0x00000251B6CAD000-memory.dmp

Filesize
180KB

Download
memory/2152-10-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp

Filesize
188KB

Download
memory/2152-19-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp

Filesize
188KB

Download
memory/2152-20-0x00000251B6CE0000-0x00000251B6D0F000-memory.dmp

Filesize
188KB

Download
memory/4280-57-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-67-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-21-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-24-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-33-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-35-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-34-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-36-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-37-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-38-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-45-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-47-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-48-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-54-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-55-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-13-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-58-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-63-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-64-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-12-0x00000284B0CE0000-0x00000284B0CE2000-memory.dmp

Filesize
8KB

Download
memory/4280-66-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-23-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-69-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-70-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-71-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-77-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-78-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-79-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-80-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-83-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-84-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-85-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-86-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-89-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-90-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-91-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-92-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-95-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-96-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-97-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-98-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-101-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-102-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download
memory/4280-103-0x00000284B0CB0000-0x00000284B0CDF000-memory.dmp

Filesize
188KB

Download