qakbot | 9c4807666747c9befea4427e5b9791193fdb105d53400639e8cc401d92463be2

Resubmissions

01-11-2021 12:31

211101-pp5r3ahha4 10

31-10-2021 09:03

211031-k1bwxacfaq 10

14-10-2021 01:44

211014-b6aflafeg4 10

Analysis

max time kernel
598s
max time network
611s
platform
windows11_x64
resource
win11
submitted
01-11-2021 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll
Size

1.0MB
MD5

10c150a949585ba3603cce27707331f0
SHA1

9eeb1747902951835245545b7b3b1e6408c708c2
SHA256

260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840
SHA512

668ea267488635b88ef6a929501f8f6b34a02ccb2fa01a311caf89f5c683f0dd6877d8714ddf8b6b24e7a447c40f2cf5c42698638a52ff7b27e6c47ce4f4578b

Score

10^/10

qakbot tr 1633334141 banker persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

Campaign

1633334141

75.75.179.226:443

185.250.148.74:443

122.11.220.212:2222

120.150.218.241:995

103.148.120.144:443

140.82.49.12:443

40.131.140.155:995

206.47.134.234:2222

73.230.205.91:443

190.198.206.189:2222

103.157.122.198:995

81.250.153.227:2222

167.248.100.227:443

96.57.188.174:2078

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

136.232.34.70:443

68.186.192.69:443

167.248.111.245:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4056 schtasks.exe

pid	process
4056	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

WaaSMedicAgent.exesvchost.exeWaaSMedicAgent.exeWaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

920 rundll32.exe
920 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

920 rundll32.exe

pid	process
920	rundll32.exe
920	rundll32.exe

pid	process
920	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	1872	svchost.exe
Token: SeCreatePagefilePrivilege	1872	svchost.exe
Token: SeShutdownPrivilege	1872	svchost.exe
Token: SeCreatePagefilePrivilege	1872	svchost.exe
Token: SeShutdownPrivilege	1872	svchost.exe
Token: SeCreatePagefilePrivilege	1872	svchost.exe
Token: SeShutdownPrivilege	2564	svchost.exe
Token: SeCreatePagefilePrivilege	2564	svchost.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe
Token: SeSecurityPrivilege	2284	TiWorker.exe
Token: SeBackupPrivilege	2284	TiWorker.exe
Token: SeRestorePrivilege	2284	TiWorker.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exesvchost.exerundll32.exeexplorer.exe

description	pid	process	target process
PID 2212 wrote to memory of 920	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 920	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 920	2212	rundll32.exe	rundll32.exe
PID 2564 wrote to memory of 1244	2564	svchost.exe	MoUsoCoreWorker.exe
PID 2564 wrote to memory of 1244	2564	svchost.exe	MoUsoCoreWorker.exe
PID 920 wrote to memory of 4032	920	rundll32.exe	explorer.exe
PID 920 wrote to memory of 4032	920	rundll32.exe	explorer.exe
PID 920 wrote to memory of 4032	920	rundll32.exe	explorer.exe
PID 920 wrote to memory of 4032	920	rundll32.exe	explorer.exe
PID 920 wrote to memory of 4032	920	rundll32.exe	explorer.exe
PID 4032 wrote to memory of 4056	4032	explorer.exe	schtasks.exe
PID 4032 wrote to memory of 4056	4032	explorer.exe	schtasks.exe
PID 4032 wrote to memory of 4056	4032	explorer.exe	schtasks.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ewvwcyddvg /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll\"" /SC ONCE /Z /ST 07:54 /ET 08:06
4⤵
- Creates scheduled task(s)
PID:4056

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d24bb2d71bcbb36c2a75cc2dfbe6920d zpztTPQJb0KSdWS/IXZ/5g.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
2⤵
PID:1244

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d24bb2d71bcbb36c2a75cc2dfbe6920d zpztTPQJb0KSdWS/IXZ/5g.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:2604

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d24bb2d71bcbb36c2a75cc2dfbe6920d zpztTPQJb0KSdWS/IXZ/5g.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:3416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/920-152-0x0000000074A70000-0x0000000074A91000-memory.dmp

Filesize
132KB

Download
memory/920-154-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/920-153-0x0000000074A70000-0x000000007547C000-memory.dmp

Filesize
10.0MB

Download
memory/920-146-0x0000000000000000-mapping.dmp

Download
memory/920-151-0x0000000074A70000-0x000000007547C000-memory.dmp

Filesize
10.0MB

Download
memory/1244-150-0x0000000000000000-mapping.dmp

Download
memory/1872-149-0x000001A23BA10000-0x000001A23BA14000-memory.dmp

Filesize
16KB

Download
memory/1872-148-0x000001A2394E0000-0x000001A2394F0000-memory.dmp

Filesize
64KB

Download
memory/1872-147-0x000001A238D60000-0x000001A238D70000-memory.dmp

Filesize
64KB

Download
memory/4032-155-0x0000000000000000-mapping.dmp

Download
memory/4032-157-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/4032-158-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/4032-159-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/4056-156-0x0000000000000000-mapping.dmp

Download