Analysis
max time kernel: 118s
max time network: 137s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02-04-2024 13:35
Static task
static1
Behavioral task
behavioral1
Sample
73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
Resource
win7-20240221-en
General
-
Target
73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
-
Size
5.8MB
-
MD5
483b57478ab379546ae9fbab1c0185fa
-
SHA1
e76211f214c1bcd7eb4ab21478d11a50c31d5da7
-
SHA256
73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3
-
SHA512
a06f6a98831454f70413efcb6ca97a96440c07bc65e42a8bbfa6c2a6ae7d5dc666d3b96455acdd98089867b9f5ed0cbd98c69bda1c088eb6f3a6c7d702bcb9c4
-
SSDEEP
98304:mihTySajXEjCVXrepfrULCZf7ACNQB0zmlwXU8ern7beyN:OjjIzULqpQBv17r3eyN
Malware Config
Extracted
qakbot
tchk08
1706710954
31.210.173.10:443
185.156.172.62:443
185.113.8.123:443
-
camp_date
2024-01-31 14:22:34 +0000 UTC
Signatures
-
Detect Qakbot Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1888-65-0x0000000000310000-0x0000000000340000-memory.dmp | family_qakbot_v5
behavioral1/memory/1888-69-0x00000000002E0000-0x0000000000310000-memory.dmp | family_qakbot_v5
behavioral1/memory/1888-68-0x00000000002B0000-0x00000000002DD000-memory.dmp | family_qakbot_v5
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 11 IoCs
Processes: msiexec.exe, DrvInst.exe
description | ioc | process
File opened for modification | C:\Windows\Installer\MSIE6F5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2447.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f77e6a7.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f77e6a7.msi | msiexec.exe
File created | C:\Windows\Installer\f77e6a8.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1CF4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f77e6a8.ipi | msiexec.exe
-
Executes dropped EXE 1 IoCs
Processes: MSI2447.tmp
pid | process
1992 | MSI2447.tmp
-
Loads dropped DLL 11 IoCs
Processes: MsiExec.exe, MsiExec.exe, rundll32.exe
pid | process
2580 | MsiExec.exe
2580 | MsiExec.exe
2580 | MsiExec.exe
2580 | MsiExec.exe
2580 | MsiExec.exe
2580 | MsiExec.exe
2084 | MsiExec.exe
1888 | rundll32.exe
1888 | rundll32.exe
1888 | rundll32.exe
1888 | rundll32.exe
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: msiexec.exe, MSI2447.tmp, rundll32.exe
pid | process
2340 | msiexec.exe
2340 | msiexec.exe
1992 | MSI2447.tmp
1888 | rundll32.exe
1888 | rundll32.exe
1888 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: msiexec.exe
pid | process
2516 | msiexec.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCC0E9A4FC388E5724EB85202427AAC4 C
  - Loads dropped DLL
-
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D0B7DE24814DE163A7122EC1321C56A8
  - Loads dropped DLL
-
  C:\Windows\Installer\MSI2447.tmp
  "C:\Windows\Installer\MSI2447.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\Acrobat\\MicrosoftOffice15\ClientX64\Acrobat.dll,CfGetPlatformInfo
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
-
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B8" "00000000000005B0"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Acrobat\\MicrosoftOffice15\ClientX64\Acrobat.dll,CfGetPlatformInfo
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses