qakbot | ce80bb3f99f496156c06ec2a2927497279e6a3b52460c5951ae879d911a4bde6

Analysis

max time kernel
139s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CK_19617_9585862810069.vbs
Size

2.5MB
MD5

8d658117310b8089242c9e9c572dde73
SHA1

6403b791f6d07b13900fdc2a921feb19fe3daf29
SHA256

5b0e3944fec83a8d868a84247ed664764ba213a1c22bf7618240a4c995fc6c74
SHA512

2e62354b9259629b94978cca95ffd8c3d1e4fe5fea79a7efe5c14fa378e8f7ae8c630d9805611d9bb71aa40433768a88b018a13040fbdd289c395fd59d3fd77f
SSDEEP

24576:NC4YmLjKcMR0sjeZavuZ+Ijp6rc6/zo1gcHpXZtJ1f/IiF5dvldb6gyCUrN7YFc+:F5Q/bfdhJFC

Score

10^/10

qakbot spx16 1569917382 banker discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.91

Botnet

spx16

Campaign

1569917382

71.93.60.90:443

113.77.242.83:443

203.192.232.72:443

98.186.90.192:995

172.78.47.99:443

72.213.98.233:443

76.184.141.236:443

12.5.37.3:443

96.20.238.2:2087

68.225.250.136:443

75.110.90.155:443

96.20.238.2:2078

96.22.239.27:2222

123.252.128.47:443

70.167.72.28:443

2.50.170.151:443

2.177.115.198:443

96.28.229.218:443

67.10.18.112:995

70.183.155.118:80

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits = "0"	reg.exe

Executes dropped EXE 7 IoCs

Processes:

aNkxbUo.exeaNkxbUo.exepuogldjs.exepuogldjs.exeaNkxbUo.exepuogldjs.exepuogldjs.exe

pid process

3012 aNkxbUo.exe
2736 aNkxbUo.exe
2628 puogldjs.exe
560 puogldjs.exe
2812 aNkxbUo.exe
496 puogldjs.exe
656 puogldjs.exe
Loads dropped DLL 4 IoCs

Processes:

aNkxbUo.exeaNkxbUo.exe

pid process

3012 aNkxbUo.exe
3012 aNkxbUo.exe
3012 aNkxbUo.exe
2812 aNkxbUo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\lbgya = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Pcabxeits\\puogldjs.exe\""	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exeaNkxbUo.exepuogldjs.exepuogldjs.exeaNkxbUo.exepuogldjs.exeschtasks.exepuogldjs.exeaNkxbUo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aNkxbUo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puogldjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puogldjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aNkxbUo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puogldjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puogldjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aNkxbUo.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

2432 cmd.exe
1248 PING.EXE

pid	process
2432	cmd.exe
1248	PING.EXE

Modifies data under HKEY_USERS 3 IoCs

Processes:

aNkxbUo.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	aNkxbUo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	aNkxbUo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	aNkxbUo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1248 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2788 schtasks.exe

pid	process
1248	PING.EXE

pid	process
2788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

aNkxbUo.exeaNkxbUo.exepuogldjs.exepuogldjs.exeexplorer.exeaNkxbUo.exepuogldjs.exepuogldjs.exe

pid	process
3012	aNkxbUo.exe
2736	aNkxbUo.exe
2736	aNkxbUo.exe
2628	puogldjs.exe
560	puogldjs.exe
560	puogldjs.exe
1968	explorer.exe
1968	explorer.exe
2812	aNkxbUo.exe
496	puogldjs.exe
656	puogldjs.exe
656	puogldjs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

puogldjs.exe

pid process

2628 puogldjs.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

1604 WScript.exe

pid	process
2628	puogldjs.exe

pid	process
1604	WScript.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aNkxbUo.exepuogldjs.exetaskeng.exeaNkxbUo.exe

description	pid	process	target process
PID 3012 wrote to memory of 2736	3012	aNkxbUo.exe	aNkxbUo.exe
PID 3012 wrote to memory of 2736	3012	aNkxbUo.exe	aNkxbUo.exe
PID 3012 wrote to memory of 2736	3012	aNkxbUo.exe	aNkxbUo.exe
PID 3012 wrote to memory of 2736	3012	aNkxbUo.exe	aNkxbUo.exe
PID 3012 wrote to memory of 2628	3012	aNkxbUo.exe	puogldjs.exe
PID 3012 wrote to memory of 2628	3012	aNkxbUo.exe	puogldjs.exe
PID 3012 wrote to memory of 2628	3012	aNkxbUo.exe	puogldjs.exe
PID 3012 wrote to memory of 2628	3012	aNkxbUo.exe	puogldjs.exe
PID 3012 wrote to memory of 2788	3012	aNkxbUo.exe	schtasks.exe
PID 3012 wrote to memory of 2788	3012	aNkxbUo.exe	schtasks.exe
PID 3012 wrote to memory of 2788	3012	aNkxbUo.exe	schtasks.exe
PID 3012 wrote to memory of 2788	3012	aNkxbUo.exe	schtasks.exe
PID 2628 wrote to memory of 560	2628	puogldjs.exe	puogldjs.exe
PID 2628 wrote to memory of 560	2628	puogldjs.exe	puogldjs.exe
PID 2628 wrote to memory of 560	2628	puogldjs.exe	puogldjs.exe
PID 2628 wrote to memory of 560	2628	puogldjs.exe	puogldjs.exe
PID 2628 wrote to memory of 1968	2628	puogldjs.exe	explorer.exe
PID 2628 wrote to memory of 1968	2628	puogldjs.exe	explorer.exe
PID 2628 wrote to memory of 1968	2628	puogldjs.exe	explorer.exe
PID 2628 wrote to memory of 1968	2628	puogldjs.exe	explorer.exe
PID 2628 wrote to memory of 1968	2628	puogldjs.exe	explorer.exe
PID 1680 wrote to memory of 2812	1680	taskeng.exe	aNkxbUo.exe
PID 1680 wrote to memory of 2812	1680	taskeng.exe	aNkxbUo.exe
PID 1680 wrote to memory of 2812	1680	taskeng.exe	aNkxbUo.exe
PID 1680 wrote to memory of 2812	1680	taskeng.exe	aNkxbUo.exe
PID 2812 wrote to memory of 1144	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1144	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1144	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1144	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1964	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1964	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1964	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1964	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1448	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1448	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1448	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1448	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1228	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1228	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1228	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1228	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1748	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1748	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1748	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1748	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 2596	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 2596	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 2596	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 2596	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 628	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 628	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 628	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 628	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1532	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1532	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1532	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 1532	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 2328	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 2328	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 2328	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 2328	2812	aNkxbUo.exe	reg.exe
PID 2812 wrote to memory of 496	2812	aNkxbUo.exe	puogldjs.exe
PID 2812 wrote to memory of 496	2812	aNkxbUo.exe	puogldjs.exe
PID 2812 wrote to memory of 496	2812	aNkxbUo.exe	puogldjs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CK_19617_9585862810069.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1604

C:\Users\Admin\AppData\Local\Temp\aNkxbUo.exe
C:\Users\Admin\AppData\Local\Temp\aNkxbUo.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\aNkxbUo.exe
  C:\Users\Admin\AppData\Local\Temp\aNkxbUo.exe /C
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits\puogldjs.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits\puogldjs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits\puogldjs.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits\puogldjs.exe /C
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:560
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1968
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wucjflrhts /tr "\"C:\Users\Admin\AppData\Local\Temp\aNkxbUo.exe\" /I wucjflrhts" /SC ONCE /Z /ST 22:22 /ET 22:34
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2788

C:\Windows\system32\taskeng.exe
taskeng.exe {66810BBA-C151-4FF6-84D9-B337710B5B24} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\aNkxbUo.exe
  C:\Users\Admin\AppData\Local\Temp\aNkxbUo.exe /I wucjflrhts
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:1144
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:1448
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:1228
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:1748
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:2596
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:628
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:1532
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits" /d "0"
    3⤵
    - Windows security bypass
    PID:2328
- - C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits\puogldjs.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits\puogldjs.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:496
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits\puogldjs.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits\puogldjs.exe /C
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:656
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\aNkxbUo.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2432
  - - C:\Windows\system32\PING.EXE
      ping.exe -n 6 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1248
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /DELETE /F /TN wucjflrhts
    3⤵
    PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AOYFZV~1.ZIP

Filesize
644KB

MD5
d606993aecc1b93d7fb400f80ac12880

SHA1
f9deb22a5a3c03b3561c731ae1e018cd3c70d0bc

SHA256
dfa1e62cee279a508fa4debc9c7584198e208b35b2dfe9adf3fc4bda0cde5c9e

SHA512
b913a4f3afc50d68429316e4c057689166d9c9faca91b1b6f0d8445df42751b31677fd7ea5bdc960c3f2b95da6527e5f620f3e74d3e93024a22edacc7d0aea5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aNkxbUo.exe

Filesize
821KB

MD5
71e0d18f5500800ac0688a2544a8279e

SHA1
06ba73131638e8a03654124dbc16906d15232a56

SHA256
70b395ccd4414a8c9a0d413cd3339035e970f90c04af92605deed72f35f8fdab

SHA512
794bc01ec4dfd53c3a59681748165b3ce7e34b27aa2bb5c2592ebf696aba486de90093e3315c78f87b11ea6f97241d7ab04757ebe360f7f917eaa415b7604307

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Pcabxeits\puogldjs.dat

Filesize
63B

MD5
88a0731944779e78d3499dc8fb7b4ddd

SHA1
5f11e5c4d8dae72ce5caf47d7289197f2488290c

SHA256
5df92f8663b1c32cab431c6ac5e6d173d2ef722247d1a263ba54695044eee50e

SHA512
9ed454caa3efb147654d2319a81018fcd7a50420742f931c0e8c24d347373d7908e8ee3e8e1b5387d5417b573429ec7888539ae782b854f4114348ebf6319d4e

Download Submit
memory/496-83-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/560-55-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/656-82-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1604-20-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1968-62-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1968-65-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1968-63-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1968-56-0x0000000000150000-0x00000000001E2000-memory.dmp

Filesize
584KB

Download
memory/1968-59-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1968-58-0x0000000000150000-0x00000000001E2000-memory.dmp

Filesize
584KB

Download
memory/1968-60-0x0000000000150000-0x00000000001E2000-memory.dmp

Filesize
584KB

Download
memory/2628-61-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2628-47-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2736-35-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2736-31-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/2812-69-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2812-77-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/3012-46-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/3012-25-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/3012-24-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download