Analysis
max time kernel: 143s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-03-2023 18:43
Behavioral task
behavioral1
Sample
sj.exe
Resource
win7-20230220-en
General
Target: sj.exe
Size: 2.6MB
MD5: bce0df8721504d50f4497c0a0a2c090d
SHA1: 2c5b190d19f0f58e156bd1b28434701cea09cc23
SHA256: 112a64190b9a0f356880eebf05e195f4c16407032bf89fa843fd136da6f5d515
SHA512: 8eca2571399782952e984b4d7c8f525a9c0092396ac8dc592d98acd0efdf2b6959a4b1272bcfb7e3a38060d269deabfd676b1fef2e830df3baab43e206d2f7fc
SSDEEP: 12288:qlQq2wwLHqpVxTp5WK1QAPPAV/Ykfgn6ggKh:u2wwT45xQwkfg93h
Malware Config
Extracted
qakbot
324.142
spx143
1592482956
Signatures
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Processes: reg.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (process: reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii = "0" (process: reg.exe)
-
Processes:
- resource: C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe, yara_rule: cryptone
- resource: C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe, yara_rule: cryptone
- resource: C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe, yara_rule: cryptone
- resource: C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe, yara_rule: cryptone
- resource: C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe, yara_rule: cryptone
-
Executes dropped EXE 4 IoCs
Processes: oiggfay.exe, oiggfay.exe, oiggfay.exe, oiggfay.exe
- pid 4944, process oiggfay.exe
- pid 2924, process oiggfay.exe
- pid 2256, process oiggfay.exe
- pid 2788, process oiggfay.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: sj.exe, oiggfay.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (process: sj.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (process: sj.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (process: oiggfay.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc (process: oiggfay.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service (process: oiggfay.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service (process: oiggfay.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc (process: sj.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service (process: sj.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc (process: sj.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service (process: sj.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (process: oiggfay.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc (process: oiggfay.exe)
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 5 IoCs
Processes: sj.exe
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process: sj.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (process: sj.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (process: sj.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (process: sj.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (process: sj.exe)
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
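Processes: sj.exe, sj.exe, oiggfay.exe, oiggfay.exe, explorer.exe, sj.exe, oiggfay.exe
- pid 2868, process sj.exe
- pid 2868, process sj.exe
- pid 2992, process sj.exe
- pid 2992, process sj.exe
- pid 2992, process sj.exe
- pid 2992, process sj.exe
- pid 4944, process oiggfay.exe
- pid 4944, process oiggfay.exe
- pid 2924, process oiggfay.exe
- pid 2924, process oiggfay.exe
- pid 2924, process oiggfay.exe
- pid 2924, process oiggfay.exe
- pid 460, process explorer.exe
- pid 460, process explorer.exe
- pid 460, process explorer.exe
- pid 460, process explorer.exe
- pid 1160, process sj.exe
- pid 1160, process sj.exe
- pid 2256, process oiggfay.exe
- pid 2256, process oiggfay.exe
-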
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: oiggfay.exe
- pid 4944, process oiggfay.exe
-
Suspicious use of WriteProcessMemory 46 IoCs
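Processes: sj.exe, oiggfay.exe, sj.exe, cmd.exe, oiggfay.exe
- PID 2868 wrote to memory of 2992 (pid: 2868, process: sj.exe, target process: sj.exe)
- PID 2868 wrote to memory of 2992 (pid: 2868, process: sj.exe, target process: sj.exe)
- PID 2868 wrote to memory of 2992 (pid: 2868, process: sj.exe, target process: sj.exe)
- PID 2868 wrote to memory of 4944 (pid: 2868, process: sj.exe, target process: oiggfay.exe)
- PID 2868 wrote to memory of 4944 (pid: 2868, process: sj.exe, target process: oiggfay.exe)
- PID 2868 wrote to memory of 4944 (pid: 2868, process: sj.exe, target process: oiggfay.exe)
- PID 2868 wrote to memory of 4184 (pid: 2868, process: sj.exe, target process: schtasks.exe)
- PID 2868 wrote to memory of 4184 (pid: 2868, process: sj.exe, target process: schtasks.exe)
- PID 2868 wrote to memory of 4184 (pid: 2868, process: sj.exe, target process: schtasks.exe)
- PID 4944 wrote to memory of 2924 (pid: 4944, process: oiggfay.exe, target process: oiggfay.exe)
- PID 4944 wrote to memory of 2924 (pid: 4944, process: oiggfay.exe, target process: oiggfay.exe)
- PID 4944 wrote to memory of 2924 (pid: 4944, process: oiggfay.exe, target process: oiggfay.exe)
- PID 4944 wrote to memory of 460 (pid: 4944, process: oiggfay.exe, target process: explorer.exe)
- PID 4944 wrote to memory of 460 (pid: 4944, process: oiggfay.exe, target process: explorer.exe)
- PID 4944 wrote to memory of 460 (pid: 4944, process: oiggfay.exe, target process: explorer.exe)
- PID 4944 wrote to memory of 460 (pid: 4944, process: oiggfay.exe, target process: explorer.exe)
- PID 1160 wrote to memory of 2676 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 2676 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 4204 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 4204 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 5056 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 5056 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 3264 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 3264 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 3320 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 3320 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 3424 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 3424 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 668 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 668 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 1444 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 1444 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 356 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 356 (pid: 1160, process: sj.exe, target process: reg.exe)
- PID 1160 wrote to memory of 2256 (pid: 1160, process: sj.exe, target process: oiggfay.exe)
- PID 1160 wrote to memory of 2256 (pid: 1160, process: sj.exe, target process: oiggfay.exe)
- PID 1160 wrote to memory of 2256 (pid: 1160, process: sj.exe, target process: oiggfay.exe)
- PID 1160 wrote to memory of 3948 (pid: 1160, process: sj.exe, target process: cmd.exe)
- PID 1160 wrote to memory of 3948 (pid: 1160, process: sj.exe, target process: cmd.exe)
- PID 1160 wrote to memory of 3052 (pid: 1160, process: sj.exe, target process: schtasks.exe)
- PID 1160 wrote to memory of 3052 (pid: 1160, process: sj.exe, target process: schtasks.exe)
- PID 3948 wrote to memory of 2688 (pid: 3948, process: cmd.exe, target process: PING.EXE)
- PID 3948 wrote to memory of 2688 (pid: 3948, process: cmd.exe, target process: PING.EXE)
- PID 2256 wrote to memory of 2788 (pid: 2256, process: oiggfay.exe, target process: oiggfay.exe)
- PID 2256 wrote to memory of 2788 (pid: 2256, process: oiggfay.exe, target process: oiggfay.exe)
- PID 2256 wrote to memory of 2788 (pid: 2256, process: oiggfay.exe, target process: oiggfay.exe)
-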
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\sj.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sj.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\sj.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\sj.exe /C
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe (depth 3)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe /C
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\explorer.exe (depth 3)
  Command line: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\schtasks.exe (depth 2)
  Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dwjjzcfcwv /tr "\"C:\Users\Admin\AppData\Local\Temp\sj.exe\" /I dwjjzcfcwv" /SC ONCE /Z /ST 18:46 /ET 18:58
  - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\sj.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\sj.exe /I dwjjzcfcwv
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\reg.exe (depth 2)
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
- C:\Windows\system32\reg.exe (depth 2)
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
- C:\Windows\system32\reg.exe (depth 2)
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
- C:\Windows\system32\reg.exe (depth 2)
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
- C:\Windows\system32\reg.exe (depth 2)
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
- C:\Windows\system32\reg.exe (depth 2)
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
- C:\Windows\system32\reg.exe (depth 2)
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
- C:\Windows\system32\reg.exe (depth 2)
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
- C:\Windows\system32\reg.exe (depth 2)
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii" /d "0"
  - Windows security bypass
- C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe (depth 3)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe /C
  - Executes dropped EXE
- C:\Windows\System32\cmd.exe (depth 2)
  Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\sj.exe"
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\PING.EXE (depth 3)
  Command line: ping.exe -n 6 127.0.0.1
  - Runs ping.exe
- C:\Windows\system32\schtasks.exe (depth 2)
  Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN dwjjzcfcwv
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.dat
  Filesize: 63B
  MD5: b74db07e8b4d6d306d2eef2c61541b62
  SHA1: d0e0abbd2e4f50606bc3ce2b9b153743efde744d
  SHA256: 45a7a6ba03e1f93767b8a048fbb6cd49294a930ce9562749b81b57abe7827057
  SHA512: d7121bc5cec98b8232d324c270401602547f7dcf84a771ac39ea722944149e6d5cbc4362b1d25e00cbd3bfcd3203ea05430c7bdcbc68a65784461012789dd701
- C:\Users\Admin\AppData\Roaming\Microsoft\Ahcmewpaii\oiggfay.exe
  Filesize: 2.6MB
  MD5: bce0df8721504d50f4497c0a0a2c090d
  SHA1: 2c5b190d19f0f58e156bd1b28434701cea09cc23
  SHA256: 112a64190b9a0f356880eebf05e195f4c16407032bf89fa843fd136da6f5d515
  SHA512: 8eca2571399782952e984b4d7c8f525a9c0092396ac8dc592d98acd0efdf2b6959a4b1272bcfb7e3a38060d269deabfd676b1fef2e830df3baab43e206d2f7fc