Analysis
-
max time kernel
149s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2022 22:13
Static task
static1
Behavioral task
behavioral1
Sample
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
Resource
win10v2004-20220901-en
General
-
Target
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe
-
Size
1.0MB
-
MD5
0be2f1c22f5916d0cdb44ebccc39e18c
-
SHA1
731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec
-
SHA256
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56
-
SHA512
2e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5
-
SSDEEP
12288:EOvtwqTEXNkYIYt8+jmfimuZNXO9YM4Dg9Ni8zr0HCUGFiFRSFGM8Ji9up4XyopP:XwqQKYIYW6+18tOqMQcNKF3H2eqiGs
Malware Config
Extracted
remcos
Eric-Host
craigjonson91211.freedynamicdns.net:2011
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
wee.exe
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Rmc-3CS7D1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
qos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/2868-164-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/4804-165-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/4804-167-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2868-164-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral1/memory/4804-165-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/4804-167-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Executes dropped EXE 5 IoCs
Processes:
wee.exewee.exewee.exewee.exewee.exepid process 804 wee.exe 1124 wee.exe 4804 wee.exe 2868 wee.exe 4584 wee.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exe0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
wee.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wee.exe -
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exewee.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\"" 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\"" 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ wee.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\"" wee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ wee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\"" wee.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exewee.exewee.exedescription pid process target process PID 4832 set thread context of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 804 set thread context of 1124 804 wee.exe wee.exe PID 1124 set thread context of 4804 1124 wee.exe wee.exe PID 1124 set thread context of 2868 1124 wee.exe wee.exe PID 1124 set thread context of 4584 1124 wee.exe wee.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3384 4584 WerFault.exe wee.exe -
Modifies registry class 1 IoCs
Processes:
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
wee.exepid process 4804 wee.exe 4804 wee.exe 4804 wee.exe 4804 wee.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
wee.exepid process 1124 wee.exe 1124 wee.exe 1124 wee.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
wee.exepid process 1124 wee.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
wee.exepid process 4584 wee.exe -
Suspicious use of WriteProcessMemory 45 IoCs
Processes:
0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exeWScript.execmd.exewee.exewee.exedescription pid process target process PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 4832 wrote to memory of 3380 4832 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe PID 3380 wrote to memory of 4740 3380 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe WScript.exe PID 3380 wrote to memory of 4740 3380 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe WScript.exe PID 3380 wrote to memory of 4740 3380 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe WScript.exe PID 4740 wrote to memory of 3712 4740 WScript.exe cmd.exe PID 4740 wrote to memory of 3712 4740 WScript.exe cmd.exe PID 4740 wrote to memory of 3712 4740 WScript.exe cmd.exe PID 3712 wrote to memory of 804 3712 cmd.exe wee.exe PID 3712 wrote to memory of 804 3712 cmd.exe wee.exe PID 3712 wrote to memory of 804 3712 cmd.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 804 wrote to memory of 1124 804 wee.exe wee.exe PID 1124 wrote to memory of 4804 1124 wee.exe wee.exe PID 1124 wrote to memory of 4804 1124 wee.exe wee.exe PID 1124 wrote to memory of 4804 1124 wee.exe wee.exe PID 1124 wrote to memory of 4804 1124 wee.exe wee.exe PID 1124 wrote to memory of 2868 1124 wee.exe wee.exe PID 1124 wrote to memory of 2868 1124 wee.exe wee.exe PID 1124 wrote to memory of 2868 1124 wee.exe wee.exe PID 1124 wrote to memory of 2868 1124 wee.exe wee.exe PID 1124 wrote to memory of 4584 1124 wee.exe wee.exe PID 1124 wrote to memory of 4584 1124 wee.exe wee.exe PID 1124 wrote to memory of 4584 1124 wee.exe wee.exe PID 1124 wrote to memory of 4584 1124 wee.exe wee.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe"C:\Users\Admin\AppData\Local\Temp\0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe"C:\Users\Admin\AppData\Local\Temp\0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ytgytb.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\wee.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wee.exeC:\Users\Admin\AppData\Roaming\wee.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wee.exe"C:\Users\Admin\AppData\Roaming\wee.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wee.exeC:\Users\Admin\AppData\Roaming\wee.exe /stext "C:\Users\Admin\AppData\Local\Temp\rbgwe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\wee.exeC:\Users\Admin\AppData\Roaming\wee.exe /stext "C:\Users\Admin\AppData\Local\Temp\beuofqwxj"7⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
C:\Users\Admin\AppData\Roaming\wee.exeC:\Users\Admin\AppData\Roaming\wee.exe /stext "C:\Users\Admin\AppData\Local\Temp\myzhgihrxvki"7⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 128⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4584 -ip 45841⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\rbgweFilesize
4KB
MD5952a930b9fe70f809a67cb4e765c9448
SHA17e6c235246cc1be14d8a01ee7688a2a2471d44c9
SHA256bd8156713974af3003c418302d3647fa84f62836fe83613c05e8bc40cb06a867
SHA51210d12f2412fd2cb9ecf47cccd0261b17d9a3323957602c06795c4b2244306837d0a979ec6e552dc023ee81719ebcb9455bdb6f9d44f07788664994d1498452fb
-
C:\Users\Admin\AppData\Local\Temp\ytgytb.vbsFilesize
398B
MD5f1536fc12b615b3b046757ce09cc2b41
SHA1c67cacdb7dd2a1aa58ec9d2f554a831935fea0a2
SHA256c03a7b60b1a4a6d06dbe6d1fc3444f68a64e1b9e48e1967b60003b0b02c78502
SHA51239d0bfce41381099628b3d7f184c0aa49a98a9eef90da3b4be953530f3115bb4b72f871c6cf5026cce8d760b088865b63bbab3d8911d3e4513855712a3062207
-
C:\Users\Admin\AppData\Roaming\wee.exeFilesize
1.0MB
MD50be2f1c22f5916d0cdb44ebccc39e18c
SHA1731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec
SHA2560ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56
SHA5122e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5
-
C:\Users\Admin\AppData\Roaming\wee.exeFilesize
1.0MB
MD50be2f1c22f5916d0cdb44ebccc39e18c
SHA1731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec
SHA2560ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56
SHA5122e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5
-
C:\Users\Admin\AppData\Roaming\wee.exeFilesize
1.0MB
MD50be2f1c22f5916d0cdb44ebccc39e18c
SHA1731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec
SHA2560ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56
SHA5122e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5
-
C:\Users\Admin\AppData\Roaming\wee.exeFilesize
1.0MB
MD50be2f1c22f5916d0cdb44ebccc39e18c
SHA1731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec
SHA2560ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56
SHA5122e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5
-
C:\Users\Admin\AppData\Roaming\wee.exeFilesize
1.0MB
MD50be2f1c22f5916d0cdb44ebccc39e18c
SHA1731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec
SHA2560ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56
SHA5122e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5
-
C:\Users\Admin\AppData\Roaming\wee.exeFilesize
1.0MB
MD50be2f1c22f5916d0cdb44ebccc39e18c
SHA1731b7d2929de2b7d9a1a03f4372f4c5553c8e5ec
SHA2560ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56
SHA5122e7f6348723e7d440df93e80bafa31ca4eb4cabf33d584466becce680ad3b596d538dc497fdb09060848b8514b2d9ec5d2b6a4d0d059344619885c334c916dd5
-
memory/804-149-0x0000000000000000-mapping.dmp
-
memory/1124-156-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1124-155-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1124-157-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1124-152-0x0000000000000000-mapping.dmp
-
memory/1124-168-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/2868-160-0x0000000000000000-mapping.dmp
-
memory/2868-164-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/3380-146-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/3380-144-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/3380-143-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/3380-142-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/3380-141-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/3380-140-0x0000000000000000-mapping.dmp
-
memory/3712-148-0x0000000000000000-mapping.dmp
-
memory/4584-162-0x0000000000000000-mapping.dmp
-
memory/4740-145-0x0000000000000000-mapping.dmp
-
memory/4804-158-0x0000000000000000-mapping.dmp
-
memory/4804-165-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4804-167-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4832-139-0x0000000009450000-0x00000000094EC000-memory.dmpFilesize
624KB
-
memory/4832-138-0x0000000005590000-0x000000000559A000-memory.dmpFilesize
40KB
-
memory/4832-135-0x0000000000A40000-0x0000000000B50000-memory.dmpFilesize
1.1MB
-
memory/4832-137-0x00000000054D0000-0x0000000005562000-memory.dmpFilesize
584KB
-
memory/4832-136-0x0000000005B70000-0x0000000006114000-memory.dmpFilesize
5.6MB