Analysis

  • max time kernel
    149s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 00:44

General

  • Target

    66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    66caf603baa5fcce64131292a13afe30

  • SHA1

    7b8710d4c2a373f354d6b4dc1ad83422b3181ea1

  • SHA256

    0621355ac15ceecdedc4a2eb62db26b08643b3d52bed0275895abb3956cae3f3

  • SHA512

    b5185aa320fe3c65444520291a9cd9471ed3d5ce0828fb6ea709a65f3d0adf4adf0e04503049378d0807638f8eafd733e0aed8156cd3e1beff458f7f86230c7f

  • SSDEEP

    768:/h4AXKiTroAq0RB+XPPmNwQLNXEzTxideVASwekft5nEwe:/a8jroAbRB+XWCQLZeIdSwk9

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • ASPack v2.12-2.42 12 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 24 IoCs
  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3900
    • C:\Windows\babon.exe
      C:\Windows\babon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2980
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3560
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3624
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5088
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2740
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4712
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4420
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4124
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3184
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2544
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4784
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4192
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2952
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1408
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2912
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2972
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2592
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4580
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4544
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:5116
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1620
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4496
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3408
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1872
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2376
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4904
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2884
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2056
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

    Filesize

    45KB

    MD5

    afb8e457175b5c058d94bc5eff76dc98

    SHA1

    6f461c4c2af1ac9fc0ec7bc514ae5cf4362611ec

    SHA256

    f04a2661b427336fd8d5518349bc831b8e22e37c67b9d1e8bbd79a4548105dfb

    SHA512

    e35d0be66ddd5354d73b4ae0d9bca792267a9a39f93ff723f6cd2eda079a2316ca5a06d90e053355da153fb30fb643556d028565fcf95efe49345e41ca705d91

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    d23754a7f98afba5e6dba1072ad30206

    SHA1

    0667f2c80315b238e5dd750630d6819f82c71c6c

    SHA256

    9551ee43aaa3b7772b9c5c275db60ccd92d8cdd0d20ec4f4dbc2a756007a7661

    SHA512

    ed42a2795729664470fc2aea983eacc8994fe2e5a0dd4a895f7a2fc632b85b647c00b1c22b470d955c698717c2a4e8abedb3330285b3b6939ede318e6feadedd

  • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    45KB

    MD5

    a563b8b7d9853aed9bde72432a0f6f68

    SHA1

    8164f24bb37fde1b8b9425771367eb7e7d3f8ff6

    SHA256

    43ad02c5af95c4204b77601fdd558227d0729486ca63b35745af2a5eff2c6712

    SHA512

    954f4d67097900e0f825610d370b693b674cead181abb068dcf7f83e0b09f4b14f186f0937b794c9188319d0600e44ee368cc5e77f4c16d2ef97924efd6e806f

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    45KB

    MD5

    66caf603baa5fcce64131292a13afe30

    SHA1

    7b8710d4c2a373f354d6b4dc1ad83422b3181ea1

    SHA256

    0621355ac15ceecdedc4a2eb62db26b08643b3d52bed0275895abb3956cae3f3

    SHA512

    b5185aa320fe3c65444520291a9cd9471ed3d5ce0828fb6ea709a65f3d0adf4adf0e04503049378d0807638f8eafd733e0aed8156cd3e1beff458f7f86230c7f

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    39dfac887e4173a033f822f4b8d4e93e

    SHA1

    3f04f047f7b95c78eabcc05055ce780323f7df6a

    SHA256

    c77e678d46b1d114cb07bec90a5ec2dbe9407e24b42bc56da268fef43b8161ed

    SHA512

    55a7b74bdb775cf7771446304e9c8d295e1c7c92af4253f65ee37654bad12a6596b24aeb75a9905e1e0200b46a57c3cf144dd92b610bd9246bf83b92f67c8197

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    ec0585c48fc147eabc87fd9768044a9c

    SHA1

    616beb5697cd152e0b1c83787fd07c1e1e5fccab

    SHA256

    5ed6d231961220e5bc60298468abe44038f879099dbdb3e3601749b7ddd18901

    SHA512

    372d4bf9de873716e851e972f195b23dcef6cfd31881d63b0664fbe6ec1a53ecd3986e18d672d25fd8ea8d75754178b0a1e0ca7379b6a79d8b7910bf804451c4

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    a3c5002330ca778c741c75724a08c5c8

    SHA1

    9173e659d9bd309934969487c283670b3ad90816

    SHA256

    14209bff422a84e1f74794235801358a2a25f9bbb3296e8e6eed16fdcb33821c

    SHA512

    5fc5b4c0842b39c11e79ea87a6cd79892d9b400ba1713e31a2215719d5ed30ebcdb680b62651dd1f559be2a467d2eedc21e15f1cb0084ce9d588288d563cde69

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    44d63024f388f55d9846b5e03103d12d

    SHA1

    8f6f984824bd4ece5878964f8246a6c4520842f6

    SHA256

    f66038a1e647f2baa00f12984e73c54124ea85800036cf25987347b23bdd6110

    SHA512

    7cc31f6a302d68a84354375cafe62dd7318b9bc250ebc061de00d2e91ec6e9450d5d0c618c54baa99229d5db8ee8e60b1cd3c518350460d0a37c1af856c5a042

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    718731a4b35a1d4b5135ff52c71dc7af

    SHA1

    62b0c83e1e8b8ea826f5b2b00c4a61ee8374f9b1

    SHA256

    a6f6fa6287ec7ad64b7a23f69e601ae16d009d084878639ce023a285f9995d8e

    SHA512

    058247cd6104fd78db588417ca7f7c81a3d6078e868cf440d8b28118421db67f0315934e90b746dc34e0f0e3ed8b327beacd16a97ccfa45067211d0b6c8c26e8

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    45KB

    MD5

    ab9cdfb0834cfbf61695fd424186604e

    SHA1

    1d76a182235c0e029a8a405eef856e9e9d0928ac

    SHA256

    592d25f3a3018e87623e57e1fd7b0f16fdb0fb2c1a93e050102071109482704a

    SHA512

    2e1981a5d8ccf1b994feda61fcab152d6ddc663d75c05e62ae9d67194c87cf55e8a2456943d30c3f47955895f95a681c6a668c48bcf185c5fba9faed56273bba

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    45KB

    MD5

    c2f6b3f0e369b84f7b9845fb9bb9c70b

    SHA1

    9cedc11f8b4d8a11e7ecf492f34e8385c39920e9

    SHA256

    f93210c70f8d29573cf3fdda7bab8e2546615c3ebd09adf16a20af18a8d3e857

    SHA512

    438c6fa79b0edd3f3f5b8fca0c7a365a265b6c3875ca63996f0233b01ee4bef6f2ea47c19a2ef17aead603d38c810f3007bfef8a75ed36010ed2f07b2bab9ad6

  • C:\Windows\babon.exe

    Filesize

    45KB

    MD5

    7ed4daa96b427cb139e7838b8ffea59c

    SHA1

    b3c5ed0969859745832bc56290be9e8646a6e7fe

    SHA256

    6a1f8940d60d7672911b731ff7ecddea36cbbdd06ba8df8eb5319838f5978af1

    SHA512

    4d31f7b7b38c7422456a1d5c8d941046f97a306cacdc58893838401dda84a27f4db8d461fb4b42ed1cf56e30e6ab8a58e1e971d97e80d5e813766c4245c0a2b7

  • C:\Windows\msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\wangsit.txt

    Filesize

    416B

    MD5

    8c460e27a1949370d14f20942ef964c3

    SHA1

    fb1f75839903c83911b45b49956792d27db56185

    SHA256

    2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d

    SHA512

    ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

  • F:\autorun.inf

    Filesize

    41B

    MD5

    097661e74e667ec2329bc274acb87b0d

    SHA1

    91c68a6089af2f61035e2e5f2a8da8c908dc93ed

    SHA256

    aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

    SHA512

    e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

  • memory/1408-339-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1620-349-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1872-128-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1872-404-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2056-391-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2056-395-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2224-399-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2376-371-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2376-359-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2544-295-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2544-261-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2592-375-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2740-238-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2884-388-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2912-341-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2912-351-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2952-117-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2952-402-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2972-358-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2972-366-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2980-102-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2980-400-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3184-246-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3184-223-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3408-378-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3560-162-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3560-168-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3624-169-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3624-190-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3900-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3900-132-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4124-227-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4124-207-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4192-333-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4192-328-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4420-108-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4420-401-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4496-367-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4496-357-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4544-319-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4544-325-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4580-122-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4580-403-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4608-386-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4712-248-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4712-243-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4784-302-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4784-322-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4904-381-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4904-372-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/5088-198-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/5088-219-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/5116-326-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/5116-337-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB