Analysis
-
max time kernel
149s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
18-05-2024 13:27
Static task
static1
Behavioral task
behavioral1
Sample
cd906030d501ed3283a4547f2f988bc0_NeikiAnalytics.dll
Resource
win7-20240220-en
General
-
Target
cd906030d501ed3283a4547f2f988bc0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
cd906030d501ed3283a4547f2f988bc0
-
SHA1
b5ec05269948e47bdc086a1def3a27424a0e2b20
-
SHA256
994f8cb8f98143788b089eacc953b61337c01bea06571a6250b238236a8a0248
-
SHA512
3949888e9206bd937fab465b5baf4e864f8c32e998ed83f0343eb66190137252d2dd71ec1817c8e3239026671f9ce6c79566f962cf8a2630fff304bf38d0656a
-
SSDEEP
1536:WPVoDmWBO9xx/EM9409gBgOrhQhmAPOVBO58RY5HJd0r8CGgo9obqRjjLJybRaxi:W9BWMbx/1ZmDwkvRMHMnqRjvSRaS1
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: e57598a.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57598a.exe
-
Processes: e57598a.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57598a.exe
-
Processes: e57598a.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57598a.exe
-
Executes dropped EXE 3 IoCs
Processes: e57598a.exe, e575a93.exe, e5782fb.exe
pid process
5032 e57598a.exe
4352 e575a93.exe
4640 e5782fb.exe
-
Processes: e57598a.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57598a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57598a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57598a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57598a.exe
-
Processes: e57598a.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57598a.exe
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e57598a.exe
description ioc process
File opened (read-only) \??\E: e57598a.exe
File opened (read-only) \??\G: e57598a.exe
File opened (read-only) \??\H: e57598a.exe
File opened (read-only) \??\I: e57598a.exe
File opened (read-only) \??\J: e57598a.exe
File opened (read-only) \??\O: e57598a.exe
File opened (read-only) \??\K: e57598a.exe
File opened (read-only) \??\L: e57598a.exe
File opened (read-only) \??\M: e57598a.exe
File opened (read-only) \??\N: e57598a.exe
-
Drops file in Program Files directory 3 IoCs
Processes: e57598a.exe
description ioc process
File opened for modification C:\Program Files\7-Zip\7z.exe e57598a.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe e57598a.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe e57598a.exe
-
Drops file in Windows directory 2 IoCs
Processes: e57598a.exe
description ioc process
File created C:\Windows\e5759e7 e57598a.exe
File opened for modification C:\Windows\SYSTEM.INI e57598a.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: e57598a.exe
pid process
5032 e57598a.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e57598a.exe
description pid process
Token: SeDebugPrivilege 5032 e57598a.exe
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes: rundll32.exe, rundll32.exe, e57598a.exe
description pid process target process
PID 4548 wrote to memory of 2100 4548 rundll32.exe rundll32.exe
PID 2100 wrote to memory of 5032 2100 rundll32.exe e57598a.exe
PID 5032 wrote to memory of 788 5032 e57598a.exe fontdrvhost.exe
PID 5032 wrote to memory of 796 5032 e57598a.exe fontdrvhost.exe
PID 5032 wrote to memory of 1016 5032 e57598a.exe dwm.exe
PID 5032 wrote to memory of 2556 5032 e57598a.exe sihost.exe
PID 5032 wrote to memory of 2588 5032 e57598a.exe svchost.exe
PID 5032 wrote to memory of 2688 5032 e57598a.exe taskhostw.exe
PID 5032 wrote to memory of 3480 5032 e57598a.exe Explorer.EXE
PID 5032 wrote to memory of 3644 5032 e57598a.exe svchost.exe
PID 5032 wrote to memory of 3848 5032 e57598a.exe DllHost.exe
PID 5032 wrote to memory of 3976 5032 e57598a.exe StartMenuExperienceHost.exe
PID 5032 wrote to memory of 4064 5032 e57598a.exe RuntimeBroker.exe
PID 5032 wrote to memory of 1512 5032 e57598a.exe SearchApp.exe
PID 5032 wrote to memory of 4204 5032 e57598a.exe RuntimeBroker.exe
PID 5032 wrote to memory of 4536 5032 e57598a.exe RuntimeBroker.exe
PID 5032 wrote to memory of 4616 5032 e57598a.exe TextInputHost.exe
PID 5032 wrote to memory of 1444 5032 e57598a.exe backgroundTaskHost.exe
PID 5032 wrote to memory of 3112 5032 e57598a.exe backgroundTaskHost.exe
PID 5032 wrote to memory of 4548 5032 e57598a.exe rundll32.exe
PID 5032 wrote to memory of 2100 5032 e57598a.exe rundll32.exe
PID 2100 wrote to memory of 4352 2100 rundll32.exe e575a93.exe
PID 5032 wrote to memory of 788 5032 e57598a.exe fontdrvhost.exe
PID 5032 wrote to memory of 796 5032 e57598a.exe fontdrvhost.exe
PID 5032 wrote to memory of 1016 5032 e57598a.exe dwm.exe
PID 5032 wrote to memory of 2556 5032 e57598a.exe sihost.exe
PID 5032 wrote to memory of 2588 5032 e57598a.exe svchost.exe
PID 5032 wrote to memory of 2688 5032 e57598a.exe taskhostw.exe
PID 5032 wrote to memory of 3480 5032 e57598a.exe Explorer.EXE
PID 5032 wrote to memory of 3644 5032 e57598a.exe svchost.exe
PID 5032 wrote to memory of 3848 5032 e57598a.exe DllHost.exe
PID 5032 wrote to memory of 3976 5032 e57598a.exe StartMenuExperienceHost.exe
PID 5032 wrote to memory of 4064 5032 e57598a.exe RuntimeBroker.exe
PID 5032 wrote to memory of 1512 5032 e57598a.exe SearchApp.exe
PID 5032 wrote to memory of 4204 5032 e57598a.exe RuntimeBroker.exe
PID 5032 wrote to memory of 4536 5032 e57598a.exe RuntimeBroker.exe
PID 5032 wrote to memory of 4616 5032 e57598a.exe TextInputHost.exe
PID 5032 wrote to memory of 1444 5032 e57598a.exe backgroundTaskHost.exe
PID 5032 wrote to memory of 3112 5032 e57598a.exe backgroundTaskHost.exe
PID 5032 wrote to memory of 4548 5032 e57598a.exe rundll32.exe
PID 5032 wrote to memory of 4352 5032 e57598a.exe e575a93.exe
PID 5032 wrote to memory of 3704 5032 e57598a.exe RuntimeBroker.exe
PID 5032 wrote to memory of 5048 5032 e57598a.exe RuntimeBroker.exe
PID 2100 wrote to memory of 4640 2100 rundll32.exe e5782fb.exe
-
System policy modification 1 TTPs 1 IoCs
Processes: e57598a.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57598a.exe
Processes
C:\Windows\system32\fontdrvhost.exe (PID 788)
  Command line: "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe (PID 796)
  Command line: "fontdrvhost.exe"
C:\Windows\system32\dwm.exe (PID 1016)
  Command line: "dwm.exe"
C:\Windows\system32\sihost.exe (PID 2556)
  Command line: sihost.exe
C:\Windows\system32\svchost.exe (PID 2588)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe (PID 2688)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE (PID 3480)
  Command line: C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe (PID 4548)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd906030d501ed3283a4547f2f988bc0_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 2100)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd906030d501ed3283a4547f2f988bc0_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57598a.exe (PID 5032)
        Command line: C:\Users\Admin\AppData\Local\Temp\e57598a.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e575a93.exe (PID 4352)
        Command line: C:\Users\Admin\AppData\Local\Temp\e575a93.exe
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\e5782fb.exe (PID 4640)
        Command line: C:\Users\Admin\AppData\Local\Temp\e5782fb.exe
        - Executes dropped EXE
C:\Windows\system32\svchost.exe (PID 3644)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe (PID 3848)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3976)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe (PID 4064)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 1512)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe (PID 4204)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (PID 4536)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 4616)
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\system32\backgroundTaskHost.exe (PID 1444)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe (PID 3112)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\RuntimeBroker.exe (PID 3704)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (PID 5048)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Create or Modify System Process: 1
Windows Service: 1
Defense Evasion
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Impair Defenses: 3
Disable or Modify Tools: 3
Modify Registry: 5
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57598a.exe
-
Filesize
97KB
-
MD5
93b2239926111d0bb1e6c59405c8ea3e
-
SHA1
9decfb123ec11d9cb1913c808bddf4fe7f28ee79
-
SHA256
8ddc9f13a89c83a055b3e77a709929f0752ef0251bd821168e36bb18e6796643
-
SHA512
d4bb4e4743e2bb29d45db49a389f685c1dd4aa1ea7b88541a21d02094fd27c94d0d79f1a5cf72213605ef2e2023d793575ac2dd172e4b46420a4f0f5dceff0df