Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18-05-2024 19:57
Static task
static1
Behavioral task
behavioral1
Sample
3e94ca37c72a65fa6428992dd2826f10_NeikiAnalytics.dll
Resource
win7-20240221-en
General
-
Target
3e94ca37c72a65fa6428992dd2826f10_NeikiAnalytics.dll
-
Size
120KB
-
MD5
3e94ca37c72a65fa6428992dd2826f10
-
SHA1
e5643029837525a0ab140e1411c1597af8299c83
-
SHA256
bab077766582f4f389b1283af3c506f320e57d35b118f249a9350d84925d0bea
-
SHA512
a75cae2b431f47bb7b2410e0dfa7b185c14f1efe4bfed1c205d12daf0e28eb4c9d601d996940ba174ef4ed9597dabbfc007a215d735443a6c58cf63f4ec9a233
-
SSDEEP
3072:kVYjjytHKJ7Wc5eMeuVJmFnI2TWUvZOiXI47o6r:kVYjjytmJzeuHuIOfOi4f6r
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: e574c0d.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574c0d.exe
-
Processes: e574c0d.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574c0d.exe
-
Processes: e574c0d.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574c0d.exe
-
Executes dropped EXE 3 IoCs
Processes: e574c0d.exe, e574d26.exe, e576a14.exe
pid | process
4268 | e574c0d.exe
1572 | e574d26.exe
1888 | e576a14.exe
-
Processes: e574c0d.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574c0d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574c0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574c0d.exe
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e574c0d.exe
description | ioc | process
File opened (read-only) | \??\I: | e574c0d.exe
File opened (read-only) | \??\J: | e574c0d.exe
File opened (read-only) | \??\M: | e574c0d.exe
File opened (read-only) | \??\N: | e574c0d.exe
File opened (read-only) | \??\O: | e574c0d.exe
File opened (read-only) | \??\E: | e574c0d.exe
File opened (read-only) | \??\H: | e574c0d.exe
File opened (read-only) | \??\K: | e574c0d.exe
File opened (read-only) | \??\L: | e574c0d.exe
File opened (read-only) | \??\G: | e574c0d.exe
-
Drops file in Program Files directory 3 IoCs
Processes: e574c0d.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e574c0d.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e574c0d.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e574c0d.exe
-
Drops file in Windows directory 2 IoCs
Processes: e574c0d.exe
description | ioc | process
File created | C:\Windows\e574c5b | e574c0d.exe
File opened for modification | C:\Windows\SYSTEM.INI | e574c0d.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: e574c0d.exe
pid | process
4268 | e574c0d.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e574c0d.exe
description | pid | process
Token: SeDebugPrivilege | 4268 | e574c0d.exe
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes: rundll32.exe, rundll32.exe, e574c0d.exe
description | pid | process | target process
PID 5116 wrote to memory of 3816 | 5116 | rundll32.exe | rundll32.exe
PID 3816 wrote to memory of 4268 | 3816 | rundll32.exe | e574c0d.exe
PID 4268 wrote to memory of 772 | 4268 | e574c0d.exe | fontdrvhost.exe
PID 4268 wrote to memory of 776 | 4268 | e574c0d.exe | fontdrvhost.exe
PID 4268 wrote to memory of 380 | 4268 | e574c0d.exe | dwm.exe
PID 4268 wrote to memory of 2620 | 4268 | e574c0d.exe | sihost.exe
PID 4268 wrote to memory of 2656 | 4268 | e574c0d.exe | svchost.exe
PID 4268 wrote to memory of 2904 | 4268 | e574c0d.exe | taskhostw.exe
PID 4268 wrote to memory of 3504 | 4268 | e574c0d.exe | Explorer.EXE
PID 4268 wrote to memory of 3664 | 4268 | e574c0d.exe | svchost.exe
PID 4268 wrote to memory of 3856 | 4268 | e574c0d.exe | DllHost.exe
PID 4268 wrote to memory of 3952 | 4268 | e574c0d.exe | StartMenuExperienceHost.exe
PID 4268 wrote to memory of 4016 | 4268 | e574c0d.exe | RuntimeBroker.exe
PID 4268 wrote to memory of 4092 | 4268 | e574c0d.exe | SearchApp.exe
PID 4268 wrote to memory of 4132 | 4268 | e574c0d.exe | RuntimeBroker.exe
PID 4268 wrote to memory of 336 | 4268 | e574c0d.exe | RuntimeBroker.exe
PID 4268 wrote to memory of 4488 | 4268 | e574c0d.exe | TextInputHost.exe
PID 4268 wrote to memory of 5044 | 4268 | e574c0d.exe | backgroundTaskHost.exe
PID 4268 wrote to memory of 5116 | 4268 | e574c0d.exe | rundll32.exe
PID 4268 wrote to memory of 3816 | 4268 | e574c0d.exe | rundll32.exe
PID 3816 wrote to memory of 1572 | 3816 | rundll32.exe | e574d26.exe
PID 3816 wrote to memory of 1888 | 3816 | rundll32.exe | e576a14.exe
PID 4268 wrote to memory of 1572 | 4268 | e574c0d.exe | e574d26.exe
PID 4268 wrote to memory of 1888 | 4268 | e574c0d.exe | e576a14.exe
-
System policy modification 1 TTPs 1 IoCs
Processes: e574c0d.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574c0d.exe
Processes
- C:\Windows\system32\fontdrvhost.exe (depth 1)
  "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (depth 1)
  "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (depth 1)
  "dwm.exe"
- C:\Windows\system32\sihost.exe (depth 1)
  sihost.exe
- C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (depth 1)
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (depth 1)
  C:\Windows\Explorer.EXE
- C:\Windows\system32\rundll32.exe (depth 2)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e94ca37c72a65fa6428992dd2826f10_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\rundll32.exe (depth 3)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e94ca37c72a65fa6428992dd2826f10_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\e574c0d.exe (depth 4)
  C:\Users\Admin\AppData\Local\Temp\e574c0d.exe
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
- C:\Users\Admin\AppData\Local\Temp\e574d26.exe (depth 4)
  C:\Users\Admin\AppData\Local\Temp\e574d26.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\e576a14.exe (depth 4)
  C:\Users\Admin\AppData\Local\Temp\e576a14.exe
  - Executes dropped EXE
- C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (depth 1)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (depth 1)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (depth 1)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (depth 1)
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\system32\backgroundTaskHost.exe (depth 1)
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process: 1
Windows Service: 1
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Defense Evasion
Modify Registry: 5
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Impair Defenses: 3
Disable or Modify Tools: 3
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e574c0d.exe
Filesize
97KB
MD5
fceace990ba96de2842e229fbbefac17
SHA1
9102994afe48ff9343244eae5159bceb05209cfe
SHA256
a4debb401e0016ac0cf783e13cc2c0e9502bad1e54d306bb18b13a1556d35844
SHA512
cef5fff16fce0922eb68fcddba1be9439f04dfe159e7c4748ee621b1a442b9cd575a5bf66a318e222443960c949e2e7aa166c9d9551d123be789fb4388dcae88