Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 04:08
Behavioral task
behavioral1
Sample
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe
-
Size
2.6MB
-
MD5
1b11ee5ca27fe0d341fee89bec5fd940
-
SHA1
e63efe252c67f8f14f6fc9c42189c3e1c4175a94
-
SHA256
fc62cf145ef2bf693cf1f84abd30843a548d054fd0376473134e088c9c6fcbc2
-
SHA512
7fbe4e130d07d3050406cfd312c6a892161f20dc468f0e618228dec9625e625842505441556ef067d8a4675de3563b6a90d741ef263bd24cd74c30724b8b4b21
-
SSDEEP
49152:fXzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEVh:fXzhW148Pd+Tf1mpcOldJQ3/Vh
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
spoolsv.exesvchost.exespoolsv.exeexplorer.exe1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe -
Executes dropped EXE 4 IoCs
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exepid process 2680 explorer.exe 2692 spoolsv.exe 2744 svchost.exe 2520 spoolsv.exe -
Loads dropped DLL 4 IoCs
Processes:
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exepid process 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 2680 explorer.exe 2692 spoolsv.exe 2744 svchost.exe -
Processes:
resource yara_rule behavioral1/memory/1560-0-0x0000000000400000-0x0000000000A16000-memory.dmp themida \Windows\Resources\Themes\explorer.exe themida behavioral1/memory/2680-12-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/1560-11-0x0000000003750000-0x0000000003D66000-memory.dmp themida C:\Windows\Resources\spoolsv.exe themida behavioral1/memory/2692-24-0x0000000000400000-0x0000000000A16000-memory.dmp themida \Windows\Resources\svchost.exe themida behavioral1/memory/2744-36-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2520-45-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/1560-42-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2692-50-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2520-52-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/1560-54-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2680-55-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2680-56-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2744-57-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2680-68-0x0000000000400000-0x0000000000A16000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe -
Processes:
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe -
Drops file in System32 directory 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 2680 explorer.exe 2692 spoolsv.exe 2744 svchost.exe 2520 spoolsv.exe -
Drops file in Windows directory 4 IoCs
Processes:
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exedescription ioc process File opened for modification \??\c:\windows\resources\themes\explorer.exe 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 2024 schtasks.exe 1208 schtasks.exe 1732 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exesvchost.exepid process 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2744 svchost.exe 2680 explorer.exe 2680 explorer.exe 2680 explorer.exe 2744 svchost.exe 2744 svchost.exe 2680 explorer.exe 2744 svchost.exe 2744 svchost.exe 2680 explorer.exe 2680 explorer.exe 2744 svchost.exe 2744 svchost.exe 2680 explorer.exe 2680 explorer.exe 2744 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 2680 explorer.exe 2744 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe 2680 explorer.exe 2680 explorer.exe 2692 spoolsv.exe 2692 spoolsv.exe 2744 svchost.exe 2744 svchost.exe 2520 spoolsv.exe 2520 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 1560 wrote to memory of 2680 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe explorer.exe PID 1560 wrote to memory of 2680 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe explorer.exe PID 1560 wrote to memory of 2680 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe explorer.exe PID 1560 wrote to memory of 2680 1560 1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe explorer.exe PID 2680 wrote to memory of 2692 2680 explorer.exe spoolsv.exe PID 2680 wrote to memory of 2692 2680 explorer.exe spoolsv.exe PID 2680 wrote to memory of 2692 2680 explorer.exe spoolsv.exe PID 2680 wrote to memory of 2692 2680 explorer.exe spoolsv.exe PID 2692 wrote to memory of 2744 2692 spoolsv.exe svchost.exe PID 2692 wrote to memory of 2744 2692 spoolsv.exe svchost.exe PID 2692 wrote to memory of 2744 2692 spoolsv.exe svchost.exe PID 2692 wrote to memory of 2744 2692 spoolsv.exe svchost.exe PID 2744 wrote to memory of 2520 2744 svchost.exe spoolsv.exe PID 2744 wrote to memory of 2520 2744 svchost.exe spoolsv.exe PID 2744 wrote to memory of 2520 2744 svchost.exe spoolsv.exe PID 2744 wrote to memory of 2520 2744 svchost.exe spoolsv.exe PID 2680 wrote to memory of 2600 2680 explorer.exe Explorer.exe PID 2680 wrote to memory of 2600 2680 explorer.exe Explorer.exe PID 2680 wrote to memory of 2600 2680 explorer.exe Explorer.exe PID 2680 wrote to memory of 2600 2680 explorer.exe Explorer.exe PID 2744 wrote to memory of 2024 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 2024 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 2024 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 2024 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 1208 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 1208 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 1208 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 1208 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 1732 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 1732 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 1732 2744 svchost.exe schtasks.exe PID 2744 wrote to memory of 1732 2744 svchost.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1b11ee5ca27fe0d341fee89bec5fd940_NeikiAnalytics.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2520 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:10 /f5⤵
- Creates scheduled task(s)
PID:2024 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:11 /f5⤵
- Creates scheduled task(s)
PID:1208 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:12 /f5⤵
- Creates scheduled task(s)
PID:1732 -
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2600
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Resources\spoolsv.exeFilesize
2.6MB
MD50d7fc944b938bbbdc2be334d04e4bbd9
SHA1ab064256cb29ed8c7157e54ba6784bb8e01a679f
SHA2566ecf8a2a32ab280ca5251bbc891236163cc06b9fde6dfb3dfe66b0ce3eb5f53d
SHA512127ea74cfdf8e6781b6e9731bfaf058ed380b63f79d6bf88ca90cee73369d484d20d4b9e1b3d0e9705f438a9b3a62234f7c556b6ddc24122e89076f34e1fe351
-
\Windows\Resources\Themes\explorer.exeFilesize
2.6MB
MD526dde0f13a7ac04c215919389296ea0a
SHA1fb1ad878889221258eeaed8f4c70976dc12e7fc2
SHA256288ac0386012ad9b8674830dbe57dfbcd67903471a268aabfb1a972744e15b5b
SHA51215b1f9ec990bc2e0ef04c568f38f9785f6bd3615678b299904dab59858af3a2f3d29cf01ae03c0a975a29431ccb8eeee20518d5e29a0b92c38d4ae9144f344f6
-
\Windows\Resources\svchost.exeFilesize
2.6MB
MD5be7a9a6abe47e418064b82d388746b5b
SHA135950397c543b199222561058e93f918bd421d19
SHA256a1b228398868a64da27686f0f7f92dc7051477b7cec2413f2ce7575e1d382f15
SHA512fbee82edf05f9d02dc3f59128aed8902637cab09f93a4e8f3eb70d16dfaa99a0aee84754c5c0708d4370bf32b798485d335859fb9f39dd20ec21e01fa33042c4
-
memory/1560-44-0x0000000003750000-0x0000000003D66000-memory.dmpFilesize
6.1MB
-
memory/1560-1-0x0000000077E50000-0x0000000077E52000-memory.dmpFilesize
8KB
-
memory/1560-54-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1560-11-0x0000000003750000-0x0000000003D66000-memory.dmpFilesize
6.1MB
-
memory/1560-0-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1560-42-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2520-52-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2520-45-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2680-21-0x0000000003700000-0x0000000003D16000-memory.dmpFilesize
6.1MB
-
memory/2680-12-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2680-55-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2680-56-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2680-68-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2692-35-0x00000000036F0000-0x0000000003D06000-memory.dmpFilesize
6.1MB
-
memory/2692-24-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2692-50-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2744-36-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2744-57-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB