Analysis
-
max time kernel
132s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 21:22
Static task
static1
Behavioral task
behavioral1
Sample
3eebe1d61de9cc9cc17a09a66dfe5690_NeikiAnalytics.dll
Resource
win7-20240220-en
General
-
Target
3eebe1d61de9cc9cc17a09a66dfe5690_NeikiAnalytics.dll
-
Size
120KB
-
MD5
3eebe1d61de9cc9cc17a09a66dfe5690
-
SHA1
1d17f2941241e2a8575163376b3761ff0aa9fa7c
-
SHA256
12fe9a9c9948885c92d0517d763f15e0083b7e7cd7389df082d4925bda8bf68a
-
SHA512
04e172c34c59b69910893b27a2e5a843063710a12ec781bd449a4ae5f054c8373220ed319bb473f412486f527cefb712ebdc443d28a59ad4ac9ec40ceee5bdc3
-
SSDEEP
1536:q5N6dWVb6qAomWGQ05aykMdC0qL0rXF0JQBZyPVmh5OMi6embfD1advfXmzJx6al:DWVZMgJMVq00AMI5OMzembY+VBAuG
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
e573a0b.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e573a0b.exe -
Processes:
e573a0b.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e573a0b.exe -
Processes:
e573a0b.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e573a0b.exe -
Executes dropped EXE 3 IoCs
Processes:
e573a0b.exee573b73.exee5755d1.exepid process 624 e573a0b.exe 516 e573b73.exe 3456 e5755d1.exe -
Processes:
resource yara_rule behavioral2/memory/624-10-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-20-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-19-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-28-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-31-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-17-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-18-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-11-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-9-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-8-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-6-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-36-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-37-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-38-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-39-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-40-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-42-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-43-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-52-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-54-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-55-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-66-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-67-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-70-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-73-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-72-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-74-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-75-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-78-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-82-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-83-0x0000000000770000-0x000000000182A000-memory.dmp upx behavioral2/memory/624-84-0x0000000000770000-0x000000000182A000-memory.dmp upx -
Processes:
e573a0b.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e573a0b.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e573a0b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e573a0b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e573a0b.exe -
Processes:
e573a0b.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e573a0b.exe -
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e573a0b.exedescription ioc process File opened (read-only) \??\L: e573a0b.exe File opened (read-only) \??\N: e573a0b.exe File opened (read-only) \??\Q: e573a0b.exe File opened (read-only) \??\E: e573a0b.exe File opened (read-only) \??\G: e573a0b.exe File opened (read-only) \??\K: e573a0b.exe File opened (read-only) \??\I: e573a0b.exe File opened (read-only) \??\S: e573a0b.exe File opened (read-only) \??\H: e573a0b.exe File opened (read-only) \??\M: e573a0b.exe File opened (read-only) \??\P: e573a0b.exe File opened (read-only) \??\J: e573a0b.exe File opened (read-only) \??\O: e573a0b.exe File opened (read-only) \??\R: e573a0b.exe -
Drops file in Program Files directory 4 IoCs
Processes:
e573a0b.exedescription ioc process File opened for modification C:\Program Files\7-Zip\7z.exe e573a0b.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe e573a0b.exe File opened for modification C:\Program Files\7-Zip\7zG.exe e573a0b.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe e573a0b.exe -
Drops file in Windows directory 2 IoCs
Processes:
e573a0b.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI e573a0b.exe File created C:\Windows\e573a79 e573a0b.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
e573a0b.exepid process 624 e573a0b.exe 624 e573a0b.exe 624 e573a0b.exe 624 e573a0b.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
e573a0b.exedescription pid process Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe Token: SeDebugPrivilege 624 e573a0b.exe -
Suspicious use of WriteProcessMemory 55 IoCs
Processes:
rundll32.exerundll32.exee573a0b.exedescription pid process target process PID 1224 wrote to memory of 2920 1224 rundll32.exe rundll32.exe PID 1224 wrote to memory of 2920 1224 rundll32.exe rundll32.exe PID 1224 wrote to memory of 2920 1224 rundll32.exe rundll32.exe PID 2920 wrote to memory of 624 2920 rundll32.exe e573a0b.exe PID 2920 wrote to memory of 624 2920 rundll32.exe e573a0b.exe PID 2920 wrote to memory of 624 2920 rundll32.exe e573a0b.exe PID 624 wrote to memory of 784 624 e573a0b.exe fontdrvhost.exe PID 624 wrote to memory of 792 624 e573a0b.exe fontdrvhost.exe PID 624 wrote to memory of 336 624 e573a0b.exe dwm.exe PID 624 wrote to memory of 2708 624 e573a0b.exe sihost.exe PID 624 wrote to memory of 2736 624 e573a0b.exe svchost.exe PID 624 wrote to memory of 2808 624 e573a0b.exe taskhostw.exe PID 624 wrote to memory of 3504 624 e573a0b.exe Explorer.EXE PID 624 wrote to memory of 3680 624 e573a0b.exe svchost.exe PID 624 wrote to memory of 3856 624 e573a0b.exe DllHost.exe PID 624 wrote to memory of 3948 624 e573a0b.exe StartMenuExperienceHost.exe PID 624 wrote to memory of 4016 624 e573a0b.exe RuntimeBroker.exe PID 624 wrote to memory of 780 624 e573a0b.exe SearchApp.exe PID 624 wrote to memory of 3792 624 e573a0b.exe RuntimeBroker.exe PID 624 wrote to memory of 4480 624 e573a0b.exe RuntimeBroker.exe PID 624 wrote to memory of 5012 624 e573a0b.exe TextInputHost.exe PID 624 wrote to memory of 2300 624 e573a0b.exe RuntimeBroker.exe PID 624 wrote to memory of 3128 624 e573a0b.exe backgroundTaskHost.exe PID 624 wrote to memory of 3056 624 e573a0b.exe backgroundTaskHost.exe PID 624 wrote to memory of 1224 624 e573a0b.exe rundll32.exe PID 624 wrote to memory of 2920 624 e573a0b.exe rundll32.exe PID 624 wrote to memory of 2920 624 e573a0b.exe rundll32.exe PID 2920 wrote to memory of 516 2920 rundll32.exe e573b73.exe PID 2920 wrote to memory of 516 2920 rundll32.exe e573b73.exe PID 2920 wrote to memory of 516 2920 rundll32.exe e573b73.exe PID 2920 wrote to memory of 3456 2920 rundll32.exe e5755d1.exe PID 2920 wrote to memory of 3456 2920 rundll32.exe e5755d1.exe PID 2920 wrote to memory of 3456 2920 rundll32.exe e5755d1.exe PID 624 wrote to memory of 784 624 e573a0b.exe fontdrvhost.exe PID 624 wrote to memory of 792 624 e573a0b.exe fontdrvhost.exe PID 624 wrote to memory of 336 624 e573a0b.exe dwm.exe PID 624 wrote to memory of 2708 624 e573a0b.exe sihost.exe PID 624 wrote to memory of 2736 624 e573a0b.exe svchost.exe PID 624 wrote to memory of 2808 624 e573a0b.exe taskhostw.exe PID 624 wrote to memory of 3504 624 e573a0b.exe Explorer.EXE PID 624 wrote to memory of 3680 624 e573a0b.exe svchost.exe PID 624 wrote to memory of 3856 624 e573a0b.exe DllHost.exe PID 624 wrote to memory of 3948 624 e573a0b.exe StartMenuExperienceHost.exe PID 624 wrote to memory of 4016 624 e573a0b.exe RuntimeBroker.exe PID 624 wrote to memory of 780 624 e573a0b.exe SearchApp.exe PID 624 wrote to memory of 3792 624 e573a0b.exe RuntimeBroker.exe PID 624 wrote to memory of 4480 624 e573a0b.exe RuntimeBroker.exe PID 624 wrote to memory of 5012 624 e573a0b.exe TextInputHost.exe PID 624 wrote to memory of 2300 624 e573a0b.exe RuntimeBroker.exe PID 624 wrote to memory of 3128 624 e573a0b.exe backgroundTaskHost.exe PID 624 wrote to memory of 516 624 e573a0b.exe e573b73.exe PID 624 wrote to memory of 516 624 e573a0b.exe e573b73.exe PID 624 wrote to memory of 2012 624 e573a0b.exe RuntimeBroker.exe PID 624 wrote to memory of 3456 624 e573a0b.exe e5755d1.exe PID 624 wrote to memory of 3456 624 e573a0b.exe e5755d1.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
e573a0b.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e573a0b.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:336
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2736
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2808
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3504
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3eebe1d61de9cc9cc17a09a66dfe5690_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3eebe1d61de9cc9cc17a09a66dfe5690_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Users\Admin\AppData\Local\Temp\e573a0b.exeC:\Users\Admin\AppData\Local\Temp\e573a0b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:624 -
C:\Users\Admin\AppData\Local\Temp\e573b73.exeC:\Users\Admin\AppData\Local\Temp\e573b73.exe4⤵
- Executes dropped EXE
PID:516 -
C:\Users\Admin\AppData\Local\Temp\e5755d1.exeC:\Users\Admin\AppData\Local\Temp\e5755d1.exe4⤵
- Executes dropped EXE
PID:3456
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3680
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3856
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3948
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4016
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:780
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3792
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4480
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:5012
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2300
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:3128
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3056
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2012
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573a0b.exeFilesize
97KB
MD572cdcff2b9a44ddd1d7522e62677d491
SHA17365289d96bbaa1a9dd4cf4eedafb6b6352d1916
SHA2561ddefe108c9fe1671d5202552fbe304b956e794eefc5c63ccf974f53678a16b4
SHA512da4f248305c30aae46c8414f592b5e05602647ad8e695b8edad5a28afebc86ccf0f4d40ceca3aa5ab7bed97a5eff66e9491f5929661c350e33f18fd10a8bb257
-
memory/516-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/516-107-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/516-58-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/516-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/516-63-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/624-40-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-67-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-19-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-28-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-31-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-29-0x0000000001A70000-0x0000000001A72000-memory.dmpFilesize
8KB
-
memory/624-17-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/624-103-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/624-84-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-83-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-18-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-11-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-9-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-8-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-6-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-36-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-37-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-38-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-39-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-30-0x0000000001A70000-0x0000000001A72000-memory.dmpFilesize
8KB
-
memory/624-42-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-43-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-82-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-52-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-54-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-55-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-20-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-80-0x0000000001A70000-0x0000000001A72000-memory.dmpFilesize
8KB
-
memory/624-78-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-75-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-24-0x0000000001A80000-0x0000000001A81000-memory.dmpFilesize
4KB
-
memory/624-10-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-66-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-74-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-70-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-73-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/624-72-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/2920-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2920-32-0x00000000015F0000-0x00000000015F2000-memory.dmpFilesize
8KB
-
memory/2920-21-0x00000000015F0000-0x00000000015F2000-memory.dmpFilesize
8KB
-
memory/2920-22-0x0000000004530000-0x0000000004531000-memory.dmpFilesize
4KB
-
memory/2920-25-0x00000000015F0000-0x00000000015F2000-memory.dmpFilesize
8KB
-
memory/3456-61-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3456-62-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3456-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3456-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3456-111-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB