Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    22-05-2024 21:05

General

  • Target

    3b740935520147afea5b306d569097b0_NeikiAnalytics.exe

  • Size

    34KB

  • MD5

    3b740935520147afea5b306d569097b0

  • SHA1

    342a270999b4bd8424a2841edf8d6d7b53f862a8

  • SHA256

    933b5acb7c2ccb1ebdb4612e907a2627757844178d1077b7a0c404eac1051ae2

  • SHA512

    49e052880c28539e8357f10bc188e43fd818a9a5c24114e872696a53a7186785f1629201c1778ddd1324846844011db5a117c5af1f9d83ddbab05624c57bb0af

  • SSDEEP

    768:UEzNbLcQ9qQuVriDMuyuruTD0qB77777J77c77c77c7nOTysMljy:l3h9qQA6hZunrB77777J77c77c77c7O7

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Executes dropped EXE 22 IoCs
  • Loads dropped DLL 53 IoCs
  • UPX packed file 35 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 33 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3b740935520147afea5b306d569097b0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe
      C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe
          C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
            "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
            5⤵
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of SetWindowsHookEx
            PID:2576
            • C:\Windows\splwow64.exe
              C:\Windows\splwow64.exe 12288
              6⤵
                PID:1348
            • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
              C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2524
              • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
                6⤵
                  PID:3016
                • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe
                  C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3028
                  • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                    C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
                    7⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:2888
                    • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe
                      C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:2616
                    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
                      8⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:2252
                    • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe
                      C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe
                      8⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:320
                      • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
                        9⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:984
                      • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
                        9⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of SetWindowsHookEx
                        PID:2312
                        • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe
                          C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe
                          10⤵
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          PID:1936
                        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                          "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
                          10⤵
                            PID:2804
                          • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe
                            C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe
                            10⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of SetWindowsHookEx
                            PID:2456
                            • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                              C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
                              11⤵
                              • Executes dropped EXE
                              • Suspicious use of SetWindowsHookEx
                              PID:2240
                            • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                              "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
                              11⤵
                                PID:2924
                              • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                                C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
                                11⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetWindowsHookEx
                                PID:2672
                                • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe
                                  C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe
                                  12⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Suspicious use of SetWindowsHookEx
                                  PID:1964
                                  • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                                    C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
                                    13⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2608
                                  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                                    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
                                    13⤵
                                      PID:2868
                                    • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                                      C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2840
                                  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                                    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
                                    12⤵
                                      PID:2656
                                    • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe
                                      C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3020
                              • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                                "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
                                9⤵
                                  PID:2020
                                • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                                  C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
                                  9⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:772
                                • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                                  C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
                                  9⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:972
                            • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                              "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
                              7⤵
                              • Suspicious behavior: AddClipboardFormatListener
                              • Suspicious use of SetWindowsHookEx
                              PID:1564
                            • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                              C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe
                              7⤵
                              • Executes dropped EXE
                              • Suspicious use of SetWindowsHookEx
                              PID:1688
                  • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                    C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:2660

                Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

                  Filesize

                  36KB

                • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

                  Filesize

                  86B

                • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

                  Filesize

                  118B

                • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

                  Filesize

                  118B

                • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

                  Filesize

                  154B

                • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\the [K]angen is back.doc.LNK

                  Filesize

                  1KB

                • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

                  Filesize

                  20KB

                • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

                  Filesize

                  2B

                • C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc

                  Filesize

                  6KB

                • C:\Users\Admin\AppData\Roaming\~$e [K]angen is back.doc

                  Filesize

                  162B

                • C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe

                  Filesize

                  36KB

                • \??\PIPE\srvsvc

                • \Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe

                  Filesize

                  43KB
