Analysis

  • max time kernel
    155s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2024, 18:30

General

  • Target

    0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe

  • Size

    2.0MB

  • MD5

    0b12672f24b6406579c183750a1edc90

  • SHA1

    851a37da37d160094740f690a0aa3f09f228c677

  • SHA256

    27f967df5a697fb54a11f2f75b5ac560e6110369c491e90998b2c5b0a2f9a025

  • SHA512

    8f7da691e66ef37a2bc7a41fa57aa510f54b4722eda5cd8b9303b0f78bd4f6c71ac5ac8d97ffa7e900edd608a862549fa966065077035c7b293eab275b3e2bc4

  • SSDEEP

    49152:Zl20i8Ewu1R1v0njTDQRyGw0qksDM2jh3BqS7YtGL/Als:i0R4p0nfDQR6MMQS7kGLws

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 24 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1444
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    PID:2000
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:3972
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:1648
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3944
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4944
    • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4640
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:3088
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:4588
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:756
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:5044
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:3408
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:3476
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:4404
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:3320
    • C:\Windows\system32\spectrum.exe
      C:\Windows\system32\spectrum.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:4544
    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      C:\Windows\System32\OpenSSH\ssh-agent.exe
      1⤵
      • Executes dropped EXE
      PID:228
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
      1⤵
        PID:1936
      • C:\Windows\system32\TieringEngineService.exe
        C:\Windows\system32\TieringEngineService.exe
        1⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:2480
      • C:\Windows\system32\AgentService.exe
        C:\Windows\system32\AgentService.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Executes dropped EXE
        PID:2988
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1796
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3332
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
        • Executes dropped EXE
        PID:3520
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:5392
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
          2⤵
          • Modifies data under HKEY_USERS
          PID:5428
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:5912

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

                Filesize

                2.2MB

                MD5

                2e38c4b94f42514e03d80c750e0a6f97

                SHA1

                2cb10938e6d99ff00e7f03bdc19c6b6af9b699e3

                SHA256

                ace385c57fe11efead316ab7b784233d002369a0f4c95a89cb86d5d2eb367b4b

                SHA512

                28fe25e48ff89ae00aca50cc7dd139b778f993239b8486521bf46d08c3332c194ec1edfcc975517782e82fbf378a2d8796b8c46e502187a16ef5fba22352dcb4

              • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                Filesize

                781KB

                MD5

                6d405801d539728565476a44874bd1ed

                SHA1

                bf28e257bd4db5a88158b4c85af4c5d360b6723e

                SHA256

                32827926c86d28138abf836c00353b51b30e1f905e821a9ed56dd5f17fd72fdb

                SHA512

                1732281056e4ab11a0c17e25c3cd4d7fa342c9167dbd1c9137209d5ffe09805135c57eb6cff235de6238ade842c7ad88ddc71bee980e52ff0cf7866266fe064b

              • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

                Filesize

                805KB

                MD5

                1acba3d3475f007063e5a1cccff4b8e2

                SHA1

                3b20e0e67153776928b33a4daf60e87303588497

                SHA256

                62aab7167bcc649d9dc16f50a19c9daaab679c2c585e12142bdadb64e2040a1f

                SHA512

                24fba74141df4d2bbfaf8bc9ef2a68d34e958ae62c7b351389e6dbcd375eaf36fae6659102a7bed148575bca92247ab39647dda879805f81ea8f67af7776d01c

              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

                Filesize

                2.1MB

                MD5

                a9bfa588ba5b070ab9032ab6a8b4447e

                SHA1

                2d5fa55d61ac4d800fcbf48841d390a44eb88e7f

                SHA256

                a5d1acdb64a2dd6b7196eeb9fdfb8a2c637a7817b36ea2e46a5a55588d7f0ea9

                SHA512

                3c49b8f2a27092a01129c8fa7e6c4a4a6c4d36812ae29746a674a9f91844f926eddf18e0203686f6e3bac97b4e9d89d78196f7f5d82d3a539835147fba9027e8

              • C:\Windows\SysWOW64\perfhost.exe

                Filesize

                588KB

                MD5

                43c2c964f668cb3786b5c9d2116e352b

                SHA1

                4f38870664aed0b12c33f2a9d1f3bff92eb45482

                SHA256

                fb7f8401e57f43eb27e8bd998e0189c6d7b715b503dfcb32f23427c1c954b878

                SHA512

                1de2706d92c4e60c4d049aead7b6b0018719fe8ab907714a5601ca93f2773fcf242461a6ac2f1244e03104bd137c9b8f96c1cf67617c757974bfe6ad722f5af5

              • C:\Windows\System32\AgentService.exe

                Filesize

                1.7MB

                MD5

                3948a9ec69697cd311c344dca32b0ac1

                SHA1

                5d60f51c67277cba95ba5ceec8c814856417599a

                SHA256

                c4e773a0978b84d1e3bdf9d1a7d8944cb1e0afc7a3acbcf7f83796d0906e97e5

                SHA512

                d263478ce069d9cfe7121948ebdff961b5c79bca2d0360a039c2bb700289f7bb2c28bc8203f1c3100d6658fa576fecb2667701359e4fd5ac66174104d4f122af

              • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

                Filesize

                659KB

                MD5

                91392a4a3c4dc419f5fef04a8939f7cc

                SHA1

                30119ffb53d493193b6e5e4dfaca2bbffb456cf5

                SHA256

                e361fe7c10867d6070c598051317c3bd58717f9eadce8bc59f0cf3ebe037eba1

                SHA512

                199e63461c3721e09ee56daa14d7013111c2430822ace0d6346302edbd0c5a7cacd53d42e6dd436b0aaafc0dc43678231755944d9910304bf24a0e4afae19f84

              • C:\Windows\System32\FXSSVC.exe

                Filesize

                1.2MB

                MD5

                0311a593a68d84830b9ead36f09d9367

                SHA1

                a37556ea4c1804974cec3e5129d5f9e5bc2a439d

                SHA256

                f1585bc41ac6013239ffc4a93b9773382d3c0891faef07a605ee73ee970122e1

                SHA512

                6feacd26aa455c502977e1be54b34df118fbb7faf09f25cc6cce756db254cf87a19f3a089905220ffa74242d9d0bdcff4578671586b9ec26bc177b8bbb7fe96c

              • C:\Windows\System32\Locator.exe

                Filesize

                578KB

                MD5

                d6598d3a83efa09d4ed043ef0e0cee61

                SHA1

                dc2077f614db1ef616ce0842cccd931f824c5290

                SHA256

                ab315d3b425157438027ebbbf1fb08786229979cb18ba2681a266069112d7c0a

                SHA512

                375f13b9aaadfbac6c0cbc9f993c8c22eac924f14dc5a12662815ac86d0dae8a44d23fca1adac0544f45e5a8e21d46a03d2a8b6ef5adb36d44aee436624c84a8

              • C:\Windows\System32\OpenSSH\ssh-agent.exe

                Filesize

                940KB

                MD5

                c55c028b7298daed41f1c64b688dcf16

                SHA1

                b1bb56cca472e4080a72ce2794cd29f370616842

                SHA256

                3b0d8065d529d62a784335cfefdfaa01a4b3631a3aeeace8de0b9ab08e4f8289

                SHA512

                efc8b932622c0611387ba15f697954e5a17dc3efda8c30d98d9f7e06d8f1bc848706e3c8de251595c8d3847a427314461261c493c98e9387ef18d4412de7180b

              • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

                Filesize

                671KB

                MD5

                e59d8b9c7266da6cfc953ca569b76c86

                SHA1

                2b22cfb98f71a72b0aa0503a72e21513041a4328

                SHA256

                ee738a15099afbfc702277afcfcc1e4e50cb36279fa5244e65eeed0b368a0687

                SHA512

                f5125579ef3dcd57f83eca9344a7bef596ad76d704ab6102857a0e96cd654c99e0d1c0184e241d4724fcdec5b4d1664d17f3e904674f89d1336ea4c9af550a06

              • C:\Windows\System32\SearchIndexer.exe

                Filesize

                1.4MB

                MD5

                028653951879158122b7f9cd7c9d78a6

                SHA1

                658f4e4eec2244b9a2d4c74bb42fc2884d976745

                SHA256

                9e6e0ee8e2052be71d3dd8138377c190b5b426e3b0d6c0861ceafce55c367d13

                SHA512

                9561f0fd518c5c964b5a6b862626e71324a77723409190d906029b19ae7bc4cfc8547d2c032e96c2413a2b5cc04c1bc57c44d07733ddc42e7f3737196a60437b

              • C:\Windows\System32\SensorDataService.exe

                Filesize

                1.8MB

                MD5

                6a9201fd5e86d5547fb014785b7350e5

                SHA1

                ee3a7b1585992e81dac41298e2773107b5ce5f47

                SHA256

                e73693cea9931f3899d7a7531dd708985e379002f6bdeb47f99f0a35aba69ef5

                SHA512

                4476e9a217e81f048f39cafeb7fce8d25f150c0c6925488574dbfd9eb91b0f6de482278da4c63bec98a8c8943ca708f44d4f8967a4bdb2eeefa17627ba2f6ac1

              • C:\Windows\System32\Spectrum.exe

                Filesize

                1.4MB

                MD5

                d9fc70d50880e4964a64d81e2d18c1bf

                SHA1

                cd6e50d280f5c1daefa994fda5d2cc4afe936e70

                SHA256

                0e76bad719732501f80268aa1f78358e4216d5c5b8f2e64ca0f68673e8edb1c4

                SHA512

                6e932479bfe7ae3b2189a9435948ec4cfd53062e337f2ad553d4e4c52eecd757131f675276a544377d3efb41c97fe4c5fc444e5e59c03e99edbb510f83bc0458

              • C:\Windows\System32\TieringEngineService.exe

                Filesize

                885KB

                MD5

                ee448624f1899acbd80fb5a56d5554b9

                SHA1

                b0855cf7a131281910c7de183bf0badd519b2213

                SHA256

                7d64cad371b8d4b712c4bcba9aad02585bb99fe2db6e6b4caf538237b79b1f1e

                SHA512

                b6e60b4f3426a5a3995f513f3f25d0a9b916c4069871df86f5b47b2c455e324ecea8d7f853f478ddea5edadd5d18b396de69f80abaae44a750f46b5533f94ea1

              • C:\Windows\System32\VSSVC.exe

                Filesize

                2.0MB

                MD5

                61fbff1f10ee5371ccc628fb1de6c023

                SHA1

                ec3f397b548e708369c48c91e30f15716fc87677

                SHA256

                431873a399e7be1644542809e3ec98652ee358c387a446a02b10b71b4a0346da

                SHA512

                55113217aa5f654e37dde32103beca540b54d98ccf140814c7fd9c1fa60fc8258db447ba987a620d28555d02f8b44da21300e3a2a73d97c7e4552bf67bbda939

              • C:\Windows\System32\alg.exe

                Filesize

                661KB

                MD5

                60b18b3c4e5f477c604e9454c105aa0a

                SHA1

                017bcec76e549726a8eceb46d88fda08ed7ed113

                SHA256

                a867039a78a9d8d486a2e992dadc8b12e8420ecbb319fd46fc5f373690119480

                SHA512

                79b723f9a2ada7e4c2a962a1d435efef6f6f4dddf637eb3c8e9eba2f1bef74f1b87c29884a1568455b29eb16e7829421d79f61cbd0cdd2974369016040c00a70

              • C:\Windows\System32\msdtc.exe

                Filesize

                712KB

                MD5

                a8adb3e2a60de7e8490bdd0390b4188d

                SHA1

                98af378d56aba73c554a591dbb81deea3a6ad34b

                SHA256

                5e7e0f62e7f34d31a1fe730b5c60aee9bb009bdc6308f308e7aaaccb80ae9697

                SHA512

                f05c12cee1f5ad7fb247bef07200acff0d0585b646c29b9f0f1e47a1bcf377408c2c63583a685de7b53b1b2b6c41e9c311334e5ee578382c2006a526b75dc8bc

              • C:\Windows\System32\snmptrap.exe

                Filesize

                584KB

                MD5

                e6c6f052c3f41e7cf85e84671f9356c5

                SHA1

                687366db754c9a79408de546d7f8381b6cde474a

                SHA256

                148e190134e984d332ed943f205c20c9476cb507eac158afb2a03afaed086553

                SHA512

                1f9e5fee1679343e1a7fcad86ade51e1d17c897530973959b38b4a5d25f564b040f18b060b74e6dd1319df9a36898b1ee29afa678b9c8a987b5f897a0e8d9d3c

              • C:\Windows\System32\vds.exe

                Filesize

                1.3MB

                MD5

                e1f58f1f2cd8e16f8c51774c793fb75f

                SHA1

                88e9e80d255f37031de20611eaf356dc9c9c3b36

                SHA256

                62c0b6d70c68ae563e44dfc57c8b2f9d87646522de10933bbf87e3d360113114

                SHA512

                69c8a3b6a6b390b9c01091de8a5e858d4ff00f2240f2000fef1dc7c6bc13da904fd05d2107b27484cc91c36c968b1b594e68df1dbb2dbdd4ccd73a5823373456

              • C:\Windows\System32\wbem\WmiApSrv.exe

                Filesize

                772KB

                MD5

                8ab6db6e7ff9b8a3dbf2560373148118

                SHA1

                202c303824587029ee1344338de168b0df564fc9

                SHA256

                ba0140525dc8f23bae1e443070453bcaeab9bdcbba47162f2607959f0c963f29

                SHA512

                b16b0c0402200998a19dbf87c081bbafaf276ceaad9006c349a16b6e9e4660b50fe27e182e0794a1c67f123c0c46849b70feff9bf26fdd5e071fa53fafb80274

              • C:\Windows\System32\wbengine.exe

                Filesize

                2.1MB

                MD5

                c36f8e2415f41f28bf8143a7c170be09

                SHA1

                c2b1f9240b2cd9ecdc59bd66c6789a6f48b6ac0f

                SHA256

                174d6996caf05abb8b798e80bee2670d6164efdf68beb2ab751fe426ae1fb6df

                SHA512

                536446b120c1c59edefdace2a9a89a1ee238d04e48accaa7cdae767d2cd9b46c57d19119b43c3c72992a4ab0241d9e705bd3985daa3b0203ec5aa70f4298e349

              • memory/228-136-0x0000000140000000-0x0000000140102000-memory.dmp

                Filesize

                1.0MB

              • memory/228-279-0x0000000140000000-0x0000000140102000-memory.dmp

                Filesize

                1.0MB

              • memory/756-81-0x00000000007D0000-0x0000000000830000-memory.dmp

                Filesize

                384KB

              • memory/756-155-0x0000000140000000-0x00000001400CF000-memory.dmp

                Filesize

                828KB

              • memory/756-83-0x0000000140000000-0x00000001400CF000-memory.dmp

                Filesize

                828KB

              • memory/756-75-0x00000000007D0000-0x0000000000830000-memory.dmp

                Filesize

                384KB

              • memory/1444-0-0x0000000000400000-0x0000000000606000-memory.dmp

                Filesize

                2.0MB

              • memory/1444-33-0x0000000000400000-0x0000000000606000-memory.dmp

                Filesize

                2.0MB

              • memory/1444-7-0x0000000002F00000-0x0000000002F67000-memory.dmp

                Filesize

                412KB

              • memory/1444-6-0x0000000002F00000-0x0000000002F67000-memory.dmp

                Filesize

                412KB

              • memory/1444-1-0x0000000002F00000-0x0000000002F67000-memory.dmp

                Filesize

                412KB

              • memory/1796-160-0x0000000140000000-0x00000001401FC000-memory.dmp

                Filesize

                2.0MB

              • memory/1796-313-0x0000000140000000-0x00000001401FC000-memory.dmp

                Filesize

                2.0MB

              • memory/2000-100-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

              • memory/2000-12-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

              • memory/2160-151-0x0000000140000000-0x00000001401C0000-memory.dmp

                Filesize

                1.8MB

              • memory/2160-153-0x0000000140000000-0x00000001401C0000-memory.dmp

                Filesize

                1.8MB

              • memory/2480-301-0x0000000140000000-0x00000001400E2000-memory.dmp

                Filesize

                904KB

              • memory/2480-147-0x0000000140000000-0x00000001400E2000-memory.dmp

                Filesize

                904KB

              • memory/2988-304-0x0000000140000000-0x0000000140147000-memory.dmp

                Filesize

                1.3MB

              • memory/2988-156-0x0000000140000000-0x0000000140147000-memory.dmp

                Filesize

                1.3MB

              • memory/3088-57-0x0000000002290000-0x00000000022F0000-memory.dmp

                Filesize

                384KB

              • memory/3088-56-0x0000000140000000-0x00000001400CA000-memory.dmp

                Filesize

                808KB

              • memory/3088-63-0x0000000002290000-0x00000000022F0000-memory.dmp

                Filesize

                384KB

              • memory/3088-69-0x0000000140000000-0x00000001400CA000-memory.dmp

                Filesize

                808KB

              • memory/3088-67-0x0000000002290000-0x00000000022F0000-memory.dmp

                Filesize

                384KB

              • memory/3320-218-0x0000000140000000-0x0000000140096000-memory.dmp

                Filesize

                600KB

              • memory/3320-119-0x0000000140000000-0x0000000140096000-memory.dmp

                Filesize

                600KB

              • memory/3332-164-0x0000000140000000-0x0000000140216000-memory.dmp

                Filesize

                2.1MB

              • memory/3332-326-0x0000000140000000-0x0000000140216000-memory.dmp

                Filesize

                2.1MB

              • memory/3408-102-0x0000000000730000-0x0000000000797000-memory.dmp

                Filesize

                412KB

              • memory/3408-163-0x0000000000400000-0x0000000000497000-memory.dmp

                Filesize

                604KB

              • memory/3408-101-0x0000000000400000-0x0000000000497000-memory.dmp

                Filesize

                604KB

              • memory/3408-107-0x0000000000730000-0x0000000000797000-memory.dmp

                Filesize

                412KB

              • memory/3476-112-0x0000000140000000-0x0000000140095000-memory.dmp

                Filesize

                596KB

              • memory/3476-167-0x0000000140000000-0x0000000140095000-memory.dmp

                Filesize

                596KB

              • memory/3520-335-0x0000000140000000-0x00000001400C6000-memory.dmp

                Filesize

                792KB

              • memory/3520-168-0x0000000140000000-0x00000001400C6000-memory.dmp

                Filesize

                792KB

              • memory/3944-29-0x0000000140000000-0x0000000140135000-memory.dmp

                Filesize

                1.2MB

              • memory/3944-32-0x0000000140000000-0x0000000140135000-memory.dmp

                Filesize

                1.2MB

              • memory/3972-25-0x00000000006C0000-0x0000000000720000-memory.dmp

                Filesize

                384KB

              • memory/3972-17-0x00000000006C0000-0x0000000000720000-memory.dmp

                Filesize

                384KB

              • memory/3972-16-0x0000000140000000-0x00000001400A9000-memory.dmp

                Filesize

                676KB

              • memory/3972-111-0x0000000140000000-0x00000001400A9000-memory.dmp

                Filesize

                676KB

              • memory/4404-222-0x0000000140000000-0x00000001401D7000-memory.dmp

                Filesize

                1.8MB

              • memory/4404-115-0x0000000140000000-0x00000001401D7000-memory.dmp

                Filesize

                1.8MB

              • memory/4404-172-0x0000000140000000-0x00000001401D7000-memory.dmp

                Filesize

                1.8MB

              • memory/4544-236-0x0000000140000000-0x0000000140169000-memory.dmp

                Filesize

                1.4MB

              • memory/4544-123-0x0000000140000000-0x0000000140169000-memory.dmp

                Filesize

                1.4MB

              • memory/4588-150-0x0000000140000000-0x00000001400B9000-memory.dmp

                Filesize

                740KB

              • memory/4588-71-0x0000000140000000-0x00000001400B9000-memory.dmp

                Filesize

                740KB

              • memory/4640-135-0x0000000140000000-0x0000000140245000-memory.dmp

                Filesize

                2.3MB

              • memory/4640-45-0x0000000140000000-0x0000000140245000-memory.dmp

                Filesize

                2.3MB

              • memory/4640-52-0x0000000000890000-0x00000000008F0000-memory.dmp

                Filesize

                384KB

              • memory/4640-46-0x0000000000890000-0x00000000008F0000-memory.dmp

                Filesize

                384KB

              • memory/4820-338-0x0000000140000000-0x0000000140179000-memory.dmp

                Filesize

                1.5MB

              • memory/4820-173-0x0000000140000000-0x0000000140179000-memory.dmp

                Filesize

                1.5MB

              • memory/4944-42-0x0000000140000000-0x0000000140237000-memory.dmp

                Filesize

                2.2MB

              • memory/4944-34-0x0000000000520000-0x0000000000580000-memory.dmp

                Filesize

                384KB

              • memory/4944-40-0x0000000000520000-0x0000000000580000-memory.dmp

                Filesize

                384KB

              • memory/4944-122-0x0000000140000000-0x0000000140237000-memory.dmp

                Filesize

                2.2MB

              • memory/5044-159-0x0000000140000000-0x00000001400AB000-memory.dmp

                Filesize

                684KB

              • memory/5044-89-0x0000000140000000-0x00000001400AB000-memory.dmp

                Filesize

                684KB

              • memory/5044-96-0x0000000000BB0000-0x0000000000C10000-memory.dmp

                Filesize

                384KB

              • memory/5044-90-0x0000000000BB0000-0x0000000000C10000-memory.dmp

                Filesize

                384KB