Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 22:20
Behavioral task
behavioral1
Sample
1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe
-
Size
2.5MB
-
MD5
1d7c209d3fe49b48f00d22a367a25d20
-
SHA1
e188291b372a858870658efc1d965f04f89cbeb1
-
SHA256
b9264329c052618a08c48ba39c16263c7e06af5dee8704d78d73222cb820e4c6
-
SHA512
a55c758417613332c6f68fa1405906e4c673bebd4827cc52797c5e6fe8ff65ad34468f8a932528d8ea672db7bb0c8b652d183542828f3b587d4867b12548ce29
-
SSDEEP
49152:hxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyx4:hxx9NUFkQx753uWuCyyx4
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
spoolsv.exesvchost.exespoolsv.exe1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
spoolsv.exesvchost.exespoolsv.exe1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exeexplorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe -
Executes dropped EXE 4 IoCs
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exepid process 2424 explorer.exe 2348 spoolsv.exe 2824 svchost.exe 2944 spoolsv.exe -
Loads dropped DLL 4 IoCs
Processes:
1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exepid process 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 2424 explorer.exe 2348 spoolsv.exe 2824 svchost.exe -
Processes:
resource yara_rule behavioral1/memory/1752-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida \Windows\Resources\Themes\explorer.exe themida behavioral1/memory/2424-11-0x0000000000400000-0x0000000000A0E000-memory.dmp themida C:\Windows\Resources\spoolsv.exe themida behavioral1/memory/2348-23-0x0000000000400000-0x0000000000A0E000-memory.dmp themida \Windows\Resources\svchost.exe themida behavioral1/memory/2824-37-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2944-44-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1752-43-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2944-49-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2348-51-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1752-52-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2424-53-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2824-56-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2424-67-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2424-71-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2424-75-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe -
Processes:
1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe -
Drops file in System32 directory 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 2424 explorer.exe 2348 spoolsv.exe 2824 svchost.exe 2944 spoolsv.exe -
Drops file in Windows directory 4 IoCs
Processes:
1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exeexplorer.exespoolsv.exedescription ioc process File opened for modification \??\c:\windows\resources\themes\explorer.exe 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 1308 schtasks.exe 1864 schtasks.exe 2548 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exeexplorer.exesvchost.exepid process 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2824 svchost.exe 2424 explorer.exe 2824 svchost.exe 2824 svchost.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2824 svchost.exe 2824 svchost.exe 2424 explorer.exe 2424 explorer.exe 2824 svchost.exe 2824 svchost.exe 2424 explorer.exe 2424 explorer.exe 2824 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 2424 explorer.exe 2824 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe 2424 explorer.exe 2424 explorer.exe 2348 spoolsv.exe 2348 spoolsv.exe 2824 svchost.exe 2824 svchost.exe 2944 spoolsv.exe 2944 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 1752 wrote to memory of 2424 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe explorer.exe PID 1752 wrote to memory of 2424 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe explorer.exe PID 1752 wrote to memory of 2424 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe explorer.exe PID 1752 wrote to memory of 2424 1752 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe explorer.exe PID 2424 wrote to memory of 2348 2424 explorer.exe spoolsv.exe PID 2424 wrote to memory of 2348 2424 explorer.exe spoolsv.exe PID 2424 wrote to memory of 2348 2424 explorer.exe spoolsv.exe PID 2424 wrote to memory of 2348 2424 explorer.exe spoolsv.exe PID 2348 wrote to memory of 2824 2348 spoolsv.exe svchost.exe PID 2348 wrote to memory of 2824 2348 spoolsv.exe svchost.exe PID 2348 wrote to memory of 2824 2348 spoolsv.exe svchost.exe PID 2348 wrote to memory of 2824 2348 spoolsv.exe svchost.exe PID 2824 wrote to memory of 2944 2824 svchost.exe spoolsv.exe PID 2824 wrote to memory of 2944 2824 svchost.exe spoolsv.exe PID 2824 wrote to memory of 2944 2824 svchost.exe spoolsv.exe PID 2824 wrote to memory of 2944 2824 svchost.exe spoolsv.exe PID 2424 wrote to memory of 2756 2424 explorer.exe Explorer.exe PID 2424 wrote to memory of 2756 2424 explorer.exe Explorer.exe PID 2424 wrote to memory of 2756 2424 explorer.exe Explorer.exe PID 2424 wrote to memory of 2756 2424 explorer.exe Explorer.exe PID 2824 wrote to memory of 2548 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 2548 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 2548 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 2548 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 1308 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 1308 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 1308 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 1308 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 1864 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 1864 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 1864 2824 svchost.exe schtasks.exe PID 2824 wrote to memory of 1864 2824 svchost.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2944 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:22 /f5⤵
- Creates scheduled task(s)
PID:2548 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:23 /f5⤵
- Creates scheduled task(s)
PID:1308 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:24 /f5⤵
- Creates scheduled task(s)
PID:1864 -
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2756
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Resources\spoolsv.exeFilesize
2.5MB
MD57c94076d32d1bceb07e5f96dcb101084
SHA1d6ec35f4d904c715dd30a7ed683b2d15606237ad
SHA25628c350e4a3a6852385a54609dc3d7f8cb01680403c830191b5a2cceb8975d946
SHA5127ff7a212a5ab27c1d0e8571cf76647606e2f0ddc4cd6d6bbb26943899bec82a1b1dd1fc7a1a804f01bf118e275d0c4140c05c7f4e19bd981d5aaf1af65c8d093
-
\Windows\Resources\Themes\explorer.exeFilesize
2.5MB
MD5bc1e1901255e68bb7719a13818099d58
SHA1571b4a86d9040db04d2aaa34f12402ebd4fccf4e
SHA256bd619f13564c330721dc8b49c5e844b3502ef4f668eea076e41fbc2c0f1493b5
SHA512f1a10ba0723771a42c9a8a381005527a164cec840e8f19eec81586909429987d8f428a8f8a34e86edaca2992dae8a8e0d70904146bffd9f8343a4cd5ad8c9023
-
\Windows\Resources\svchost.exeFilesize
2.5MB
MD55704d0324e55747198f0522310b7d4ca
SHA126646538e84a30c36e3ee2bad88ee0e06dcd16fa
SHA256671334298110a007a19d74496f2c0f08495988c9c74f78f0ba026d4062a4e9ad
SHA512ff4654bf909bc5e12d12d98f8f2463522f6fa63b563adcac3a5d3b880eb89390d3bf4a34184566b3f1726c0dcd49c18f722b9431ed8a7c9e9ba570185929ac06
-
memory/1752-43-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1752-1-0x0000000077210000-0x0000000077212000-memory.dmpFilesize
8KB
-
memory/1752-52-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1752-0-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2348-23-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2348-34-0x00000000038A0000-0x0000000003EAE000-memory.dmpFilesize
6.1MB
-
memory/2348-51-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2424-22-0x00000000036C0000-0x0000000003CCE000-memory.dmpFilesize
6.1MB
-
memory/2424-11-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2424-53-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2424-55-0x00000000036C0000-0x0000000003CCE000-memory.dmpFilesize
6.1MB
-
memory/2424-67-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2424-71-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2424-75-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2824-41-0x0000000003600000-0x0000000003C0E000-memory.dmpFilesize
6.1MB
-
memory/2824-37-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2824-56-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2944-44-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2944-49-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB