Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    19/06/2024, 21:38

General

  • Target

    0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    499eb5354d018ee4a0a4eaa0d54d5de0

  • SHA1

    c228922423384522797e100bd239cc0146e9ee6a

  • SHA256

    0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5

  • SHA512

    d331d570993e7ca31111e68fd6803c3a3d2446074412111bbb47ed63a07b5bd12dcfe8adb34b51dae52a61a74fc43efbfe0bee3b45643274c16543a83c3ac2db

  • SSDEEP

    1536:npDnq+5h/tDSZ15Wwd4pDnq+5h/tDSZ15WwdM:npDRzSZaC4pDRzSZaCM

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 45 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 42 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2860
    • C:\Windows\babon.exe
      C:\Windows\babon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1852
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2076
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2864
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2032
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1412
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1708
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2380
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2568
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2372
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2964
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1180
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2956
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2284
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2300
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2328
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2552
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2712
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2808
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:400
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1616
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1528
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2428
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2796
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2420
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2280
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1500
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2220
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2772
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2528
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\lsass.exe

    Filesize

    91KB

    MD5

    499eb5354d018ee4a0a4eaa0d54d5de0

    SHA1

    c228922423384522797e100bd239cc0146e9ee6a

    SHA256

    0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5

    SHA512

    d331d570993e7ca31111e68fd6803c3a3d2446074412111bbb47ed63a07b5bd12dcfe8adb34b51dae52a61a74fc43efbfe0bee3b45643274c16543a83c3ac2db

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    6c9fd09eda54f6bbc2ada21378905c1d

    SHA1

    e5ebefda48dc28275f32b1bc913859f006235bf2

    SHA256

    6bd7a923ae6a4cfbdf2f23abc91fd284645f7f17acfb634e8406db24743b96b8

    SHA512

    ea0ca78a53ccdee48eaec4644e86df61eb188813d453cb4095837d69db242f6f0be5cc4be460ddb394a05c44a1ff9905d7ce1e8b6515c728586d0fcafb0f0cf4

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    d8a2c91b6ec6196842db2a5e927efb54

    SHA1

    dc2fb21aede9413a072364542f217d148a983e18

    SHA256

    1195f6a69a7ed52347e1e7ba2588d9ffbefc6485b0e4198d07652389deabdc8a

    SHA512

    1cadb1bc5fdc08605c31da4f07cafe752953df442ddd90b8f960ad307c43115b09484536b922db5ef4d5b90aa830bd78db6d2a5d0f3f0406455bb49148c320d1

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    a17446c35b98580558320cd961bd22a7

    SHA1

    d475f50991767bc6d43bfae09c3bf0c5c20e1b12

    SHA256

    ed66022c231bf356bc4119bf27843e9492ef2d6abfac49a74b1dacb4e20b9bea

    SHA512

    55759ffadc715505b8b25750d88d444dae7fc1f46e604abdea3f106ec6578142e7ff7c21d4f9d37ff8e025d1da10ecfdbccce000dd958b85a0f3e333284c4560

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    91KB

    MD5

    0699eb8bc57218baf8adf758f66f9b79

    SHA1

    6d6a655714aa9205e59a221d5c77e2bfc583cab5

    SHA256

    4ed306db4d8ba6894c3a449ba2b73ce075ffe949b9fbdf365e2af46e9885f72b

    SHA512

    ca7b06a5af7965e4a9a05d5dda95109ca1f02a9faab79884c667191cb6d9ecae3b26780e1a622c6dc097113b554795ea275ad9b6ec3f229b33fd880240b19b6d

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    91KB

    MD5

    4ecb9c5b4980529ea6599a7cc84d49d8

    SHA1

    f8f3c6124854dd94b54c67779792e05171e27dd5

    SHA256

    ca519af441d09714676353184b87534af2c388e4f88739959c65d6cb37405fe4

    SHA512

    654f55bb83393705e45bb50b13368d9ea1c235218543fe3e3c5321af34e74042fef0b37338a70f9ea6d90de8fa13e8fbbad194e761008e7c6b5e47b35f33bb54

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    91KB

    MD5

    dc881b9d7820739bbdfaf90c2cf2174b

    SHA1

    d323106374068a46802c6312ab1469d8870a33a0

    SHA256

    85583e6db4703f511fa8987aa46be82b8be0e776b3d71ac59cf7a1b3d8148570

    SHA512

    3a740b6a575ab6b53410ec90e36a3629f2aaa8e7e6ce6ed4e78a9d170fc8719d82fdbd349c3e00f974e40eeaaa30c693fd0fd2d5d0b7edd2e73efc2d919d5e31

  • C:\Windows\babon.exe

    Filesize

    91KB

    MD5

    5bc369b05cc2dca9ef9eefd32dcf25bd

    SHA1

    2a3153c3d04619cae4c27311cc6404091707efbd

    SHA256

    0efb078b29ab9e62b53b7ad2e5029b8f7d5a32e09529da45e39e869802589497

    SHA512

    67d1837b872531d9ce2c3933f45cca38b7ef989da1849c8a40bdfec63f5e1d10f70d63260415fff3c9ca7f19735b0bdfa8028d773a419c155a768ce165751123

  • C:\babon.exe

    Filesize

    91KB

    MD5

    92d6a2ee05a12f7b14fede19b6350a4d

    SHA1

    e3570dd1224da7992ea2b87cfb17cdd24d255bf9

    SHA256

    f98db8edb0ba425b6e7cdff2473122f43b412c5f8f81c53457e4334e330e1086

    SHA512

    49d0beaef83f07964833bdd13acfa3584b815991c72ca6ece493c0d460d3a09a1a057bcca47a0ee80019a93b419dd6b589dd024d8fd43bfce4944b73da75f3fe

  • C:\wangsit.txt

    Filesize

    359B

    MD5

    df2f3e6971a7548c1688706f9a9798a8

    SHA1

    e38539857523a1e7eb3aa857e017bf6461b16a08

    SHA256

    1fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918

    SHA512

    d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072

  • F:\autorun.inf

    Filesize

    41B

    MD5

    097661e74e667ec2329bc274acb87b0d

    SHA1

    91c68a6089af2f61035e2e5f2a8da8c908dc93ed

    SHA256

    aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

    SHA512

    e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

  • \Users\Admin\AppData\Local\WINDOWS\csrss.exe

    Filesize

    91KB

    MD5

    1f1486fa76ea76d07f2d914c43792131

    SHA1

    60a202e07462c23cc2fff3449693781c7162e920

    SHA256

    fd29f9f26f52f530c39a7dec9cb464e1d4c9d51751c748f84e84f92404cf7220

    SHA512

    7e249631df49a6ed2c2d9c5a9ab035c42e52132241aa81f8c22ce193595c964f99a341b00f87e9776f0ae2523f0f31bd8ed40dd070a5b1854903c3afb9c16780

  • \Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    91KB

    MD5

    c9fbcf153738a5138bf614ef23f600a8

    SHA1

    0c3002f9eaf91b49d9e9549d71a415d26c4edcf8

    SHA256

    8febaff7792460ab4cdd8569e4f436596e996756ca4a6750e2e86e48842f6a72

    SHA512

    70b6b4bdc00cad2b4ed81540752f96447e062cfe544c0f4f77e1bb8191ecb0f57487233709ebe7f96347013a05686c83a6cc16e00d24090cc40c18567d434950

  • \Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    91KB

    MD5

    3fac68d73c58f5602c3913859df2b940

    SHA1

    9434e8869d3486faf7aaaa41c93a632ded05be65

    SHA256

    af606ea739de4731ffd4c3d25fbdd0e50ef07764a775652f2dfe2a71de14e8b3

    SHA512

    9a9ef2c517a51b1e2c24444bfb1b8fb147202f2ec80da86f61d76cedd3ab5ae3e491201b5037a91c110d2a86ae4386b9bcd7341660c6ee6910371b538fc5a5ca

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    39584461c96d346443982e181f663ac7

    SHA1

    043861f55694dbb013801de46a616661c50e6673

    SHA256

    45c1450c743fcc086d31084ff10ced51920d272713429c602ceb859421c6cfac

    SHA512

    fd719e3e37844d3afa7ce5be2dc761b3fb8eb7820bfd383305be3067a4f9f8f606f19054a88f7e5d16a47b65632fb4ec6bcb02cd79444faf5aad4001f839226d

  • memory/1500-352-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1528-353-0x0000000000260000-0x0000000000270000-memory.dmp

    Filesize

    64KB

  • memory/1528-354-0x0000000000260000-0x0000000000270000-memory.dmp

    Filesize

    64KB

  • memory/1616-332-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2076-179-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2300-321-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2420-368-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

  • memory/2552-350-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2552-351-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2568-222-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2956-348-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

  • memory/2956-349-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB