Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    23-06-2024 12:04

General

  • Target

    6b4af93c8ac3810a867a42c2e34476474556243e63761df2dfa6d0ae7147233e_NeikiAnalytics.exe

  • Size

    337KB

  • MD5

    4fcefc1cc5e5a2683523a5d01c986430

  • SHA1

    7dfcfc48f8913553c5635990daa75c48c3fad59e

  • SHA256

    6b4af93c8ac3810a867a42c2e34476474556243e63761df2dfa6d0ae7147233e

  • SHA512

    e6c025369312c95ba9554e89e20a4ae6442807b303f322a4ab5fd6cae60187ef392c99f961a2cd26940a033c18599b92317fa25f65fbb9fdf1e3315f5cebd78d

  • SSDEEP

    3072:8GY3Z3S2W2Tw35yoNAD3yKJzgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:8/i92TwJZAD3rz1+fIyG5jZkCwi8r

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 22 IoCs
  • Loads dropped DLL 48 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b4af93c8ac3810a867a42c2e34476474556243e63761df2dfa6d0ae7147233e_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6b4af93c8ac3810a867a42c2e34476474556243e63761df2dfa6d0ae7147233e_NeikiAnalytics.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\SysWOW64\Faokjpfd.exe
      C:\Windows\system32\Faokjpfd.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Windows\SysWOW64\Ffkcbgek.exe
        C:\Windows\system32\Ffkcbgek.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\SysWOW64\Ffnphf32.exe
          C:\Windows\system32\Ffnphf32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1192
          • C:\Windows\SysWOW64\Fbdqmghm.exe
            C:\Windows\system32\Fbdqmghm.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\Fddmgjpo.exe
              C:\Windows\system32\Fddmgjpo.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2484
              • C:\Windows\SysWOW64\Gpknlk32.exe
                C:\Windows\system32\Gpknlk32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2552
                • C:\Windows\SysWOW64\Gbijhg32.exe
                  C:\Windows\system32\Gbijhg32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:792
                  • C:\Windows\SysWOW64\Gkgkbipp.exe
                    C:\Windows\system32\Gkgkbipp.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1688
                    • C:\Windows\SysWOW64\Gdopkn32.exe
                      C:\Windows\system32\Gdopkn32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1848
                      • C:\Windows\SysWOW64\Gacpdbej.exe
                        C:\Windows\system32\Gacpdbej.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1632
                        • C:\Windows\SysWOW64\Gkkemh32.exe
                          C:\Windows\system32\Gkkemh32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1700
                          • C:\Windows\SysWOW64\Hgbebiao.exe
                            C:\Windows\system32\Hgbebiao.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:664
                            • C:\Windows\SysWOW64\Hdfflm32.exe
                              C:\Windows\system32\Hdfflm32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:1508
                              • C:\Windows\SysWOW64\Hpmgqnfl.exe
                                C:\Windows\system32\Hpmgqnfl.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in System32 directory
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1248
                                • C:\Windows\SysWOW64\Hnagjbdf.exe
                                  C:\Windows\system32\Hnagjbdf.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:2688
                                  • C:\Windows\SysWOW64\Hpocfncj.exe
                                    C:\Windows\system32\Hpocfncj.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • Modifies registry class
                                    PID:2996
                                    • C:\Windows\SysWOW64\Hpapln32.exe
                                      C:\Windows\system32\Hpapln32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in System32 directory
                                      • Modifies registry class
                                      PID:2064
                                      • C:\Windows\SysWOW64\Henidd32.exe
                                        C:\Windows\system32\Henidd32.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Drops file in System32 directory
                                        • Modifies registry class
                                        PID:1896
                                        • C:\Windows\SysWOW64\Hogmmjfo.exe
                                          C:\Windows\system32\Hogmmjfo.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Drops file in System32 directory
                                          • Modifies registry class
                                          PID:916
                                          • C:\Windows\SysWOW64\Idceea32.exe
                                            C:\Windows\system32\Idceea32.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Drops file in System32 directory
                                            • Modifies registry class
                                            PID:292
                                            • C:\Windows\SysWOW64\Iknnbklc.exe
                                              C:\Windows\system32\Iknnbklc.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Drops file in System32 directory
                                              • Modifies registry class
                                              PID:676
                                              • C:\Windows\SysWOW64\Iagfoe32.exe
                                                C:\Windows\system32\Iagfoe32.exe
                                                23⤵
                                                • Executes dropped EXE
                                                PID:1948
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 140
                                                  24⤵
                                                  • Loads dropped DLL
                                                  • Program crash
                                                  PID:2912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Fbdqmghm.exe

    Filesize

    337KB

    MD5

    cc9fcf1a2234ac0af85913b1d6894753

    SHA1

    75ba9963dc0b9b289456296e6ea00a6c29639976

    SHA256

    c71bc9ff0aed3431b77bdb5357924b56878b281de060f7e4a8785f242d653774

    SHA512

    76914980f656ccffe90e412428a51a83529392731fd5d2e9c4b93b133a3a42dff9052166094c34a3bf17cfc33f97fceeacb3e43f1517c050594ec6c86703e69c

  • C:\Windows\SysWOW64\Gbijhg32.exe

    Filesize

    337KB

    MD5

    e2043fe45de03f92bb703e764d093f98

    SHA1

    97e22d98568452f9dce934b64fe4330cd26bf413

    SHA256

    60f5255ef5c85e419b22b0d8fcef1ef6532615916812330f6a67bad8d37ede2b

    SHA512

    aa5d8a8fd7481bd0664c50847ac87886bd0a9dc72a9143e396f5eda52689ea339eb1813d75c83bd2dd61fce98e8025ac5c9618c5d653dd9319e9ff8a170e94ba

  • C:\Windows\SysWOW64\Gdopkn32.exe

    Filesize

    337KB

    MD5

    eaf5068692a203802e96a0b579370bdc

    SHA1

    15a45a3ed6e925433d932a4230dc1a62c338cec7

    SHA256

    fb10a480bc48813b3c0bdc33bae4076cd4b1e3490acd4bd543cbf6a9be89a889

    SHA512

    4f36bcfbb12704e9677338a0975588d9e787f432186fb5ea888561fffb28b9ec356c873a3c9fb0274cc7c620bc31a55fc0ee2ff4efc403d733e64b6879dae126

  • C:\Windows\SysWOW64\Gpknlk32.exe

    Filesize

    337KB

    MD5

    50463861c60bd94d96703c6ada97545e

    SHA1

    fa6e7900c41ba938e518eb0b41f9322497975fea

    SHA256

    f1a7272162c6c9b133d0c45cf1b50ea590daa2d3d0b3b9518fb09765b29d6213

    SHA512

    04142becce2b5fe4a5a7da43687f9f220b2bc76e340b7b56166db6de89d29b552dd6b249d6fa7d57b4442721a237963cac4d47547f9b7271577916b755d3c48f

  • C:\Windows\SysWOW64\Henidd32.exe

    Filesize

    337KB

    MD5

    c7a39bec42d1767759b36f2161520064

    SHA1

    66999deca1e4e7b13cc37a17b346fdd0ca59d7ac

    SHA256

    3286e454b431c135556c6ad6073fbfb1bdddb43e8cce5613c1cf2f25af38f6f9

    SHA512

    04b8260b2fe4370033512544d3865a27ceba5bc54ece73fd52e414bc07fbce7eb0cdd7f701f2c77fda9050efd524a725cf774e599530b718a28c2ccd3e4652b0

  • C:\Windows\SysWOW64\Hogmmjfo.exe

    Filesize

    337KB

    MD5

    43997ba81f4c9c4c0c4f4321431b5a8b

    SHA1

    5b9a5fe2a114fbf3f3496eb2b9a8b19989e56905

    SHA256

    1e6352c653cb0a2334b4892f863e3ea688aae0f14a7938a2ee1753941c982106

    SHA512

    ddb87644aecf46473493fa521d275ab0283aee79a0d7a83d288227591d1fc79036e0cf381d1f1ada3265e520b3912c8ace998e560c0e7298a80e8165616030ea

  • C:\Windows\SysWOW64\Hpapln32.exe

    Filesize

    337KB

    MD5

    e330821a8c5d449aceaa0ab358955685

    SHA1

    b202b6309811f0012ec54f3bb38da927b43b340c

    SHA256

    65f9a60c58bb24c4fbbea06fe9a2bda5c332aae54d219967c85e9cd6d3361d24

    SHA512

    542d1d1cd700004013fef4cf6dd48fd0b0491202f3270dfed28171e37d97f1bebfe6c8f1ba181b75d0cb9aaf2a29f67f297d638baece8b1048cb721b19897e9c

  • C:\Windows\SysWOW64\Iagfoe32.exe

    Filesize

    337KB

    MD5

    27c9460138baba5bd1e90c280b2ba9e3

    SHA1

    79ab5e9aad4939984824a5972be84c73bc6865f0

    SHA256

    a32e5cea3824043a4954cf54f70972f724433c7af517e0b4e7e15a2ac098088f

    SHA512

    728fa660d9bdee185e62a4dfba1533d87d96d22954b8c17df30c326429de618f7babff2ca5a79ec9b930029a9813ed5f62a9c6b788257b21805214bd61af79e3

  • C:\Windows\SysWOW64\Idceea32.exe

    Filesize

    337KB

    MD5

    cfb3bd1bc9156dc2ae12181df5d4f4ce

    SHA1

    f8107550253b443916f3ad51b062429115a5f88e

    SHA256

    085f2aeeddaafb3e0a3ce088ef068364eb021c32679653dac6beeac7e16f9bba

    SHA512

    d99bed7c565ab3d18997d37a5152bb874cfbb94742d74d00c13ae38a564b1770b06b553acf407ca3e6c87052c73fb5f2e6850119927db05823943c35744e4672

  • C:\Windows\SysWOW64\Iknnbklc.exe

    Filesize

    337KB

    MD5

    9b3e498cc2da318441be1479847473cc

    SHA1

    7f3962716856e398cf3609fdb3f58b8c0e9df462

    SHA256

    5b03eae948df1282022b622962ee1d117dd90e7dad5bbb9a9acb29379ae51a22

    SHA512

    27ba4c9839d0b383c48fff29b7db14738f9376cf41e248c8c22ce76e70ff79dbfe79a0c85774a9ea59679771f7184ebd6b93344af721a35e1f440952f855dbf2

  • \Windows\SysWOW64\Faokjpfd.exe

    Filesize

    337KB

    MD5

    6e12c94619463fda8bc43d2d3407d8e2

    SHA1

    6f2773fa644c73e12f626d0cc04a760734fcc917

    SHA256

    40cf60331741a5a0f94b4f43106dcd4c97c3d0e7202b37b96d2b773b626f2925

    SHA512

    6ed60abc8d260b413ef513daed559ad304c8233e72ad0bbc46fb64794308779615863e27af698fa8b7368262ba611004c391ee66f25730da3caa1cb1e1ff85ae

  • \Windows\SysWOW64\Fddmgjpo.exe

    Filesize

    337KB

    MD5

    e1d6879597a9b2c477cdaff2ca892591

    SHA1

    31b74a95cf1dea8b4c4f2bbe272cbf820f0f972e

    SHA256

    6b7455857bd40d55aa4f10d2eb6d00c8e61cc706354d837e1671854089054bfd

    SHA512

    6dcc3a87977407f8317e238476cca56126b3a32d879db93a6ef78b346feb45c3ac75da8b6fd905f7cc474818c0ba49cbc27c693dc73371a8674fc33b9f1ea5d1

  • \Windows\SysWOW64\Ffkcbgek.exe

    Filesize

    337KB

    MD5

    c750c63e9ba3b914bb3fe149ef4f1dfc

    SHA1

    7ec4de0c2c5463ee7e16286755894cca3d1607b1

    SHA256

    4843a915590b2722cb4bceabf412aab78dfce2313bc9cb21bd310b9d749135e6

    SHA512

    89a84b0bc20fe17e7cd37e8fa5ea74e9ee50077eb639c469e251cfa1eac7dcc4453f80f58b96222c9ea2856c45fe1142ede6ae898f9bf6b03905b502c31aa2c3

  • \Windows\SysWOW64\Ffnphf32.exe

    Filesize

    337KB

    MD5

    dc12af8a33dfc23e169de5af22939bbf

    SHA1

    e1702688272735da594750d7e09e485d99dc9fd2

    SHA256

    474bc2b8d8d1fb9ba97a4473a87c4e2e850d53ad3acea7100ae5bdbc5dee7a97

    SHA512

    4ebee594e1f70f96edbd1368d85755ea7c827260c3ded57f59b50c216b7de8c651b09a9d5cdb95c1c477afd2167894c23a980e2afaf6c663bd1226472e260012

  • \Windows\SysWOW64\Gacpdbej.exe

    Filesize

    337KB

    MD5

    f7efb3caea96c1d275e0f179140e612e

    SHA1

    9ca334e827caf10a77319d59f18332d1867f2e2d

    SHA256

    176660bb57376c9edea12fccd72e4921230f29ae475d6956735bc444512f7be7

    SHA512

    096dd0d8b851c255d46e2ed1e4947c765a3aaefee38e9e3d14869e03ebde7816fe442bea1b13a56c3f6a724ad7f650d8639859afb2e0c783b68f09347151db65

  • \Windows\SysWOW64\Gkgkbipp.exe

    Filesize

    337KB

    MD5

    821b60b297cde6bb8fd0adae8ce4fb82

    SHA1

    52f5ebd774d398e883efef418c26e1d0e9650c07

    SHA256

    ff30b0d3b03aa4a46adbc2f696a6306693805f1c0946deba81a334fa32ae12a6

    SHA512

    3043289d7c55ff8075e4c16c6456d4d95aa7bafccd065240a6b52183a64af406755dfe9039cd75928dfad56f24333ba959e211978241b067c53eeacd796b5c78

  • \Windows\SysWOW64\Gkkemh32.exe

    Filesize

    337KB

    MD5

    9db6d446bcbb22db9acbe502955d74b1

    SHA1

    f6cfdd8ebf6df900a160897799b60ab9fecfc769

    SHA256

    1590907ace54d0c79d82985109a6fdd57ceec3eefa994d3068617866eeb91fa6

    SHA512

    f5a495907d878a4d52fcc10836557c3abecc6939533181ab2977d4e0c524f36db7c1a574f9a3cbf0f30a7851c857fd386288c388c62ae22c4ea950a7248529ab

  • \Windows\SysWOW64\Hdfflm32.exe

    Filesize

    337KB

    MD5

    546206933446fecbe08b979fdd2f46b5

    SHA1

    ef8446e4337465c7e70cf3a3509f99d27c1649aa

    SHA256

    8172a3c76dbf9ae0e3b232957ad42b9aedfef555bab47016d43ec5ad6cd1865f

    SHA512

    f89ebaa2a8539a28374843059d892955fd0f2d689905a5fc744d4494eb3446c5bf6d0f0d906db110498374d945cb2fa639e15339b262d0327bb1fb8de6e5250f

  • \Windows\SysWOW64\Hgbebiao.exe

    Filesize

    337KB

    MD5

    0163dc3de4a733d082cad26983b78158

    SHA1

    775beafe2a0d44126278083004f1fdd9707e0c08

    SHA256

    5c146e05c932a0f87682496ecb0f36d56caf9208f40f48e250a612f229ec8a1d

    SHA512

    32c48892fdd65b2b03d07f308df677092e27f01f423486098e864ad10a7b07d655806109464018bf3f5b0ff136f5cc9041193c524a320a1d64978f64fd91f4a5

  • \Windows\SysWOW64\Hnagjbdf.exe

    Filesize

    337KB

    MD5

    bff851106b8861b378f64094b97db62a

    SHA1

    4c3bb4b786f0c8c1ab3cbee9a19576149c1b694f

    SHA256

    3a1015e3e05d9dba529bc55ef186b7af1fbc0465b6747f66b2fb9d4eece9b777

    SHA512

    15ed4f82a6253249899c810c4054843bebeb6f66ba0692636b6437e2e8fd673eee1dbaf439878673612d95f22579cec61255d9387c3b34a3b988d01de0c4e618

  • \Windows\SysWOW64\Hpmgqnfl.exe

    Filesize

    337KB

    MD5

    08d99251eb62f33a9789dcc83ac0536b

    SHA1

    d1471a462baaf2c8ab81dc34ed64b900527321c3

    SHA256

    cad4235c2dec879f081c1364fd9b041bf140f5a63e385dcc3b598dc9e3c413ed

    SHA512

    a886b1f235f8287573b73a09fa35a80116b1a7d7199ad30ba39579151cf1ef851aa171ae082249328ce49c7149d27f219150789136700132e25f070341c39e04

  • \Windows\SysWOW64\Hpocfncj.exe

    Filesize

    337KB

    MD5

    3243f0187667f919cf1350adc3b6528c

    SHA1

    00ac3edb0556c5ac0b29b1bebd9db0f7c4867e48

    SHA256

    7ebae41c4f7124295ba8843c45f664382e893bf298bb8100494f2be6513a1631

    SHA512

    e1cd23bce3fb147ef12662dbf78661ed7f0b8e9432d58707de0ef561fa118320e7b973fd91b030dae685da5b6654c913bac30ea657020e8d2c5048091f11c2e6

  • memory/292-310-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/292-277-0x0000000000270000-0x00000000002A3000-memory.dmp

    Filesize

    204KB

  • memory/292-276-0x0000000000270000-0x00000000002A3000-memory.dmp

    Filesize

    204KB

  • memory/292-270-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/664-302-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/664-181-0x00000000002F0000-0x0000000000323000-memory.dmp

    Filesize

    204KB

  • memory/664-168-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/676-288-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/676-278-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/676-311-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/676-287-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/792-297-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/792-98-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/792-110-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/916-309-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/916-269-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/916-257-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1192-55-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1192-42-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1192-293-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1248-196-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1248-304-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1248-209-0x0000000000290000-0x00000000002C3000-memory.dmp

    Filesize

    204KB

  • memory/1252-18-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1252-21-0x0000000000290000-0x00000000002C3000-memory.dmp

    Filesize

    204KB

  • memory/1508-194-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1508-303-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1508-182-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1632-300-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1632-152-0x00000000005D0000-0x0000000000603000-memory.dmp

    Filesize

    204KB

  • memory/1632-140-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1688-125-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1688-298-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1688-112-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1700-154-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1700-301-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1700-166-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1848-299-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1848-126-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1848-133-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1896-247-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1896-256-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1896-308-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1948-289-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2064-246-0x0000000000290000-0x00000000002C3000-memory.dmp

    Filesize

    204KB

  • memory/2064-307-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2064-236-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2064-245-0x0000000000290000-0x00000000002C3000-memory.dmp

    Filesize

    204KB

  • memory/2400-6-0x00000000002D0000-0x0000000000303000-memory.dmp

    Filesize

    204KB

  • memory/2400-290-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2400-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2484-88-0x0000000000300000-0x0000000000333000-memory.dmp

    Filesize

    204KB

  • memory/2484-70-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2484-295-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2552-89-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2552-97-0x00000000002F0000-0x0000000000323000-memory.dmp

    Filesize

    204KB

  • memory/2580-292-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2580-41-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2580-27-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2580-40-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2688-305-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2688-217-0x0000000001F50000-0x0000000001F83000-memory.dmp

    Filesize

    204KB

  • memory/2688-210-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2700-294-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2700-56-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2700-64-0x0000000000260000-0x0000000000293000-memory.dmp

    Filesize

    204KB

  • memory/2996-235-0x0000000000440000-0x0000000000473000-memory.dmp

    Filesize

    204KB

  • memory/2996-231-0x0000000000440000-0x0000000000473000-memory.dmp

    Filesize

    204KB

  • memory/2996-229-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB