Analysis
-
max time kernel
148s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
-
submitted
29-06-2024 09:30
Static task
static1
Behavioral task
behavioral1
Sample
95c204834486f226cccd446454c8781489efccdeb8332ac004908ab2963ac944_NeikiAnalytics.dll
Resource
win7-20240508-en
General
-
Target
95c204834486f226cccd446454c8781489efccdeb8332ac004908ab2963ac944_NeikiAnalytics.dll
-
Size
120KB
-
MD5
6df4ec2a8a91a5995e55d16bf4b72d40
-
SHA1
50b4fc4ccbf934947d13ea0b209cb2d64bd2d6e2
-
SHA256
95c204834486f226cccd446454c8781489efccdeb8332ac004908ab2963ac944
-
SHA512
eaaf21a0a5ae86c5700bd4ab09620ecb9060f1e8aac2f352518111d47e2293bc33e10a3aac3ca9790aadc823064a34cdd1e0074cf77235dbe943ee485dc0fbd2
-
SSDEEP
3072:5Zi8aCojvqs5R+SdWRgHErlSPJRvsGE7MzXwv:5b8vf53dqTr8vREAy
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
e574fc6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574fc6.exe
-
Processes:
e574fc6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574fc6.exe
-
Processes:
e574fc6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574fc6.exe
-
Executes dropped EXE 4 IoCs
Processes:
e574fc6.exe, e5750cf.exe, e576b4d.exe, e576b5c.exe
pid | process
4564 | e574fc6.exe
2272 | e5750cf.exe
2260 | e576b4d.exe
2036 | e576b5c.exe
-
Processes:
e574fc6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574fc6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574fc6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574fc6.exe
-
Processes:
e574fc6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574fc6.exe
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e574fc6.exe
description | ioc | process
File opened (read-only) | \??\J: | e574fc6.exe
File opened (read-only) | \??\N: | e574fc6.exe
File opened (read-only) | \??\R: | e574fc6.exe
File opened (read-only) | \??\H: | e574fc6.exe
File opened (read-only) | \??\I: | e574fc6.exe
File opened (read-only) | \??\P: | e574fc6.exe
File opened (read-only) | \??\S: | e574fc6.exe
File opened (read-only) | \??\Q: | e574fc6.exe
File opened (read-only) | \??\E: | e574fc6.exe
File opened (read-only) | \??\G: | e574fc6.exe
File opened (read-only) | \??\K: | e574fc6.exe
File opened (read-only) | \??\L: | e574fc6.exe
File opened (read-only) | \??\M: | e574fc6.exe
File opened (read-only) | \??\O: | e574fc6.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
e574fc6.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e574fc6.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e574fc6.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e574fc6.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e574fc6.exe
-
Drops file in Windows directory 2 IoCs
Processes:
e574fc6.exe
description | ioc | process
File created | C:\Windows\e575023 | e574fc6.exe
File opened for modification | C:\Windows\SYSTEM.INI | e574fc6.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
e574fc6.exe
pid | process
4564 | e574fc6.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
e574fc6.exe
description | pid | process
Token: SeDebugPrivilege | 4564 | e574fc6.exe
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
rundll32.exe, rundll32.exe, e574fc6.exe
description | pid | process | target process
PID 4488 wrote to memory of 3524 | 4488 | rundll32.exe | rundll32.exe
PID 3524 wrote to memory of 4564 | 3524 | rundll32.exe | e574fc6.exe
PID 4564 wrote to memory of 776 | 4564 | e574fc6.exe | fontdrvhost.exe
PID 4564 wrote to memory of 784 | 4564 | e574fc6.exe | fontdrvhost.exe
PID 4564 wrote to memory of 384 | 4564 | e574fc6.exe | dwm.exe
PID 4564 wrote to memory of 3060 | 4564 | e574fc6.exe | sihost.exe
PID 4564 wrote to memory of 2204 | 4564 | e574fc6.exe | svchost.exe
PID 4564 wrote to memory of 3084 | 4564 | e574fc6.exe | taskhostw.exe
PID 4564 wrote to memory of 3444 | 4564 | e574fc6.exe | Explorer.EXE
PID 4564 wrote to memory of 3584 | 4564 | e574fc6.exe | svchost.exe
PID 4564 wrote to memory of 3768 | 4564 | e574fc6.exe | DllHost.exe
PID 4564 wrote to memory of 3856 | 4564 | e574fc6.exe | StartMenuExperienceHost.exe
PID 4564 wrote to memory of 3920 | 4564 | e574fc6.exe | RuntimeBroker.exe
PID 4564 wrote to memory of 4052 | 4564 | e574fc6.exe | SearchApp.exe
PID 4564 wrote to memory of 4020 | 4564 | e574fc6.exe | RuntimeBroker.exe
PID 4564 wrote to memory of 4384 | 4564 | e574fc6.exe | RuntimeBroker.exe
PID 4564 wrote to memory of 2164 | 4564 | e574fc6.exe | TextInputHost.exe
PID 4564 wrote to memory of 4488 | 4564 | e574fc6.exe | rundll32.exe
PID 4564 wrote to memory of 3524 | 4564 | e574fc6.exe | rundll32.exe
PID 3524 wrote to memory of 2272 | 3524 | rundll32.exe | e5750cf.exe
PID 3524 wrote to memory of 2260 | 3524 | rundll32.exe | e576b4d.exe
PID 3524 wrote to memory of 2036 | 3524 | rundll32.exe | e576b5c.exe
PID 4564 wrote to memory of 2272 | 4564 | e574fc6.exe | e5750cf.exe
PID 4564 wrote to memory of 2260 | 4564 | e574fc6.exe | e576b4d.exe
PID 4564 wrote to memory of 2036 | 4564 | e574fc6.exe | e576b5c.exe
-
System policy modification 1 TTPs 1 IoCs
Processes:
e574fc6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574fc6.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
-
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
-
C:\Windows\system32\dwm.exe
"dwm.exe"
-
C:\Windows\system32\sihost.exe
sihost.exe
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
-
  C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\95c204834486f226cccd446454c8781489efccdeb8332ac004908ab2963ac944_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\95c204834486f226cccd446454c8781489efccdeb8332ac004908ab2963ac944_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
-
      C:\Users\Admin\AppData\Local\Temp\e574fc6.exe
      C:\Users\Admin\AppData\Local\Temp\e574fc6.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
-
      C:\Users\Admin\AppData\Local\Temp\e5750cf.exe
      C:\Users\Admin\AppData\Local\Temp\e5750cf.exe
      - Executes dropped EXE
-
      C:\Users\Admin\AppData\Local\Temp\e576b4d.exe
      C:\Users\Admin\AppData\Local\Temp\e576b4d.exe
      - Executes dropped EXE
-
      C:\Users\Admin\AppData\Local\Temp\e576b5c.exe
      C:\Users\Admin\AppData\Local\Temp\e576b5c.exe
      - Executes dropped EXE
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process: 1
Windows Service: 1
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Defense Evasion
Modify Registry: 5
Impair Defenses: 4
Disable or Modify Tools: 3
Disable or Modify System Firewall: 1
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e574fc6.exe
-
Filesize
97KB
-
MD5
4bfcdbe4ccb77f52b5c5d6cd611ff2ac
-
SHA1
0e3e30efedb06a7821591e191bc94226e7a4318d
-
SHA256
569e93a0e035e8ecc462c7626c1e7325f80b8351bdfbbdd93d7c2a5398e20229
-
SHA512
e67113e38187d079dafa1e51746cf6912c38a85d4e17f46c761127e38c372ea3937f1a1a9e3edd4db75096b8cbcd72740be82234772c1520ceda23fbb8ab909c