Analysis
-
max time kernel
149s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-06-2024 20:53
Static task
static1
Behavioral task
behavioral1
Sample
18e63d7b0fc6a6dca0d1b8ff8657d9a7d319dc5118309db1d69dc11bc10a7c59_NeikiAnalytics.dll
Resource
win7-20240419-en
General
-
Target
18e63d7b0fc6a6dca0d1b8ff8657d9a7d319dc5118309db1d69dc11bc10a7c59_NeikiAnalytics.dll
-
Size
120KB
-
MD5
1e780fa39773470b975a00ae19e9cba0
-
SHA1
297e703f82720d898c24cfee969fc24a53097d6b
-
SHA256
18e63d7b0fc6a6dca0d1b8ff8657d9a7d319dc5118309db1d69dc11bc10a7c59
-
SHA512
393e58e57b71bbe43879cb011627927f8885dc11949ca26ea9c7b66d7c0c978482396cac3c6bdd1913f4ecb61eede28a63b0ecfc58553353b0dae1c6ed2c8977
-
SSDEEP
1536:+ybxmzXHfDmrbVBN0YwU9lkrxekG3f3a9ZCj4HigcWmE+uQMHZMujj:BxWX6bVB2faOxePau4CJWmTM5Mu
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
e5747e6.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e5747e6.exe -
Processes:
e5747e6.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5747e6.exe -
Processes:
e5747e6.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e5747e6.exe -
Executes dropped EXE 4 IoCs
Processes:
e5747e6.exee57495d.exee5763bb.exee5763cb.exepid process 3736 e5747e6.exe 4424 e57495d.exe 1616 e5763bb.exe 1888 e5763cb.exe -
Processes:
resource yara_rule behavioral2/memory/3736-6-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-8-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-10-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-16-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-30-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-31-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-32-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-33-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-9-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-34-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-35-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-36-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-37-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-38-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-39-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-41-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-42-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-56-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-58-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-59-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-73-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-75-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-78-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-80-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-82-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-84-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-86-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-94-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-96-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/3736-99-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/1616-130-0x0000000000B50000-0x0000000001C0A000-memory.dmp upx -
Processes:
e5747e6.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e5747e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e5747e6.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e5747e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e5747e6.exe -
Processes:
e5747e6.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5747e6.exe -
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e5747e6.exedescription ioc process File opened (read-only) \??\K: e5747e6.exe File opened (read-only) \??\S: e5747e6.exe File opened (read-only) \??\G: e5747e6.exe File opened (read-only) \??\I: e5747e6.exe File opened (read-only) \??\J: e5747e6.exe File opened (read-only) \??\R: e5747e6.exe File opened (read-only) \??\E: e5747e6.exe File opened (read-only) \??\N: e5747e6.exe File opened (read-only) \??\P: e5747e6.exe File opened (read-only) \??\H: e5747e6.exe File opened (read-only) \??\L: e5747e6.exe File opened (read-only) \??\M: e5747e6.exe File opened (read-only) \??\O: e5747e6.exe File opened (read-only) \??\Q: e5747e6.exe -
Drops file in Program Files directory 4 IoCs
Processes:
e5747e6.exedescription ioc process File opened for modification C:\Program Files\7-Zip\7z.exe e5747e6.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe e5747e6.exe File opened for modification C:\Program Files\7-Zip\7zG.exe e5747e6.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe e5747e6.exe -
Drops file in Windows directory 2 IoCs
Processes:
e5747e6.exedescription ioc process File created C:\Windows\e574873 e5747e6.exe File opened for modification C:\Windows\SYSTEM.INI e5747e6.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
e5747e6.exepid process 3736 e5747e6.exe 3736 e5747e6.exe 3736 e5747e6.exe 3736 e5747e6.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
e5747e6.exedescription pid process Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe Token: SeDebugPrivilege 3736 e5747e6.exe -
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
rundll32.exerundll32.exee5747e6.exedescription pid process target process PID 2944 wrote to memory of 636 2944 rundll32.exe rundll32.exe PID 2944 wrote to memory of 636 2944 rundll32.exe rundll32.exe PID 2944 wrote to memory of 636 2944 rundll32.exe rundll32.exe PID 636 wrote to memory of 3736 636 rundll32.exe e5747e6.exe PID 636 wrote to memory of 3736 636 rundll32.exe e5747e6.exe PID 636 wrote to memory of 3736 636 rundll32.exe e5747e6.exe PID 3736 wrote to memory of 768 3736 e5747e6.exe fontdrvhost.exe PID 3736 wrote to memory of 764 3736 e5747e6.exe fontdrvhost.exe PID 3736 wrote to memory of 1016 3736 e5747e6.exe dwm.exe PID 3736 wrote to memory of 2540 3736 e5747e6.exe sihost.exe PID 3736 wrote to memory of 2560 3736 e5747e6.exe svchost.exe PID 3736 wrote to memory of 2772 3736 e5747e6.exe taskhostw.exe PID 3736 wrote to memory of 3500 3736 e5747e6.exe Explorer.EXE PID 3736 wrote to memory of 3628 3736 e5747e6.exe svchost.exe PID 3736 wrote to memory of 3828 3736 e5747e6.exe DllHost.exe PID 3736 wrote to memory of 3928 3736 e5747e6.exe StartMenuExperienceHost.exe PID 3736 wrote to memory of 3992 3736 e5747e6.exe RuntimeBroker.exe PID 3736 wrote to memory of 4072 3736 e5747e6.exe SearchApp.exe PID 3736 wrote to memory of 4128 3736 e5747e6.exe RuntimeBroker.exe PID 3736 wrote to memory of 4608 3736 e5747e6.exe RuntimeBroker.exe PID 3736 wrote to memory of 3744 3736 e5747e6.exe TextInputHost.exe PID 3736 wrote to memory of 2944 3736 e5747e6.exe rundll32.exe PID 3736 wrote to memory of 636 3736 e5747e6.exe rundll32.exe PID 3736 wrote to memory of 636 3736 e5747e6.exe rundll32.exe PID 636 wrote to memory of 4424 636 rundll32.exe e57495d.exe PID 636 wrote to memory of 4424 636 rundll32.exe e57495d.exe PID 636 wrote to memory of 4424 636 rundll32.exe e57495d.exe PID 636 wrote to memory of 1616 636 rundll32.exe e5763bb.exe PID 636 wrote to memory of 1616 636 rundll32.exe e5763bb.exe PID 636 wrote to memory of 1616 636 rundll32.exe e5763bb.exe PID 636 wrote to memory of 1888 636 rundll32.exe e5763cb.exe PID 636 wrote to memory of 1888 636 rundll32.exe e5763cb.exe PID 636 wrote to memory of 1888 636 rundll32.exe e5763cb.exe PID 3736 wrote to memory of 768 3736 e5747e6.exe fontdrvhost.exe PID 3736 wrote to memory of 764 3736 e5747e6.exe fontdrvhost.exe PID 3736 wrote to memory of 1016 3736 e5747e6.exe dwm.exe PID 3736 wrote to memory of 2540 3736 e5747e6.exe sihost.exe PID 3736 wrote to memory of 2560 3736 e5747e6.exe svchost.exe PID 3736 wrote to memory of 2772 3736 e5747e6.exe taskhostw.exe PID 3736 wrote to memory of 3500 3736 e5747e6.exe Explorer.EXE PID 3736 wrote to memory of 3628 3736 e5747e6.exe svchost.exe PID 3736 wrote to memory of 3828 3736 e5747e6.exe DllHost.exe PID 3736 wrote to memory of 3928 3736 e5747e6.exe StartMenuExperienceHost.exe PID 3736 wrote to memory of 3992 3736 e5747e6.exe RuntimeBroker.exe PID 3736 wrote to memory of 4072 3736 e5747e6.exe SearchApp.exe PID 3736 wrote to memory of 4128 3736 e5747e6.exe RuntimeBroker.exe PID 3736 wrote to memory of 4608 3736 e5747e6.exe RuntimeBroker.exe PID 3736 wrote to memory of 3744 3736 e5747e6.exe TextInputHost.exe PID 3736 wrote to memory of 4424 3736 e5747e6.exe e57495d.exe PID 3736 wrote to memory of 4424 3736 e5747e6.exe e57495d.exe PID 3736 wrote to memory of 1616 3736 e5747e6.exe e5763bb.exe PID 3736 wrote to memory of 1616 3736 e5747e6.exe e5763bb.exe PID 3736 wrote to memory of 1888 3736 e5747e6.exe e5763cb.exe PID 3736 wrote to memory of 1888 3736 e5747e6.exe e5763cb.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
e5747e6.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5747e6.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\18e63d7b0fc6a6dca0d1b8ff8657d9a7d319dc5118309db1d69dc11bc10a7c59_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\18e63d7b0fc6a6dca0d1b8ff8657d9a7d319dc5118309db1d69dc11bc10a7c59_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5747e6.exeC:\Users\Admin\AppData\Local\Temp\e5747e6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57495d.exeC:\Users\Admin\AppData\Local\Temp\e57495d.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e5763bb.exeC:\Users\Admin\AppData\Local\Temp\e5763bb.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e5763cb.exeC:\Users\Admin\AppData\Local\Temp\e5763cb.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5747e6.exeFilesize
97KB
MD54505cd2142c15dec99db268a11dbf60c
SHA1071fde03004b546939e48ceaa499f780fdb35902
SHA2566def2c041278768190a966cf89f5dd41a01fb313834a6ba3fe097502fde8913e
SHA5120c2ab9ceb51d5b0d644ac82dba03a015fc1cdcfc67663cb829a89f436c01a4af3daa0c5aae24bf6168f93c065bb911eb40741c6c8292692d151b096c7bb60701
-
memory/636-20-0x0000000000A50000-0x0000000000A52000-memory.dmpFilesize
8KB
-
memory/636-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/636-11-0x0000000000A50000-0x0000000000A52000-memory.dmpFilesize
8KB
-
memory/636-12-0x0000000003E00000-0x0000000003E01000-memory.dmpFilesize
4KB
-
memory/636-18-0x0000000000A50000-0x0000000000A52000-memory.dmpFilesize
8KB
-
memory/1616-131-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/1616-130-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/1616-125-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1616-64-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1616-71-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1616-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1888-55-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1888-72-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1888-129-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1888-66-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1888-69-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3736-84-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-88-0x0000000001AB0000-0x0000000001AB2000-memory.dmpFilesize
8KB
-
memory/3736-9-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3736-35-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-19-0x0000000001AB0000-0x0000000001AB2000-memory.dmpFilesize
8KB
-
memory/3736-37-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-14-0x0000000001AC0000-0x0000000001AC1000-memory.dmpFilesize
4KB
-
memory/3736-39-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-41-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-42-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-6-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-10-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-56-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-58-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-59-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-30-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-21-0x0000000001AB0000-0x0000000001AB2000-memory.dmpFilesize
8KB
-
memory/3736-8-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-33-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-34-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-38-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-36-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-31-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-73-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-75-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-78-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-80-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-82-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-32-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-86-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-16-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-94-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-96-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/3736-116-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3736-99-0x00000000007B0000-0x000000000186A000-memory.dmpFilesize
16.7MB
-
memory/4424-120-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4424-62-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4424-70-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4424-29-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4424-67-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB