sality | d4dd43f8d585666709637c7fecfa7294d1fce970140720e5ead8f3184ef5a8e3

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba8db550c52e2a5bb6af8b72723c940_NeikiAnalytics.dll
Size

120KB
MD5

3ba8db550c52e2a5bb6af8b72723c940
SHA1

86f78e00a922b4020ffbca4c54cc72aba18ab833
SHA256

d4dd43f8d585666709637c7fecfa7294d1fce970140720e5ead8f3184ef5a8e3
SHA512

f85d6a4d54b53a9a1d5b2c0f1223b8fb42aab646383931b8c0ca6309fdfd2d4954aa2dcddbaec956ac6c58d6313ec183824f4334a2d175cc1674e2cb4deffae6
SSDEEP

1536:mm9tXq4HR00xxyeliOVBgfn2udUdvW2J5VtdplKjvHKXp2rVh3C+isr7s:X9N00aelizn260+wcjHK52TC7Cs

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

f76899a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f76899a.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

f76899a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76899a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76899a.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76899a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76899a.exe

Executes dropped EXE 3 IoCs

Processes:

f76899a.exef768ce4.exef76a39f.exe

pid process

2308 f76899a.exe
2052 f768ce4.exe
860 f76a39f.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

1748 rundll32.exe
1748 rundll32.exe
1748 rundll32.exe
1748 rundll32.exe
1748 rundll32.exe
1748 rundll32.exe

pid	process
2308	f76899a.exe
2052	f768ce4.exe
860	f76a39f.exe

pid	process
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2308-22-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-13-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-16-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-11-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-20-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-15-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-17-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-19-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-21-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-18-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-61-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-62-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-63-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-64-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-65-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-67-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-81-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-82-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-84-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-87-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-86-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-105-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/2308-154-0x00000000006B0000-0x000000000176A000-memory.dmp	upx
behavioral1/memory/860-161-0x0000000000930000-0x00000000019EA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76899a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76899a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76899a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76899a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

f76899a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76899a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76899a.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f76899a.exe

description	ioc	process
File opened (read-only)	\??\Q:	f76899a.exe
File opened (read-only)	\??\R:	f76899a.exe
File opened (read-only)	\??\E:	f76899a.exe
File opened (read-only)	\??\J:	f76899a.exe
File opened (read-only)	\??\K:	f76899a.exe
File opened (read-only)	\??\N:	f76899a.exe
File opened (read-only)	\??\G:	f76899a.exe
File opened (read-only)	\??\S:	f76899a.exe
File opened (read-only)	\??\H:	f76899a.exe
File opened (read-only)	\??\L:	f76899a.exe
File opened (read-only)	\??\O:	f76899a.exe
File opened (read-only)	\??\I:	f76899a.exe
File opened (read-only)	\??\M:	f76899a.exe
File opened (read-only)	\??\P:	f76899a.exe

Drops file in Windows directory 2 IoCs

Processes:

f76899a.exe

description ioc process

File created C:\Windows\f768a36 f76899a.exe
File opened for modification C:\Windows\SYSTEM.INI f76899a.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f76899a.exe

pid process

2308 f76899a.exe
2308 f76899a.exe

description	ioc	process
File created	C:\Windows\f768a36	f76899a.exe
File opened for modification	C:\Windows\SYSTEM.INI	f76899a.exe

pid	process
2308	f76899a.exe
2308	f76899a.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

f76899a.exe

description	pid	process
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe
Token: SeDebugPrivilege	2308	f76899a.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

rundll32.exerundll32.exef76899a.exe

description	pid	process	target process
PID 1308 wrote to memory of 1748	1308	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 1748	1308	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 1748	1308	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 1748	1308	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 1748	1308	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 1748	1308	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 1748	1308	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 2308	1748	rundll32.exe	f76899a.exe
PID 1748 wrote to memory of 2308	1748	rundll32.exe	f76899a.exe
PID 1748 wrote to memory of 2308	1748	rundll32.exe	f76899a.exe
PID 1748 wrote to memory of 2308	1748	rundll32.exe	f76899a.exe
PID 2308 wrote to memory of 1088	2308	f76899a.exe	taskhost.exe
PID 2308 wrote to memory of 1168	2308	f76899a.exe	Dwm.exe
PID 2308 wrote to memory of 1200	2308	f76899a.exe	Explorer.EXE
PID 2308 wrote to memory of 792	2308	f76899a.exe	DllHost.exe
PID 2308 wrote to memory of 1308	2308	f76899a.exe	rundll32.exe
PID 2308 wrote to memory of 1748	2308	f76899a.exe	rundll32.exe
PID 2308 wrote to memory of 1748	2308	f76899a.exe	rundll32.exe
PID 1748 wrote to memory of 2052	1748	rundll32.exe	f768ce4.exe
PID 1748 wrote to memory of 2052	1748	rundll32.exe	f768ce4.exe
PID 1748 wrote to memory of 2052	1748	rundll32.exe	f768ce4.exe
PID 1748 wrote to memory of 2052	1748	rundll32.exe	f768ce4.exe
PID 1748 wrote to memory of 860	1748	rundll32.exe	f76a39f.exe
PID 1748 wrote to memory of 860	1748	rundll32.exe	f76a39f.exe
PID 1748 wrote to memory of 860	1748	rundll32.exe	f76a39f.exe
PID 1748 wrote to memory of 860	1748	rundll32.exe	f76a39f.exe
PID 2308 wrote to memory of 1088	2308	f76899a.exe	taskhost.exe
PID 2308 wrote to memory of 1168	2308	f76899a.exe	Dwm.exe
PID 2308 wrote to memory of 1200	2308	f76899a.exe	Explorer.EXE
PID 2308 wrote to memory of 2052	2308	f76899a.exe	f768ce4.exe
PID 2308 wrote to memory of 2052	2308	f76899a.exe	f768ce4.exe
PID 2308 wrote to memory of 860	2308	f76899a.exe	f76a39f.exe
PID 2308 wrote to memory of 860	2308	f76899a.exe	f76a39f.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

f76899a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76899a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76899a.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1088

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3ba8db550c52e2a5bb6af8b72723c940_NeikiAnalytics.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3ba8db550c52e2a5bb6af8b72723c940_NeikiAnalytics.dll,#1
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\f76899a.exe
      C:\Users\Admin\AppData\Local\Temp\f76899a.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Enumerates connected drives
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\f768ce4.exe
      C:\Users\Admin\AppData\Local\Temp\f768ce4.exe
      4⤵
      Executes dropped EXE
      PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\f76a39f.exe
      C:\Users\Admin\AppData\Local\Temp\f76a39f.exe
      4⤵
      Executes dropped EXE
      PID:860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\f76899a.exe

Filesize
97KB

MD5
d8948838c30d39a30a7e47c311e9255b

SHA1
8d8fe49268b1c7f8e69de2fb913ae799c2a1b14d

SHA256
5cff771fb739bf8c2e8ec7d741b1e0d7ca1324a6efe34f5680a813e7ff3c8632

SHA512
c3ecf28e67ab9a5b777f95ce0a2b93e0cdb2797bd142b8434b935b87874c935677b4379ecbc0ba435413778dfe5b3d741e558f9ff0d13f6fba9fa1c8a7bfa28f

Download Submit
memory/860-99-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/860-162-0x0000000000930000-0x00000000019EA000-memory.dmp

Filesize
16.7MB

Download
memory/860-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/860-161-0x0000000000930000-0x00000000019EA000-memory.dmp

Filesize
16.7MB

Download
memory/860-160-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/860-101-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/860-103-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1088-28-0x0000000001C80000-0x0000000001C82000-memory.dmp

Filesize
8KB

Download
memory/1748-55-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1748-35-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1748-36-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1748-9-0x0000000000100000-0x0000000000112000-memory.dmp

Filesize
72KB

Download
memory/1748-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1748-58-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/1748-59-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1748-45-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1748-76-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1748-79-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/2052-96-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2052-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2052-95-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2052-102-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2052-153-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2308-19-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-48-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download
memory/2308-62-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-63-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-64-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-65-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-67-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-57-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download
memory/2308-18-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-21-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-81-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-82-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-84-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-87-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-86-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-61-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-46-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2308-17-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-15-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-20-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-11-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-105-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-129-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download
memory/2308-16-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-155-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2308-154-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-13-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-22-0x00000000006B0000-0x000000000176A000-memory.dmp

Filesize
16.7MB

Download
memory/2308-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download