Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    20-06-2024 01:57

General

  • Target

    26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe

  • Size

    4.7MB

  • MD5

    4b01cd538281d558b44084e00fc8d0f0

  • SHA1

    4b56243284609cfc15d1665793afa44427dd7143

  • SHA256

    26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38

  • SHA512

    0da3753f66754668cf8b345f2fb9106667012b7a9b9acfa7c1c32c1e594eaa8178041073cc9743682dbed57c055aa8b5631ee73e1e7fe6bdeb277ab1e3bbb115

  • SSDEEP

    49152:6Hyjtk2MYC5GDXHyjtk2MYC5GDb7inIOY/BoiU2oyNiAbnblJwSinj+BxpEiixfw:6mtk2a2mtk2a5TF0LDjwSkgxeXvRnOn9

Malware Config

Signatures

  • Detect Neshta payload 29 IoCs
  • Neshta

    Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.

  • Executes dropped EXE 31 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Users\Admin\AppData\Local\Temp\3582-490\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Local\Temp\._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
            C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
              "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
              6⤵
              • Executes dropped EXE
              PID:1892
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\svchost.com
            "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:2180
            • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
              C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1612
              • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                7⤵
                • Executes dropped EXE
                PID:852
              • C:\ProgramData\Synaptics\Synaptics.exe
                "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:3000
                • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                  "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of WriteProcessMemory
                  PID:2480
                  • C:\Windows\svchost.com
                    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in Windows directory
                    • Suspicious use of WriteProcessMemory
                    PID:532
                    • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                      C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Adds Run key to start application
                      • Suspicious use of WriteProcessMemory
                      PID:764
                      • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                        11⤵
                        • Executes dropped EXE
                        PID:2728
                      • C:\ProgramData\Synaptics\Synaptics.exe
                        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:2992
                        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                          12⤵
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          PID:2964
                          • C:\Windows\svchost.com
                            "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                            13⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in Windows directory
                            PID:884
                            • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                              C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                              14⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Adds Run key to start application
                              PID:996
                              • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                                "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                                15⤵
                                • Executes dropped EXE
                                PID:2816
                              • C:\ProgramData\Synaptics\Synaptics.exe
                                "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                15⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                PID:568
                                • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                  "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                  16⤵
                                  • Executes dropped EXE
                                  • Drops file in Windows directory
                                  PID:2708
                                  • C:\Windows\svchost.com
                                    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                                    17⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in Windows directory
                                    PID:2528
                                    • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                                      C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                                      18⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Adds Run key to start application
                                      PID:2404
                                      • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                                        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                                        19⤵
                                        • Executes dropped EXE
                                        PID:2448
                                      • C:\ProgramData\Synaptics\Synaptics.exe
                                        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                        19⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        PID:2424
                                        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in Windows directory
                                          PID:1096
                                          • C:\Windows\svchost.com
                                            "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                                            21⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Drops file in Windows directory
                                            PID:108
                                            • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                                              C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                                              22⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Adds Run key to start application
                                              PID:2548
                                              • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                                                "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                                                23⤵
                                                • Executes dropped EXE
                                                PID:1360
                                              • C:\ProgramData\Synaptics\Synaptics.exe
                                                "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                                23⤵
                                                • Executes dropped EXE
                                                PID:476

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1546 Event Triggered Execution (1)
  • T1546.001 Change Default File Association (1)
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1546 Event Triggered Execution (1)
  • T1546.001 Change Default File Association (1)
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (2)

Credential Access

  • T1552 Unsecured Credentials (1)
  • T1552.001 Credentials In Files (1)

Discovery

  • T1082 System Information Discovery (1)

Collection

  • T1005 Data from Local System (1)


Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
    Filesize

    859KB

    MD5

    02ee6a3424782531461fb2f10713d3c1

    SHA1

    b581a2c365d93ebb629e8363fd9f69afc673123f

    SHA256

    ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

    SHA512

    6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
    Filesize

    547KB

    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

  • C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
    Filesize

    186KB

    MD5

    58b58875a50a0d8b5e7be7d6ac685164

    SHA1

    1e0b89c1b2585c76e758e9141b846ed4477b0662

    SHA256

    2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

    SHA512

    d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

  • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
    Filesize

    1.1MB

    MD5

    566ed4f62fdc96f175afedd811fa0370

    SHA1

    d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

    SHA256

    e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

    SHA512

    cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

  • C:\ProgramData\Synaptics\RCX451B.tmp
    Filesize

    1.1MB

    MD5

    571276888422ac851dcca297232ad8c9

    SHA1

    73f5418c8e5ceb2aee6a7757eaca9553c4d1eb4a

    SHA256

    a847847a4cb7906241e58832e544b66bdfa0adae2f2c5d50ce52c2f3c47a946f

    SHA512

    5e5760071728cea1954b118b70772542d52c79866a6819175dd93b6d6c4d978125cd6d993b5023e4c39430df8b9700cd85abd932ac2f7b0c2768bf2a0177c6f2

  • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
    Filesize

    2.5MB

    MD5

    3168a31552404661098af0156860f0c0

    SHA1

    9c10beb703314d0c8843ba7a3c988f793d55e422

    SHA256

    2a0546c07c3831073b3b1b83866c63150d56638358e20d8a5247417de1efa4ff

    SHA512

    3a3c93f4ccf441c7b86d2aae33ba636c975fb38ce14c62653f2c4606312a1259aba21d11a44ad5164d36fbc6ad136e12f9158971c26866568582111b95a98f6c

  • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
    Filesize

    3.6MB

    MD5

    d3d55a4e2c3a6576b369cf9830501d58

    SHA1

    904ab1d3b592970762939ca44959ba19ac867f8a

    SHA256

    3ab5a17ac7f98dfe6cd0eadf0f30539fac1c42748f84cfdb40aa01b284869dd0

    SHA512

    a9d39b7020a5c4f97315dcb8e92c53b49782bf95817e5307ac1826e80ff4960537a1f176d7351468fab83bf43a9b6b72d047f361a3900d7095eb9b9341c30ea6

  • C:\Windows\directx.sys
    Filesize

    57B

    MD5

    6b3bfceb3942a9508a2148acbee89007

    SHA1

    3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

    SHA256

    e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

    SHA512

    fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    2ff724ca136d4a831421dfd891e167c6

    SHA1

    5416f8de17ae4a8d9ea2e2d4570c5dd9ba7e5eb8

    SHA256

    ff787f8231bb6f6a30eb61f46d56920e742ae22dd047622f8fbe6266d8bb864d

    SHA512

    5ad202eb3222b9a95695ee1ffcebdaa3cd7235dbc8a1bf845e560736f514d9d7c92bc509c7089f53ff391bcd1d053050ccf0d889102a2b53b373d211dfbd9dc0

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
    Filesize

    3.6MB

    MD5

    d9d56796c0b48436ac49221c071eee3d

    SHA1

    672b3d260717645fce52c960d29f13e7576d162f

    SHA256

    9ac4e811d439ed123fdf97c4cfae4b3fd2f26d71443f499e3bab35869f6d1cba

    SHA512

    b8f0d838904d819a9571c54a7a01ad3f4a44d2395bf7539a2ce3b04c572e108b147c2c871fde3f7794e86b6dcb595dee95957843932281003ee9f64f379eabdc

  • \Users\Admin\AppData\Local\Temp\3582-490\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
    Filesize

    4.7MB

    MD5

    7155b4d6b0d32bc4d8ad1493e4095786

    SHA1

    88968227197f2d9bd0e629c8d3b95cd5bb8fc3f9

    SHA256

    449b020b762a435f758a2c7f9abce5abf9c2ccce055134820badcd509599b797

    SHA512

    b9bae19c305812ab3aabb63efef6140fd647c6bac51a8b96e43ddececd67067a787bf22a1d8eb7befc13c24e7c4825b0dfbc4499d8b9f0f5a82e529da0450a51
