neshta | 83a4b6cd0fa89d77f39c1ac7e3ecf5260bd7bffa07ab30fc6c7ab17e87525e39

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UPDATED SOA.exe
Size

1.1MB
MD5

253b21547cc9cb67b21c30223c60cfeb
SHA1

2626ba70352d3a19cadbeac4e1810e08968a9c55
SHA256

83a4b6cd0fa89d77f39c1ac7e3ecf5260bd7bffa07ab30fc6c7ab17e87525e39
SHA512

2d6dc3ab97d8aec0a880f9d3e03ca25646e4a8be2b72590d70fea5094eec9f06f1a911e8c05249883050e5802846489bd29e7352160865376c2e916f1e80876e
SSDEEP

24576:cSnlCe9qhJe96OE8uz2xxz9/cQVb3sFEg9SkLO7Dlw+T9koak48:/lCe9qhJesONuyxbn7sFLsw+T9p

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 6 IoCs

resource	yara_rule
behavioral1/memory/3012-42-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3012-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3012-48-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3012-46-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2144-51-0x0000000002660000-0x00000000026A0000-memory.dmp	family_neshta
behavioral1/memory/3012-117-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Loads dropped DLL 1 IoCs

pid	Process
3012	UPDATED SOA.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	UPDATED SOA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 3012	2172	UPDATED SOA.exe	37

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	UPDATED SOA.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	UPDATED SOA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1344	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	UPDATED SOA.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2172	UPDATED SOA.exe
2172	UPDATED SOA.exe
2172	UPDATED SOA.exe
2172	UPDATED SOA.exe
2172	UPDATED SOA.exe
2512	powershell.exe
2144	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	UPDATED SOA.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2512	2172	UPDATED SOA.exe	30
PID 2172 wrote to memory of 2512	2172	UPDATED SOA.exe	30
PID 2172 wrote to memory of 2512	2172	UPDATED SOA.exe	30
PID 2172 wrote to memory of 2512	2172	UPDATED SOA.exe	30
PID 2172 wrote to memory of 2144	2172	UPDATED SOA.exe	32
PID 2172 wrote to memory of 2144	2172	UPDATED SOA.exe	32
PID 2172 wrote to memory of 2144	2172	UPDATED SOA.exe	32
PID 2172 wrote to memory of 2144	2172	UPDATED SOA.exe	32
PID 2172 wrote to memory of 1344	2172	UPDATED SOA.exe	34
PID 2172 wrote to memory of 1344	2172	UPDATED SOA.exe	34
PID 2172 wrote to memory of 1344	2172	UPDATED SOA.exe	34
PID 2172 wrote to memory of 1344	2172	UPDATED SOA.exe	34
PID 2172 wrote to memory of 2720	2172	UPDATED SOA.exe	36
PID 2172 wrote to memory of 2720	2172	UPDATED SOA.exe	36
PID 2172 wrote to memory of 2720	2172	UPDATED SOA.exe	36
PID 2172 wrote to memory of 2720	2172	UPDATED SOA.exe	36
PID 2172 wrote to memory of 2720	2172	UPDATED SOA.exe	36
PID 2172 wrote to memory of 2720	2172	UPDATED SOA.exe	36
PID 2172 wrote to memory of 2720	2172	UPDATED SOA.exe	36
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37
PID 2172 wrote to memory of 3012	2172	UPDATED SOA.exe	37

C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe
"C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PaHUofRFlVXSn.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PaHUofRFlVXSn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp533E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1344
- C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe
  "C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe"
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe
  "C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
fbcd93f9801d46805880ae521671d11d

SHA1
51a024a16b39bee2615bdde8b752bfeb338f7dd7

SHA256
d124e4ecdfa83faf7bce47cecfa6dc047b0ea8f0c639895ff1561c0fa18b5b50

SHA512
e968528b2811494ca18c31044ff604b561ceb319c54c594ec787f992ec419f097ee3ed1434e7184f7ebb3d13360752568301e1f9d6bd207c82e0b2fcf7507131

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp533E.tmp

Filesize
1KB

MD5
8c50bd4f9ad2ae0319a41c6454d6f8b4

SHA1
57442cd89d7aa11fb50d9d467a9378edaccc1c71

SHA256
da5c5aa34b45946cb28102fc105d973b5645458778bb2e6da6536559dfd0cda2

SHA512
62ccb04af074dc0c8d46a270e511378a5a4e71b9697c517d335cbbd3280b2bce20f04e52d9dda5152236855f76e95649dee6d03164a706712fea6e4c585d5089

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TYT9NVDHTANBZ2CM5KQQ.temp

Filesize
7KB

MD5
cc3da128cb1ddeba9376c34cca6ba5ff

SHA1
70e40863a2226c8f288f1da4502bafe8de92bba8

SHA256
c1212bc4ccb434e38d929138a32d2509ef7ec698d99fd0fc0ce90194578d3a55

SHA512
eac0c0b213c15999cbfd50e96111ec31e281b1aec2633958071b797d1c49ee0485a29e2cd16c9d83edec9a4f915245e4d421f2340bd35a174c8b1d1d4e0c8ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cc3da128cb1ddeba9376c34cca6ba5ff

SHA1
70e40863a2226c8f288f1da4502bafe8de92bba8

SHA256
c1212bc4ccb434e38d929138a32d2509ef7ec698d99fd0fc0ce90194578d3a55

SHA512
eac0c0b213c15999cbfd50e96111ec31e281b1aec2633958071b797d1c49ee0485a29e2cd16c9d83edec9a4f915245e4d421f2340bd35a174c8b1d1d4e0c8ee2

Download Submit
C:\Users\Admin\AppData\Roaming\PAHUOF~1.EXE

Filesize
1.1MB

MD5
253b21547cc9cb67b21c30223c60cfeb

SHA1
2626ba70352d3a19cadbeac4e1810e08968a9c55

SHA256
83a4b6cd0fa89d77f39c1ac7e3ecf5260bd7bffa07ab30fc6c7ab17e87525e39

SHA512
2d6dc3ab97d8aec0a880f9d3e03ca25646e4a8be2b72590d70fea5094eec9f06f1a911e8c05249883050e5802846489bd29e7352160865376c2e916f1e80876e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
memory/2144-51-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2144-60-0x000000006F130000-0x000000006F6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2144-34-0x000000006F130000-0x000000006F6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2144-41-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2144-43-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2144-38-0x000000006F130000-0x000000006F6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2172-4-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-2-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download
memory/2172-1-0x0000000001060000-0x0000000001174000-memory.dmp

Filesize
1.1MB

Download
memory/2172-3-0x0000000000650000-0x000000000066A000-memory.dmp

Filesize
104KB

Download
memory/2172-49-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-7-0x0000000005950000-0x0000000005A18000-memory.dmp

Filesize
800KB

Download
memory/2172-5-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download
memory/2172-6-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/2172-0-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-35-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2512-45-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2512-40-0x000000006F130000-0x000000006F6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-59-0x000000006F130000-0x000000006F6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-50-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2512-31-0x000000006F130000-0x000000006F6DB000-memory.dmp

Filesize
5.7MB

Download
memory/3012-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-48-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download