neshta | 83a4b6cd0fa89d77f39c1ac7e3ecf5260bd7bffa07ab30fc6c7ab17e87525e39

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UPDATED SOA.exe
Size

1.1MB
MD5

253b21547cc9cb67b21c30223c60cfeb
SHA1

2626ba70352d3a19cadbeac4e1810e08968a9c55
SHA256

83a4b6cd0fa89d77f39c1ac7e3ecf5260bd7bffa07ab30fc6c7ab17e87525e39
SHA512

2d6dc3ab97d8aec0a880f9d3e03ca25646e4a8be2b72590d70fea5094eec9f06f1a911e8c05249883050e5802846489bd29e7352160865376c2e916f1e80876e
SSDEEP

24576:cSnlCe9qhJe96OE8uz2xxz9/cQVb3sFEg9SkLO7Dlw+T9koak48:/lCe9qhJesONuyxbn7sFLsw+T9p

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 6 IoCs

resource	yara_rule
behavioral2/memory/2912-38-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2912-43-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2912-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2912-47-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2912-178-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2912-180-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	UPDATED SOA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 2912	1912	UPDATED SOA.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~4.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MIA062~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~2.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MI9C33~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~3.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MI391D~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13175~1.29\MICROS~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	UPDATED SOA.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	UPDATED SOA.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	UPDATED SOA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4084	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	UPDATED SOA.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1912	UPDATED SOA.exe
1028	powershell.exe
4356	powershell.exe
1912	UPDATED SOA.exe
1912	UPDATED SOA.exe
1028	powershell.exe
4356	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	UPDATED SOA.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4356	1912	UPDATED SOA.exe	85
PID 1912 wrote to memory of 4356	1912	UPDATED SOA.exe	85
PID 1912 wrote to memory of 4356	1912	UPDATED SOA.exe	85
PID 1912 wrote to memory of 1028	1912	UPDATED SOA.exe	87
PID 1912 wrote to memory of 1028	1912	UPDATED SOA.exe	87
PID 1912 wrote to memory of 1028	1912	UPDATED SOA.exe	87
PID 1912 wrote to memory of 4084	1912	UPDATED SOA.exe	89
PID 1912 wrote to memory of 4084	1912	UPDATED SOA.exe	89
PID 1912 wrote to memory of 4084	1912	UPDATED SOA.exe	89
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91
PID 1912 wrote to memory of 2912	1912	UPDATED SOA.exe	91

C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe
"C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PaHUofRFlVXSn.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PaHUofRFlVXSn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1855.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4084
- C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe
  "C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe"
  2⤵
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
345440a0e3d9cd89ecc5e266f17758a8

SHA1
e69e5bda11c4d50b7a9d4f6fe0c7bf28953ba367

SHA256
01ea1f55578178ffa073ba1a19fbfc971a6d9f5531b280a63623d66143fcaf7d

SHA512
2275020612f12f6ba348c2e9a8612fc9309c09546c550bfc3a7ba9c862e3e211bcf54478ace2376e227a2de7e292a8b1a28f1af4a1e6c94164b94c380445e960

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\UPDATED SOA.exe

Filesize
1.0MB

MD5
15e7bdf7d54862b7dce0fa0e9c10e00b

SHA1
14c98df2982812ba2f8ee659af262a32b773f909

SHA256
1eaf59619145db5eb6905ac7b43fecc746b0c2fc4907ae677c508a7eac886429

SHA512
a4ce5c2384e25b2893aa1cb1709100591d8d261dfbf1ca0b502c5526e454c4c5712440433f42eaeb2c62e79a6cc776232c54511a13d8dae774f8870e040c8113

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubmdgia0.zje.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1855.tmp

Filesize
1KB

MD5
db6d4109c251f1446d0f75eae5af753b

SHA1
4b6c18d947fe482808a0b7ae5147c833bd4130fa

SHA256
b06baaf5454e6a0394ecc011da65d923a2f1029e8c94e7d064dbc9deb15d1892

SHA512
820fb8109efcc48e5e99a3c2e44011156975f25093e0ba6bbb58ea0bf62350b953a7eb06c0ea06afbca10f0c0902b334736f42c9b8edf9a7bd23a8d03c35cdaa

Download Submit
C:\Users\Admin\AppData\Roaming\PAHUOF~1.EXE

Filesize
1.1MB

MD5
253b21547cc9cb67b21c30223c60cfeb

SHA1
2626ba70352d3a19cadbeac4e1810e08968a9c55

SHA256
83a4b6cd0fa89d77f39c1ac7e3ecf5260bd7bffa07ab30fc6c7ab17e87525e39

SHA512
2d6dc3ab97d8aec0a880f9d3e03ca25646e4a8be2b72590d70fea5094eec9f06f1a911e8c05249883050e5802846489bd29e7352160865376c2e916f1e80876e

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
cfb0be10bc22d3d2a6acef73c1ce2e1a

SHA1
44110d2317ac0272eac0d6e8ea0c1bbd93f664ef

SHA256
12952d948fced5c150047d0d85ffe6063c7067a5745fe129ed93b3e11f47931e

SHA512
a07f81199e353841ff896e63f4b4d08b0b38ed11fc7cab0b035cdd7517c8b402f3e859b669d5598bfdd9a48556ed8866262230a15373ed5f388e5cd54074f6cb

Download Submit
memory/1028-63-0x000000007F120000-0x000000007F130000-memory.dmp

Filesize
64KB

Download
memory/1028-18-0x0000000004CC0000-0x00000000052E8000-memory.dmp

Filesize
6.2MB

Download
memory/1028-64-0x00000000715A0000-0x00000000715EC000-memory.dmp

Filesize
304KB

Download
memory/1028-62-0x0000000006BB0000-0x0000000006BE2000-memory.dmp

Filesize
200KB

Download
memory/1028-101-0x0000000006F20000-0x0000000006F3A000-memory.dmp

Filesize
104KB

Download
memory/1028-61-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/1028-103-0x00000000071A0000-0x0000000007236000-memory.dmp

Filesize
600KB

Download
memory/1028-75-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/1028-17-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/1028-19-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/1028-148-0x0000000007240000-0x0000000007248000-memory.dmp

Filesize
32KB

Download
memory/1028-21-0x0000000004B40000-0x0000000004B62000-memory.dmp

Filesize
136KB

Download
memory/1028-161-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/1028-23-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/1912-48-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/1912-2-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/1912-6-0x0000000005850000-0x00000000058EC000-memory.dmp

Filesize
624KB

Download
memory/1912-8-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/1912-7-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/1912-1-0x0000000000AB0000-0x0000000000BC4000-memory.dmp

Filesize
1.1MB

Download
memory/1912-5-0x0000000005630000-0x000000000563A000-memory.dmp

Filesize
40KB

Download
memory/1912-4-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/1912-0-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/1912-3-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/2912-47-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-180-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-43-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4356-60-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4356-151-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4356-102-0x0000000007780000-0x000000000778A000-memory.dmp

Filesize
40KB

Download
memory/4356-99-0x0000000007DB0000-0x000000000842A000-memory.dmp

Filesize
6.5MB

Download
memory/4356-13-0x0000000002AF0000-0x0000000002B26000-memory.dmp

Filesize
216KB

Download
memory/4356-104-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4356-129-0x0000000007940000-0x000000000794E000-memory.dmp

Filesize
56KB

Download
memory/4356-147-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/4356-65-0x000000007FBB0000-0x000000007FBC0000-memory.dmp

Filesize
64KB

Download
memory/4356-76-0x00000000715A0000-0x00000000715EC000-memory.dmp

Filesize
304KB

Download
memory/4356-152-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4356-14-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4356-160-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4356-15-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4356-16-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4356-22-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/4356-49-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download