neshta | 6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c

Analysis

max time kernel
18s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/10/2022, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
Size

273KB
MD5

8c7fadc8cfa7c3843e1476955b3cefb2
SHA1

acdea4a7ce0985ad0f40e63f76b20c249e7bb2e9
SHA256

6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c
SHA512

039698f0415e4dfe9e3e9b0a4328df6e6c7b08880f8d8c775021852ce6b7d91597695df12d6c7a8f8c04c2e1efa0cb5590a3a127d63a61affbde25e1f06b742a
SSDEEP

3072:sr85C9j0O8Jy99J5RqG7R6kE9NFr2wDDJ3Tq14EY6T5180KW4txEeXp9/:k99Ag3699X5X5AUQ80dPmr/

Score

10^/10

neshta smokeloader backdoor persistence spyware trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/1344-136-0x00000000005E0000-0x00000000005E9000-memory.dmp	family_smokeloader

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 1 IoCs

pid	Process
1344	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\msedge.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\NOTIFI~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\BHO\IE_TO_~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1344	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
1344	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found
3000	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1344	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1344	4968	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe	83
PID 4968 wrote to memory of 1344	4968	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe	83
PID 4968 wrote to memory of 1344	4968	6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe	83

C:\Users\Admin\AppData\Local\Temp\6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
"C:\Users\Admin\AppData\Local\Temp\6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\3582-490\6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe

Filesize
232KB

MD5
5663a767ac9d9b9efde3244125509cf3

SHA1
84f383a3ddb9f073655e1f6383b9c1d015e26524

SHA256
fc04e80d343f5929aea4aac77fb12485c7b07b3a3d2fc383d68912c9ad0666da

SHA512
2fdad14cfa700f20a732fdd2e43563f45d52c188801ea4c989a3e2924484b835005b9a98c7b3a4f7e9005c985770e7b38ef1b44d0dd7fdb9c2f308d37bdfe4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6b3170b2e0ff449edf080fb5f278d963ec69f68afaad7f31d688df89e6a43d1c.exe

Filesize
232KB

MD5
5663a767ac9d9b9efde3244125509cf3

SHA1
84f383a3ddb9f073655e1f6383b9c1d015e26524

SHA256
fc04e80d343f5929aea4aac77fb12485c7b07b3a3d2fc383d68912c9ad0666da

SHA512
2fdad14cfa700f20a732fdd2e43563f45d52c188801ea4c989a3e2924484b835005b9a98c7b3a4f7e9005c985770e7b38ef1b44d0dd7fdb9c2f308d37bdfe4be

Download Submit
memory/1344-136-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/1344-135-0x00000000006AE000-0x00000000006BE000-memory.dmp

Filesize
64KB

Download
memory/1344-137-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1344-138-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download