neshta | cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60

Analysis

max time kernel
149s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-11-2022 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
Size

830KB
MD5

26fc3926ea14e37da6083a1e183a1300
SHA1

bdccdead104fccead0c7bcaccfe93e5c58108807
SHA256

cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60
SHA512

1bcf91881f6f14acc62cfbf094661ddd2a37fa4e99657b9f4d52f9c057b953fcb3c3a48ca7ca77c4b52097e73ee25268f1fff080ccf9e3afea90f274089b5376
SSDEEP

24576:WigILlEs4JDfhYWxbu7brybbmkDBktUzQmJxZ:GYp4JDfhYyuXrybbmWkteQU

Score

10^/10

neshta evasion persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 30 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	family_neshta
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 3 IoCs

Processes:

cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exesvchost.comsvchost.com

pid process

1796 cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
1656 svchost.com
1412 svchost.com
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
1656	svchost.com
1412	svchost.com

Loads dropped DLL 8 IoCs

Processes:

cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.execd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exesvchost.com

pid	process
2000	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
2000	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
1656	svchost.com
2000	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
2000	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe

Drops file in Windows directory 5 IoCs

Processes:

cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1932 sc.exe
844 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1932	sc.exe
844	sc.exe

Modifies registry class 1 IoCs

Processes:

cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.execd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exesvchost.comsvchost.com

description	pid	process	target process
PID 2000 wrote to memory of 1796	2000	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
PID 2000 wrote to memory of 1796	2000	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
PID 2000 wrote to memory of 1796	2000	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
PID 2000 wrote to memory of 1796	2000	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
PID 1796 wrote to memory of 1656	1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	svchost.com
PID 1796 wrote to memory of 1656	1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	svchost.com
PID 1796 wrote to memory of 1656	1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	svchost.com
PID 1796 wrote to memory of 1656	1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	svchost.com
PID 1796 wrote to memory of 1412	1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	svchost.com
PID 1796 wrote to memory of 1412	1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	svchost.com
PID 1796 wrote to memory of 1412	1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	svchost.com
PID 1796 wrote to memory of 1412	1796	cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe	svchost.com
PID 1656 wrote to memory of 844	1656	svchost.com	sc.exe
PID 1656 wrote to memory of 844	1656	svchost.com	sc.exe
PID 1656 wrote to memory of 844	1656	svchost.com	sc.exe
PID 1656 wrote to memory of 844	1656	svchost.com	sc.exe
PID 1412 wrote to memory of 1932	1412	svchost.com	sc.exe
PID 1412 wrote to memory of 1932	1412	svchost.com	sc.exe
PID 1412 wrote to memory of 1932	1412	svchost.com	sc.exe
PID 1412 wrote to memory of 1932	1412	svchost.com	sc.exe

C:\Users\Admin\AppData\Local\Temp\cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
"C:\Users\Admin\AppData\Local\Temp\cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\3582-490\cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\sc.exe" stop PcaSvc
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe stop PcaSvc
4⤵
- Launches sc.exe
PID:844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\sc.exe" config PcaSvc start= disabled
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe config PcaSvc start= disabled
4⤵
- Launches sc.exe
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
285KB

MD5
831270ac3db358cdbef5535b0b3a44e6

SHA1
c0423685c09bbe465f6bb7f8672c936e768f05a3

SHA256
a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0

SHA512
f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
313KB

MD5
8c4f4eb73490ca2445d8577cf4bb3c81

SHA1
0f7d1914b7aeabdb1f1e4caedd344878f48be075

SHA256
85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5

SHA512
65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Filesize
569KB

MD5
eef2f834c8d65585af63916d23b07c36

SHA1
8cb85449d2cdb21bd6def735e1833c8408b8a9c6

SHA256
3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd

SHA512
2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
373KB

MD5
2f6f7891de512f6269c8e8276aa3ea3e

SHA1
53f648c482e2341b4718a60f9277198711605c80

SHA256
d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86

SHA512
c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
140KB

MD5
e584c29c854081c78a366fbcc6f7f84c

SHA1
32b7e552e5916b43d57d7b088c543b77f1067338

SHA256
b2748833775c7c1bfce6959afbd5e472f6ff40497ee1a0b4c16d210270c56450

SHA512
c2e1d90d30f8799e4871c3eb87a2bff6b2ec7e46324027f4590503505808600db41583805d265786771a53f658b2d4b0edea85c85b9ae88850119cc0a682be0c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
130KB

MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
611KB

MD5
4d17fd5156bf1b74ef3b2672d1d54cb4

SHA1
496d86fba010f8d503a9f3a782ab006f97ff2c97

SHA256
8ec6137525a1e699869d5fa012414cd3862791aa33984df7ff0956d9351df169

SHA512
5990379a9023ddc386196c77c1a3f4e7bf3b91d6c3037eeabc8281cc1627560d0e80686ff919b20807a2d0f71d99a1ff2b73af0cdf8cc356972b7e88457e7891

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
a24fbb149eddf7a0fe981bd06a4c5051

SHA1
fce5bb381a0c449efad3d01bbd02c78743c45093

SHA256
5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d

SHA512
1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
229KB

MD5
28f7305b74e1d71409fec722d940d17a

SHA1
4c64e1ceb723f90da09e1a11e677d01fc8118677

SHA256
706db4d832abdf4907a1386b917e553315660a59bfb4c180e38215b4a606d896

SHA512
117de88d0bc437023ca2f1f54b1f2cf03b00c8cb52e4b728cabcb3140659c67cdb6d2c203d3ca13767312831c6308622dfa65d6c5361ec28aaf4ec0870f9ba6e

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE

Filesize
226KB

MD5
61c4eb4385ee3530cb2022fe6fc5bc45

SHA1
551c8baeb6dac4470dbaf68091ad9b864c022e90

SHA256
9cdb825851f24e29737dfa6fd3f8dc1a314956b1224c8a438e614ca8229d1dfe

SHA512
a4a4dd302df0696c43765aec07df39d1dae7e4e9db7fc2e1c4df7cdf4ad88f6026d912d3be323d92e286b6e694cba9d81a50e6f52a037e30803c38d009963c9f

Download Submit
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE

Filesize
1.5MB

MD5
bfe8267cbc145e3230a3fc9430e3de1e

SHA1
505e1723d02274804942dc322f4d45c99a0d1a1c

SHA256
127e2cf254aa60bcc1e2bfc7f963afa92d57e8ea2a2b3d50f4fb5b4b73d089ba

SHA512
5c1680af090e8667e103700015e50de6174c13427f9fa4865d786170bd45b1c2733342bc8cf1e5b23830beaddcb99a21566b957e5cafe9b95fe36d8c5fb3567e

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
320KB

MD5
9b3a83b01fca0830e87fb16fc8942346

SHA1
c591a4db5637161086982d9eab146cc08e3b382b

SHA256
4159126582e2f6a9eb7a7da215f649a94d2bbc7a21ea34efa943aabafd0190d1

SHA512
af97f0347ef24e045a544fe136a82818610a1624a02c0bb3139ac14542c38b9e6e9c12223ce699b10876525a060e225d7c99dd575592490d4b1691cdf1b2bcc5

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
129KB

MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
24179b4581907abfef8a55ab41c97999

SHA1
e4de417476f43da4405f4340ebf6044f6b094337

SHA256
a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7

SHA512
6fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
715KB

MD5
06366e48936df8d5556435c9820e9990

SHA1
0e3ed1da26a0c96f549720684e87352f1b58ef45

SHA256
cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612

SHA512
bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
c5d4c60518113b5a3cfd66385d884933

SHA1
1dae76c880b7581aff4b778fc6dd7c5b261163fa

SHA256
9f0c97ad8fc2ec8b56afd64d9248df354abf6040b9358b88a7b3d582d83a7b18

SHA512
54f46d7dc078cee115e3cc1a20b04a6a62dee7d767f6114e4f3096c8b848a74dc372bf93798f49f9ae74f8b40280da86e6fedfa37f72f03d2abde9768dbff7be

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
525KB

MD5
f6636e7fd493f59a5511f08894bba153

SHA1
3618061817fdf1155acc0c99b7639b30e3b6936c

SHA256
61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

SHA512
bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
806b6861a4472da8facc1887677113d0

SHA1
db864d7d27b731526051a43062ec79aa7a82e9c1

SHA256
3e518e645949ec736ffe7b3f9e53865fa3abae6a81931dd2aa8aaeb2f4c4b11d

SHA512
048dd9d2bab12ebd91f8cf323df814d1dc5ac0ce68c056412a63109b044a0ba235d8602a953c011e435a071333096bc4b4e2a2df79273ca7833cdad44d646b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe

Filesize
790KB

MD5
4a28d960fbd7df3a4b89adf7c508fd9a

SHA1
3b4c0e1db9b3c115e3fc30031fc430eb4e1be310

SHA256
5626dcc7a7bed11936fda91bd9cae33f71926a7239c66e755238b05e370c18b3

SHA512
d9c2209b54597da9cc17b17e5fba1e36d4610ed6b69d234952598e3c5de929f4ca10a0d281a3f71f6df9ebfa4b3dab3456695f2465018f1089168a01ac49f190

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe

Filesize
790KB

MD5
4a28d960fbd7df3a4b89adf7c508fd9a

SHA1
3b4c0e1db9b3c115e3fc30031fc430eb4e1be310

SHA256
5626dcc7a7bed11936fda91bd9cae33f71926a7239c66e755238b05e370c18b3

SHA512
d9c2209b54597da9cc17b17e5fba1e36d4610ed6b69d234952598e3c5de929f4ca10a0d281a3f71f6df9ebfa4b3dab3456695f2465018f1089168a01ac49f190

Download Submit
C:\Windows\directx.sys

Filesize
28B

MD5
a858dbaad3ae67af13e2f1aa6aec073a

SHA1
4374e080ce5bd1d4599f6d4566df88a2e4d8dc02

SHA256
efe110602e37962b873d680775c0c0aab255da224ddebba201bfdcf5db6f44d3

SHA512
0b97c297de264138344db5ec88c3792bb3a5cbecfdcf01f2330d8d0074aa781f36b687112e5dabd6883c7ffb76eaace766882208feaa1ce5ec4fd98aa118d3b5

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
a1bd4403a5a76ad736bec71482075bc0

SHA1
753b796dcdbce1476dfd892c36571aed6d84a7d1

SHA256
7dfc1ba9c547a0d2a7679e8920ed5b578cd17c51e5bfededc1a874fbf56e6e19

SHA512
6394e70214ac68fd216d7819f84dd1807f9a25818618151606c619382d168f031528f7d6196f56a89ac66fa7212ba65d8fc32a763a72e3e9bc4b3b3c464bffd0

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
a1bd4403a5a76ad736bec71482075bc0

SHA1
753b796dcdbce1476dfd892c36571aed6d84a7d1

SHA256
7dfc1ba9c547a0d2a7679e8920ed5b578cd17c51e5bfededc1a874fbf56e6e19

SHA512
6394e70214ac68fd216d7819f84dd1807f9a25818618151606c619382d168f031528f7d6196f56a89ac66fa7212ba65d8fc32a763a72e3e9bc4b3b3c464bffd0

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
a1bd4403a5a76ad736bec71482075bc0

SHA1
753b796dcdbce1476dfd892c36571aed6d84a7d1

SHA256
7dfc1ba9c547a0d2a7679e8920ed5b578cd17c51e5bfededc1a874fbf56e6e19

SHA512
6394e70214ac68fd216d7819f84dd1807f9a25818618151606c619382d168f031528f7d6196f56a89ac66fa7212ba65d8fc32a763a72e3e9bc4b3b3c464bffd0

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
a24fbb149eddf7a0fe981bd06a4c5051

SHA1
fce5bb381a0c449efad3d01bbd02c78743c45093

SHA256
5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d

SHA512
1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

Download Submit
\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
129KB

MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\cd34f87021aae4317d126adf8210f7fd6ea30d9475ae017c76a07e92a56f6a60.exe

Filesize
790KB

MD5
4a28d960fbd7df3a4b89adf7c508fd9a

SHA1
3b4c0e1db9b3c115e3fc30031fc430eb4e1be310

SHA256
5626dcc7a7bed11936fda91bd9cae33f71926a7239c66e755238b05e370c18b3

SHA512
d9c2209b54597da9cc17b17e5fba1e36d4610ed6b69d234952598e3c5de929f4ca10a0d281a3f71f6df9ebfa4b3dab3456695f2465018f1089168a01ac49f190

Download Submit
\Users\Admin\AppData\Local\Temp\nst5747.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nst5747.tmp\nsis7z.dll

Filesize
169KB

MD5
a7ec265954e2c897dbeb045bca97ced0

SHA1
04979920106adb0765589b3a34030f4b5bebc4e6

SHA256
32d512b1c3136ce877d91c5310615eb452c3a89ab10482ff9acaaa213a72412a

SHA512
31cd06182a35f5d2cad5583f4263c314063c1147f8c1feb8491ab0388d23a7c9fdeb181ae5c7d259aa391a113e1ea946ce922127ef99c88da0904cb70d4ab00e

Download Submit
\Users\Admin\AppData\Local\Temp\nst5747.tmp\nsis7z.dll

Filesize
169KB

MD5
a7ec265954e2c897dbeb045bca97ced0

SHA1
04979920106adb0765589b3a34030f4b5bebc4e6

SHA256
32d512b1c3136ce877d91c5310615eb452c3a89ab10482ff9acaaa213a72412a

SHA512
31cd06182a35f5d2cad5583f4263c314063c1147f8c1feb8491ab0388d23a7c9fdeb181ae5c7d259aa391a113e1ea946ce922127ef99c88da0904cb70d4ab00e

Download Submit
memory/844-68-0x0000000000000000-mapping.dmp

Download
memory/1412-65-0x0000000000000000-mapping.dmp

Download
memory/1656-62-0x0000000000000000-mapping.dmp

Download
memory/1796-77-0x00000000008B0000-0x00000000008E3000-memory.dmp

Filesize
204KB

Download
memory/1796-76-0x00000000008B1000-0x00000000008D1000-memory.dmp

Filesize
128KB

Download
memory/1796-56-0x0000000000000000-mapping.dmp

Download
memory/1932-74-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download