b65a47737eef140c672a03c768a9b0e98b51a3d43254b36746fe6eda96990f69

Analysis

max time kernel
1193s
max time network
1202s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trip.msi
Size

2.5MB
MD5

ecf939562331d02eace64bd8ac54b033
SHA1

3293d1c6d91f91eea211616e9365b2be9a928121
SHA256

b65a47737eef140c672a03c768a9b0e98b51a3d43254b36746fe6eda96990f69
SHA512

032c6879ea8df25b972e8bb0fc939c1f2c3aff40d74bff86a55a6c13e0235ca088cdb3e146bf546d05ff5ece2493ed4bfdcbdcd113d749c6d4f9b557043b312c
SSDEEP

49152:3wtuTLri0U9clw3W2vMPrITR8pq0GFO/E7ZIcKqvtdAoSh636PYp1g:gtuTvjUUw3W2vMMqbGoc9IES3hxPM

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\system.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.dll	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{3857C70D-03D7-47D4-AF80-E94474C0AE4E}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A72.tmp	msiexec.exe
File created	C:\Windows\Installer\{3857C70D-03D7-47D4-AF80-E94474C0AE4E}\DefaultIcon	msiexec.exe
File created	C:\Windows\Installer\e5990bd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA776.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A52.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D32.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA5A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{3857C70D-03D7-47D4-AF80-E94474C0AE4E}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e5990bd.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F47.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{3857C70D-03D7-47D4-AF80-E94474C0AE4E}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\e5990bf.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4780	ScreenConnect.ClientService.exe
3684	ScreenConnect.WindowsClient.exe

Loads dropped DLL 23 IoCs

pid	Process
3716	MsiExec.exe
936	rundll32.exe
936	rundll32.exe
936	rundll32.exe
936	rundll32.exe
936	rundll32.exe
936	rundll32.exe
936	rundll32.exe
3684	MsiExec.exe
3684	MsiExec.exe
3684	MsiExec.exe
3256	MsiExec.exe
3256	MsiExec.exe
4780	ScreenConnect.ClientService.exe
4780	ScreenConnect.ClientService.exe
4780	ScreenConnect.ClientService.exe
4780	ScreenConnect.ClientService.exe
4780	ScreenConnect.ClientService.exe
4780	ScreenConnect.ClientService.exe
4780	ScreenConnect.ClientService.exe
4780	ScreenConnect.ClientService.exe
4780	ScreenConnect.ClientService.exe
4780	ScreenConnect.ClientService.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ScreenConnect.ClientService.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\PackageCode = "659B838C479AA6F49870983AFB38DA1E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D07C75837D304D74FA089E44470CEAE4\Full	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\ProductName = "ScreenConnect Client (d99ea53d69ff0bee)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\ProductIcon = "C:\\Windows\\Installer\\{3857C70D-03D7-47D4-AF80-E94474C0AE4E}\\DefaultIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-d99ea53d69ff0bee	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\UseOriginalUrlEncoding = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (d99ea53d69ff0bee)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Version = "369500690"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FE95885AED2AF4C99DE95AD396FFB0EE\D07C75837D304D74FA089E44470CEAE4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-d99ea53d69ff0bee\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FE95885AED2AF4C99DE95AD396FFB0EE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\PackageName = "trip.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D07C75837D304D74FA089E44470CEAE4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Assignment = "1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
404	msiexec.exe
404	msiexec.exe
4780	ScreenConnect.ClientService.exe
4780	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	488	msiexec.exe
Token: SeSecurityPrivilege	404	msiexec.exe
Token: SeCreateTokenPrivilege	488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	488	msiexec.exe
Token: SeLockMemoryPrivilege	488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	488	msiexec.exe
Token: SeMachineAccountPrivilege	488	msiexec.exe
Token: SeTcbPrivilege	488	msiexec.exe
Token: SeSecurityPrivilege	488	msiexec.exe
Token: SeTakeOwnershipPrivilege	488	msiexec.exe
Token: SeLoadDriverPrivilege	488	msiexec.exe
Token: SeSystemProfilePrivilege	488	msiexec.exe
Token: SeSystemtimePrivilege	488	msiexec.exe
Token: SeProfSingleProcessPrivilege	488	msiexec.exe
Token: SeIncBasePriorityPrivilege	488	msiexec.exe
Token: SeCreatePagefilePrivilege	488	msiexec.exe
Token: SeCreatePermanentPrivilege	488	msiexec.exe
Token: SeBackupPrivilege	488	msiexec.exe
Token: SeRestorePrivilege	488	msiexec.exe
Token: SeShutdownPrivilege	488	msiexec.exe
Token: SeDebugPrivilege	488	msiexec.exe
Token: SeAuditPrivilege	488	msiexec.exe
Token: SeSystemEnvironmentPrivilege	488	msiexec.exe
Token: SeChangeNotifyPrivilege	488	msiexec.exe
Token: SeRemoteShutdownPrivilege	488	msiexec.exe
Token: SeUndockPrivilege	488	msiexec.exe
Token: SeSyncAgentPrivilege	488	msiexec.exe
Token: SeEnableDelegationPrivilege	488	msiexec.exe
Token: SeManageVolumePrivilege	488	msiexec.exe
Token: SeImpersonatePrivilege	488	msiexec.exe
Token: SeCreateGlobalPrivilege	488	msiexec.exe
Token: SeCreateTokenPrivilege	488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	488	msiexec.exe
Token: SeLockMemoryPrivilege	488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	488	msiexec.exe
Token: SeMachineAccountPrivilege	488	msiexec.exe
Token: SeTcbPrivilege	488	msiexec.exe
Token: SeSecurityPrivilege	488	msiexec.exe
Token: SeTakeOwnershipPrivilege	488	msiexec.exe
Token: SeLoadDriverPrivilege	488	msiexec.exe
Token: SeSystemProfilePrivilege	488	msiexec.exe
Token: SeSystemtimePrivilege	488	msiexec.exe
Token: SeProfSingleProcessPrivilege	488	msiexec.exe
Token: SeIncBasePriorityPrivilege	488	msiexec.exe
Token: SeCreatePagefilePrivilege	488	msiexec.exe
Token: SeCreatePermanentPrivilege	488	msiexec.exe
Token: SeBackupPrivilege	488	msiexec.exe
Token: SeRestorePrivilege	488	msiexec.exe
Token: SeShutdownPrivilege	488	msiexec.exe
Token: SeDebugPrivilege	488	msiexec.exe
Token: SeAuditPrivilege	488	msiexec.exe
Token: SeSystemEnvironmentPrivilege	488	msiexec.exe
Token: SeChangeNotifyPrivilege	488	msiexec.exe
Token: SeRemoteShutdownPrivilege	488	msiexec.exe
Token: SeUndockPrivilege	488	msiexec.exe
Token: SeSyncAgentPrivilege	488	msiexec.exe
Token: SeEnableDelegationPrivilege	488	msiexec.exe
Token: SeManageVolumePrivilege	488	msiexec.exe
Token: SeImpersonatePrivilege	488	msiexec.exe
Token: SeCreateGlobalPrivilege	488	msiexec.exe
Token: SeCreateTokenPrivilege	488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	488	msiexec.exe
Token: SeLockMemoryPrivilege	488	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
488	msiexec.exe
488	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 3716	404	msiexec.exe	100
PID 404 wrote to memory of 3716	404	msiexec.exe	100
PID 404 wrote to memory of 3716	404	msiexec.exe	100
PID 3716 wrote to memory of 936	3716	MsiExec.exe	101
PID 3716 wrote to memory of 936	3716	MsiExec.exe	101
PID 3716 wrote to memory of 936	3716	MsiExec.exe	101
PID 404 wrote to memory of 4616	404	msiexec.exe	118
PID 404 wrote to memory of 4616	404	msiexec.exe	118
PID 404 wrote to memory of 3684	404	msiexec.exe	120
PID 404 wrote to memory of 3684	404	msiexec.exe	120
PID 404 wrote to memory of 3684	404	msiexec.exe	120
PID 404 wrote to memory of 3256	404	msiexec.exe	121
PID 404 wrote to memory of 3256	404	msiexec.exe	121
PID 404 wrote to memory of 3256	404	msiexec.exe	121
PID 4780 wrote to memory of 3684	4780	ScreenConnect.ClientService.exe	127
PID 4780 wrote to memory of 3684	4780	ScreenConnect.ClientService.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\trip.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CC03DC6F333FE1AB1C2E719E9A31495A C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI2E9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240657062 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    PID:936
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4616
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 06A50591CEA36293713B2F2298C0BBA8
  2⤵
  - Loads dropped DLL
  PID:3684
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BC615B42468E7397C46F1DF341594B9A E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  PID:3256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:1092

C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=connect-tripadvisor.com&p=443&s=bb367d12-09cf-4e58-a51e-da68a712dfef&k=BgIAAACkAABSU0ExAAgAAAEAAQCxEP5Q5dY4dsd2WT0OF5M02NRSLwvHK%2b2gGrPnmXE%2bdjK66JHBg%2fOV974GClUfv92JP70R5rrdM5T%2f6RJhXpaPyovS5HRdSWayUDPDOuWwKTU5C2bwDJen%2be5gCJSSc5SS3NM%2bMR45m8a7Pfn%2fo3PhZxmUp60nGraMvVCU7VzZjbe6obzQ0ssurK8jh0vLGx5%2bqAnuKvpQRSTVkO8Jxn7R9WUkjXWbspN%2bvV4Zctr3RFgUv0em7Dv%2biktj7RlINLPGxSfwDCTHUggef%2bkfVFIVBGxPqiKD4yv9ZF3CHITonYLsDO99nuJOJHorUCra%2f7kb8%2fePltzQ8Q4f4kXoTHfY&t=&c=&c=&c=&c=&c=&c=&c=&c="
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe" "RunRole" "7ffd5620-f3f0-43ab-8527-9a9837c4066a" "User"
  2⤵
  - Executes dropped EXE
  PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5990be.rbs

Filesize
212KB

MD5
b120dcb20ffce6b7d5e17ecb9f976126

SHA1
65f07f54005d3140139da97a584d08bb3b49965f

SHA256
561dffe5701a7e787bf8415369b4b04826290b626c286428bc747165956b7173

SHA512
fb60b9c42d874a18fcda142de46b3e4b5c8c1aa9bf14eb55fcda8c6c9787f2e5e3b4e201ed59bfc76cfa472ba56fce5d03aec7efd8f776531883a9b66e3c5620

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.en-US.resources

Filesize
42KB

MD5
20518e7d17ee442c745f09cd223f1f58

SHA1
5790c9ab42775e65107c07e44f0ec955acc3aa4d

SHA256
715cea8a7c4544691c00ee22a93cd42889e433f95786a2c509aa8ad10b3b316e

SHA512
51219703473fd9e6ab21e7629c11a5891d47920be46cca96beacb4292a131a0733acafa8c438cc6552e06db9d1089d52b8ddcf032676e9e93fd64d45daf82644

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.resources

Filesize
2KB

MD5
0b47901f2c782922f034fba8e8062916

SHA1
893075f8ca04f92dbef7f6e81223e1b08e29328f

SHA256
64da2cfeacfcba97cad701da9288618bc42a20f69dd4a0fe5652ce49ef92524c

SHA512
b3db1c4ffed1dbaef5e03f4819bcba5f0a6864c26123e059b6a649911adbd380ae3aa1eb63c2397ea1ea5fc61103468b5db838080d7c7d5de848b5002c31cbd6

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Client.dll

Filesize
174KB

MD5
53f4028f53716457d2f4ecd88153ee28

SHA1
6ba080b54774194929deb2dbeb07870de4c6fd94

SHA256
020abca409831487d12103e63236ce4e3437c11748ba21838694ab4e945a34d1

SHA512
1f09ec6ed90735a028f042b6900029c2c7696e76cb5c5b53357d0ba72dad01c5afa9cba8f8262e57d84f4d4ed252063e24e472381eba1bfabe7c0b533182984d

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.dll

Filesize
35KB

MD5
e5437673f01321bce36de3d3c64dfd1c

SHA1
2fd3da4b0320042465c4f2ad2afde3e80686012b

SHA256
de7bcf5d9af680f6534477cfe842d5790662b717e61f3579483beddf3020be55

SHA512
d36d464bc04eb5d6a74975128b83034c80fa1a502b436a469e1a3803f918ae0f6ab712b29f56136ae4c2726b30bc33de0a693b1a3d8e81d1faa242341104245f

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
513f2d59390eac20cb80876f92c6c079

SHA1
5e806426e48401e4c286e3de64ccbeb4555c4c16

SHA256
851211a77cb938257f5d1fed9385662f0ba0d47442108caf802f6fbc5d72ca02

SHA512
2192a700fc1ae17b05b076d28bd89b6d1d7ff2dfdeabff4f50d0d64084f8a242293cd8f8b479bf39fe1dace97c2b0548f055647134d25cae2ad5f9bf15ea6cd3

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Core.dll

Filesize
211KB

MD5
919d0cdc7c88b20c0c1e69542b0e3d33

SHA1
3aab39e2848e8a9cd8387eaa4e21ed1be3e9f39f

SHA256
f8c7cccde679c2e227c775d2a3705d6e0485918620978a1e71aba86f5a9233fe

SHA512
db63df06722a0b70afc9c06ad8ebddcf504858c67721681389635dbb272626c8c5f1f015253ff42695ab75f0ce66623ef49f938d79b935fe09be354bd1e75210

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Windows.dll

Filesize
347KB

MD5
9bfdc0df748b2fe9e6216f3421052060

SHA1
7b0b7bc3f0a57294710ca50e80b64cfd29e2d646

SHA256
f1d72a5441df6a604d36d056011cef24597d114847f4c22bddae39e570c9b087

SHA512
fa00849d801d62c2927b648f83b7603f4c256e1bcb0a33e6c6b5d9d129877d091770b0131f8c0749b5ebdc382c17197d6690a0e21ae34e237c66fbea9c2e534a

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Windows.dll

Filesize
391KB

MD5
f504d35b7c5ba2cf4c676c28072507ed

SHA1
d8f1e1f2c82443507ab926947c92d07dce90e714

SHA256
d730fc792ae26c9a745eacdc24efdbb6f1094307390b5341965d4dd61bc196b4

SHA512
119c667fb6cf47b066fb8800ef3d9e2e199af3f2ecfdf2cf9d92b8b4fd1bd47e5f4a4c7407235f71eb2664092d006096872e20c732f096865e1fb703b213e227

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Windows.dll

Filesize
325KB

MD5
cbad790cfa8abba78769bb105d0df826

SHA1
1d5461d5a222e09aa502b9edcd2c95ce141971a1

SHA256
fe739bdcaec145cb6f4408a984b22dc1244a36e42cb9830e00144952e22fb990

SHA512
0e3498d53dc6eb15f04fff0c4a1004bbda4483c355bce753d9b35e7ffc135d40dae9a4b5f42a1bab91e7fa27ec6cc896bd08ccf672632de145de7b91580cf213

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe

Filesize
554KB

MD5
b59554f17317dd72e51c2c81e70c3f12

SHA1
4cdb0b86d5e524a45423e78f759d4d73b156c4cd

SHA256
12296d6703a36b3386a2bd7c7c5217aa391d0defcb95e88cbf2e2527a0e5890c

SHA512
ee6e34645c3b03d2af8d1cc8fe2ee9da5b8fe8c886e2459f7cdb37a25bf5fed80b672884146df7a383f7ee8a1cb90a8873b5f826844adf3e7ce50a80924b6c76

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\app.config

Filesize
1KB

MD5
1807bc28da12a3ea9c5b28b4df4062ed

SHA1
16a33ed6f7dd65c10882284ee92a7f7e9f9a1bc2

SHA256
baca85c0e0ec3dfccb31f77dce14486f1eaf776e2afa18e3c6e0b44b8d8a1706

SHA512
c034565f12cf79c746fe2c19a07e85ad63504ee3f51df2ef12eacc8cf1dc88c0472726b64533810aef3267f1721ca147a94add29e414851262489a6bf7eb608c

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\system.config

Filesize
899B

MD5
5768c08ad4422850c8ccb2df2add6c46

SHA1
2d63833344efce93991d1cf9e5aead37440ab10a

SHA256
b1ee9fd52ee6e90961687ada828c83c37f6db0b1e34bcda742dd46596f43b4ae

SHA512
e4c1c748baf6ee380ae8f3a3c652f55530b0c212e7932c97994fc2609d29cb202eea22594ad4a0471c65f9e82d48b602936168c7e5e1206deb1a1150863df4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2E9.tmp

Filesize
739KB

MD5
a10b2618219097dd7778b3e5574a484d

SHA1
ac7eb58f1c21e084976bd33012b611079ceaf5ac

SHA256
d650c9b94bdee6f19e5ff8f80b2b67b982b73d880e5ce0e0f190198a5c49bf4a

SHA512
1caa1bed23a64038ce92c61e23e2b26ec8c572cad0d1a2c160b182b954cb8f597f03d2eff37bc673e209e0664f67e9f234b2d7a23c47ca789e590ef9b05abcf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2E9.tmp

Filesize
754KB

MD5
2a3ad4492453f2b695cb26977019b46d

SHA1
b34507c4ac6762bf50336a71ab9f9c4b4f26a742

SHA256
a6868835dc8b9ca8fda73a3fd6a465a757dd499bd87fa50581d0e4b196047282

SHA512
0961dd62dab762d9fea7597a7e975fcfceede5ea890e8950dce32f59ed6e340b0ee98696d42e112675785636589d0e2fb518d511706b010588abb536f11006fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2E9.tmp

Filesize
1008KB

MD5
5f6ad2b5b34d0e8ad9fa9055423bca23

SHA1
9ce6f887bc287bdd0321937d190c79f58918db3b

SHA256
2a13ca204e47abc63fff05479da2ccabef97a3b9d529b15d392c1ba6de9616f5

SHA512
cb4583bc5dc9bfab8a02a221b2b5c33023aa5d1333155a320a85e57b1cd95e976ca23b0897dba180052a9101bd55bf6a49bc3f469c25e37c985c1f4d32ba7ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2E9.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2E9.tmp-\ScreenConnect.Core.dll

Filesize
446KB

MD5
cfd9cd30f406354bb944873f19489647

SHA1
95db009881894236c5c1922716c6576acbdb0545

SHA256
98c00de265d8050f23a332e55628713d984d4d20094ca486da73ba5a9fd81bc8

SHA512
7756d452f2d4ef38ada3bd1e17b6d7807b7c5b90f2d38d701b74c34165087f6f92a8b7704db2678c8713ad1e0e4d207de0d86afe0d674f55bfe97372b951d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2E9.tmp-\ScreenConnect.Core.dll

Filesize
82KB

MD5
b8ae3bc7d6b2ea0bca5ce60d0b552555

SHA1
f572f3232e056098e8a5607c68b8a8bda6423e03

SHA256
63734dcde3a2fe2d8b6cf19d8e4e3e41de0d14332d107c414c26a1ec6cde1e58

SHA512
aea56aeb1b9f99438302c10eea4053795b0015b7e8eb26f08b1db3b9f0b76c1219776091a9c3c2ad87835392f0dc6d411adc442851cab8d9fdffb5c274a34f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2E9.tmp-\ScreenConnect.InstallerActions.dll

Filesize
20KB

MD5
e0b7cf71221699f2e984cd9f7c1001cc

SHA1
6188c79fd6529c16cc87b081a00fef7b2abe7ede

SHA256
8304fb6b333037d9bd9f65d99cb21918add1c3d0334f754d23c98bcf45c50a22

SHA512
1a6189610b1620fd11373841ebdeae9f553a6c9b5f1cad57afcbe9bfb2b571fc34824cd133281f266111445ca07cb8d13abdd8a179cf1744164a15352eaa94b6

Download Submit
C:\Windows\Installer\MSI9A72.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\e5990bd.msi

Filesize
2.5MB

MD5
ecf939562331d02eace64bd8ac54b033

SHA1
3293d1c6d91f91eea211616e9365b2be9a928121

SHA256
b65a47737eef140c672a03c768a9b0e98b51a3d43254b36746fe6eda96990f69

SHA512
032c6879ea8df25b972e8bb0fc939c1f2c3aff40d74bff86a55a6c13e0235ca088cdb3e146bf546d05ff5ece2493ed4bfdcbdcd113d749c6d4f9b557043b312c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
1.4MB

MD5
a84862fb2c8d30c0094b222051cc0381

SHA1
9edce78d2141e7f1edfdef6b5385596f0cba7a8f

SHA256
44a2b21a3b4d81413e19676c01657cc93e951940e5ee1658e3ea7dc19a20021c

SHA512
e512bb586b3ff0bc2e25db8a0be397d6846d0b5a7184ca11ab2c000880a7883af178644697faf578710bcdc0b11bc423f22d5c628c94801d55b965e9f64bc3b7

Download Submit
\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{03a6bbdf-2264-4480-a63e-15bca16a87e0}_OnDiskSnapshotProp

Filesize
6KB

MD5
00e5ff7648b77adab3a1b2c25d11d9e4

SHA1
8828d9472d0e1dfef85143980e2444b716b38b55

SHA256
e536fc2df51ec91174106c48e39075f6eba1edcf0b0fd328b49d6507ee42ecb6

SHA512
4d031e5d2b2298c6cc097a9b6ddce24ae0a6587454c71dbfd308a903d07a68b28d27073b7e5803f64d19a75ceb1bca0e139878c313a504925eced147cdaee036

Download Submit
memory/936-12-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/936-24-0x0000000004B40000-0x0000000004B4C000-memory.dmp

Filesize
48KB

Download
memory/936-20-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/936-18-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/936-39-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/936-19-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/936-17-0x0000000004B10000-0x0000000004B3E000-memory.dmp

Filesize
184KB

Download
memory/936-28-0x0000000004BD0000-0x0000000004C46000-memory.dmp

Filesize
472KB

Download
memory/936-11-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3684-136-0x0000000000CD0000-0x0000000000D5E000-memory.dmp

Filesize
568KB

Download
memory/3684-137-0x000000001B830000-0x000000001B862000-memory.dmp

Filesize
200KB

Download
memory/3684-144-0x00007FFE88280000-0x00007FFE88D41000-memory.dmp

Filesize
10.8MB

Download
memory/3684-142-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3684-141-0x000000001C170000-0x000000001C2F6000-memory.dmp

Filesize
1.5MB

Download
memory/3684-140-0x00007FFE88280000-0x00007FFE88D41000-memory.dmp

Filesize
10.8MB

Download
memory/3684-139-0x000000001BE40000-0x000000001BFDE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-138-0x000000001BC20000-0x000000001BC96000-memory.dmp

Filesize
472KB

Download
memory/4780-90-0x0000000003A30000-0x0000000003A40000-memory.dmp

Filesize
64KB

Download
memory/4780-115-0x0000000003BC0000-0x0000000003BF2000-memory.dmp

Filesize
200KB

Download
memory/4780-122-0x0000000003EA0000-0x000000000403E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-89-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4780-131-0x0000000004BA0000-0x0000000004BF0000-memory.dmp

Filesize
320KB

Download
memory/4780-91-0x0000000003A30000-0x0000000003A40000-memory.dmp

Filesize
64KB

Download
memory/4780-95-0x0000000003A10000-0x0000000003A20000-memory.dmp

Filesize
64KB

Download
memory/4780-128-0x00000000041D0000-0x0000000004356000-memory.dmp

Filesize
1.5MB

Download
memory/4780-143-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4780-125-0x00000000045F0000-0x0000000004B94000-memory.dmp

Filesize
5.6MB

Download