1dbe36e729f1e91cb35af05a0b4c7d48843341ef0a4e5a9bce0dc2876273dbad

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe
Size

1.8MB
MD5

2475d4fa80a7b6af042c79d1046016d2
SHA1

22834caa9edf1fc3ea29c435efd772dc571a6ab4
SHA256

a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557
SHA512

0b5a30de1edb91f4bffdf16973102f2fe560fcfdd57ffd77642eb6dee797d34d8a488491029792867426d3f24f280d60335752ab710675ea8a8ccded773fc5ac
SSDEEP

49152:gpuG8T0+TL3Z0DmvyTm61lGdODmuGu4IDAAM:gpuGjaH6HGA/GxID7M

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe

Executes dropped EXE 2 IoCs

Processes:

ScreenConnect.ClientService.exeScreenConnect.WindowsClient.exe

pid process

2008 ScreenConnect.ClientService.exe
2820 ScreenConnect.WindowsClient.exe

pid	process
2008	ScreenConnect.ClientService.exe
2820	ScreenConnect.WindowsClient.exe

Loads dropped DLL 25 IoCs

Processes:

MsiExec.exerundll32.exeMsiExec.exeMsiExec.exeScreenConnect.ClientService.exe

pid	process
1756	MsiExec.exe
4188	rundll32.exe
4188	rundll32.exe
4188	rundll32.exe
4188	rundll32.exe
4188	rundll32.exe
4188	rundll32.exe
4188	rundll32.exe
3396	MsiExec.exe
3396	MsiExec.exe
3396	MsiExec.exe
3832	MsiExec.exe
3832	MsiExec.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.Override.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.Override.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.WindowsClient.exe	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE75.tmp	msiexec.exe
File created	C:\Windows\Installer\e57aad8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC4F.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{2FE7AB38-5E76-4E78-BF53-E1CB530FCDE1}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\e57aad6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC7F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57aad6.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2FE7AB38-5E76-4E78-BF53-E1CB530FCDE1}	msiexec.exe
File created	C:\Windows\Installer\{2FE7AB38-5E76-4E78-BF53-E1CB530FCDE1}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{2FE7AB38-5E76-4E78-BF53-E1CB530FCDE1}\DefaultIcon	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000073c7eb973396fb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000073c7eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900073c7eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d073c7eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000073c7eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

ScreenConnect.ClientService.exemsiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe

Modifies registry class 32 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\sc-8cb4187b5188786a	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-8cb4187b5188786a\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (8cb4187b5188786a)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\ProductName = "ScreenConnect Client (8cb4187b5188786a)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\83BA7EF267E587E4FB351EBC35F0DC1E\Full	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\Version = "100674595"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\199262E51F28C655C84B81B7158887A6\83BA7EF267E587E4FB351EBC35F0DC1E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-8cb4187b5188786a\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\83BA7EF267E587E4FB351EBC35F0DC1E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\PackageCode = "4ACEA75B557563E4A99BB4A20B8FE566"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\ProductIcon = "C:\\Windows\\Installer\\{2FE7AB38-5E76-4E78-BF53-E1CB530FCDE1}\\DefaultIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\SourceList\PackageName = "setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-8cb4187b5188786a\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-8cb4187b5188786a	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\199262E51F28C655C84B81B7158887A6	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-8cb4187b5188786a\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-8cb4187b5188786a\UseOriginalUrlEncoding = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-8cb4187b5188786a\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-8cb4187b5188786a\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83BA7EF267E587E4FB351EBC35F0DC1E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exeScreenConnect.ClientService.exe

pid process

1260 msiexec.exe
1260 msiexec.exe
2008 ScreenConnect.ClientService.exe
2008 ScreenConnect.ClientService.exe

pid	process
1260	msiexec.exe
1260	msiexec.exe
2008	ScreenConnect.ClientService.exe
2008	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3672	a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe
Token: SeShutdownPrivilege	1592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1592	msiexec.exe
Token: SeSecurityPrivilege	1260	msiexec.exe
Token: SeCreateTokenPrivilege	1592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1592	msiexec.exe
Token: SeLockMemoryPrivilege	1592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1592	msiexec.exe
Token: SeMachineAccountPrivilege	1592	msiexec.exe
Token: SeTcbPrivilege	1592	msiexec.exe
Token: SeSecurityPrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeLoadDriverPrivilege	1592	msiexec.exe
Token: SeSystemProfilePrivilege	1592	msiexec.exe
Token: SeSystemtimePrivilege	1592	msiexec.exe
Token: SeProfSingleProcessPrivilege	1592	msiexec.exe
Token: SeIncBasePriorityPrivilege	1592	msiexec.exe
Token: SeCreatePagefilePrivilege	1592	msiexec.exe
Token: SeCreatePermanentPrivilege	1592	msiexec.exe
Token: SeBackupPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeShutdownPrivilege	1592	msiexec.exe
Token: SeDebugPrivilege	1592	msiexec.exe
Token: SeAuditPrivilege	1592	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1592	msiexec.exe
Token: SeChangeNotifyPrivilege	1592	msiexec.exe
Token: SeRemoteShutdownPrivilege	1592	msiexec.exe
Token: SeUndockPrivilege	1592	msiexec.exe
Token: SeSyncAgentPrivilege	1592	msiexec.exe
Token: SeEnableDelegationPrivilege	1592	msiexec.exe
Token: SeManageVolumePrivilege	1592	msiexec.exe
Token: SeImpersonatePrivilege	1592	msiexec.exe
Token: SeCreateGlobalPrivilege	1592	msiexec.exe
Token: SeCreateTokenPrivilege	1592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1592	msiexec.exe
Token: SeLockMemoryPrivilege	1592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1592	msiexec.exe
Token: SeMachineAccountPrivilege	1592	msiexec.exe
Token: SeTcbPrivilege	1592	msiexec.exe
Token: SeSecurityPrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeLoadDriverPrivilege	1592	msiexec.exe
Token: SeSystemProfilePrivilege	1592	msiexec.exe
Token: SeSystemtimePrivilege	1592	msiexec.exe
Token: SeProfSingleProcessPrivilege	1592	msiexec.exe
Token: SeIncBasePriorityPrivilege	1592	msiexec.exe
Token: SeCreatePagefilePrivilege	1592	msiexec.exe
Token: SeCreatePermanentPrivilege	1592	msiexec.exe
Token: SeBackupPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeShutdownPrivilege	1592	msiexec.exe
Token: SeDebugPrivilege	1592	msiexec.exe
Token: SeAuditPrivilege	1592	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1592	msiexec.exe
Token: SeChangeNotifyPrivilege	1592	msiexec.exe
Token: SeRemoteShutdownPrivilege	1592	msiexec.exe
Token: SeUndockPrivilege	1592	msiexec.exe
Token: SeSyncAgentPrivilege	1592	msiexec.exe
Token: SeEnableDelegationPrivilege	1592	msiexec.exe
Token: SeManageVolumePrivilege	1592	msiexec.exe
Token: SeImpersonatePrivilege	1592	msiexec.exe
Token: SeCreateGlobalPrivilege	1592	msiexec.exe
Token: SeCreateTokenPrivilege	1592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1592	msiexec.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

msiexec.exeScreenConnect.WindowsClient.exe

pid	process
1592	msiexec.exe
1592	msiexec.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

ScreenConnect.WindowsClient.exe

pid	process
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe
2820	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exemsiexec.exeMsiExec.exeScreenConnect.ClientService.exe

description	pid	process	target process
PID 3672 wrote to memory of 1592	3672	a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe	msiexec.exe
PID 3672 wrote to memory of 1592	3672	a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe	msiexec.exe
PID 3672 wrote to memory of 1592	3672	a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe	msiexec.exe
PID 1260 wrote to memory of 1756	1260	msiexec.exe	MsiExec.exe
PID 1260 wrote to memory of 1756	1260	msiexec.exe	MsiExec.exe
PID 1260 wrote to memory of 1756	1260	msiexec.exe	MsiExec.exe
PID 1756 wrote to memory of 4188	1756	MsiExec.exe	rundll32.exe
PID 1756 wrote to memory of 4188	1756	MsiExec.exe	rundll32.exe
PID 1756 wrote to memory of 4188	1756	MsiExec.exe	rundll32.exe
PID 1260 wrote to memory of 708	1260	msiexec.exe	srtasks.exe
PID 1260 wrote to memory of 708	1260	msiexec.exe	srtasks.exe
PID 1260 wrote to memory of 3396	1260	msiexec.exe	MsiExec.exe
PID 1260 wrote to memory of 3396	1260	msiexec.exe	MsiExec.exe
PID 1260 wrote to memory of 3396	1260	msiexec.exe	MsiExec.exe
PID 1260 wrote to memory of 3832	1260	msiexec.exe	MsiExec.exe
PID 1260 wrote to memory of 3832	1260	msiexec.exe	MsiExec.exe
PID 1260 wrote to memory of 3832	1260	msiexec.exe	MsiExec.exe
PID 2008 wrote to memory of 2820	2008	ScreenConnect.ClientService.exe	ScreenConnect.WindowsClient.exe
PID 2008 wrote to memory of 2820	2008	ScreenConnect.ClientService.exe	ScreenConnect.WindowsClient.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe
"C:\Users\Admin\AppData\Local\Temp\a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ECF0D08EF5752CBD9EA1BAD08C78A008 C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI60CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240607531 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
3⤵
- Loads dropped DLL
PID:4188

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:708

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B63E798F894BDC96D2D88C4BCEE606C0
2⤵
- Loads dropped DLL
PID:3396

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FA2DB28EF2CE1F2B396EAA0DEF9E0BF4 E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4964

C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=remote.itpscorp.com&p=8041&s=20978567-270d-4043-9091-f3357dd7a9b1&k=BgIAAACkAABSU0ExAAgAAAEAAQDRZuff2G6AqGrCUrnr8YRri%2fQ2b4QvL9J74fMDfzFPNAwEBQ%2fCpEzbvKBAQ2NPCwWIweRELTDWwrYEN0H6cXAubwnahOnwyG2j69lwy0MuEWgX1vTvzJEfE0Kn%2boe7FBzJaNPrEkJYyEcX9Wcx%2bJH0I9VpJc6qzVsdPgjOTN4DpoINBJoZfur%2bPRxGwhHk7aZYht69jz1IdTmmjOwo%2b9VUTil2M0258AYc2DpLD6bIX754tyMcyTaDVu4MR8guiwRH7wlFht2yxzdTIFjSfoE%2f1Qs6g9KZsdJsIlK%2bWoYhgnd4uc1oZJAwHI8NcuMJAgxJuPx7vctwBmSW%2fbhAToW2&t=&c=&c=&c=&c=&c=&c=&c=&c="
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.WindowsClient.exe" "RunRole" "8ee897a2-bc19-42e5-9b7d-ddeed12d9364" "User"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57aad7.rbs
Filesize
162KB

MD5
460eb32f367ef4f366d068acc32551b6

SHA1
a41e027eead4690246e6e92ab1e353272cfa1d8f

SHA256
230d9c41f490b8a8d2020c974bf290f33eaa29ea26c957e4379a79f4efce18be

SHA512
4e1a54de151959a40cf32f7b565923ffb41d0f264c128cfb5d43be3807bee1720221d11f44fa24a3b61345fa09665aa1ce541759acbdb6e9ea68ae5feca1677a

Download Submit
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.Override.en-US.resources
Filesize
376B

MD5
24831dc7eb428756b06bcc13dfb51133

SHA1
45fcaf20bb858ea45de81230dfc885bf8f1893f5

SHA256
381405a47d821c2d1199cca034dddfe38bbf6da4a399eaec8c13835593873274

SHA512
e0b701387c62639d4ef0bea63325ce2393c02c206cdf01caf882685b588216c62ce6e20b192569b91d6f34b6661d736b2d49beecffba66acd58f8bb95011f41a

Download Submit
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.Override.resources
Filesize
33KB

MD5
193f71a0681b3f5f606e64025c6c6808

SHA1
205662c9430edf6979feacea309f584f44e5be78

SHA256
4d9d0e18921604bf41630fbb100ea6cdce9c4ffd75388dd488978a8d0ab1394d

SHA512
efcbdd8f71bbf7c370d0b440a294a812994538a543cbe3b1dc1bb2c13cc1f38db400dcb26b6816be8e166e2a854d25371a6c60af0570d673207e7f394352ec87

Download Submit
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.en-US.resources
Filesize
29KB

MD5
a43aaf2d1dddc85e4a2a8d4f504aa778

SHA1
5211bd8b588f6f22b907d34a01c442c9fb07792b

SHA256
9c3d39f3b4c1aeac49be78fbf4ab947de5059575472409e8e39c0079bb87595a

SHA512
e932bef68a03ae7665447bb031d4aeb031b4dccbdda18126fad2f0fd753a8363eea123d57352117b92b5f0738db2eb6c36fd5d41895da35e5a362745259918e6

Download Submit
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.resources
Filesize
4KB

MD5
2a9e105ffe57302cae11202ea1194182

SHA1
72255e5e34e450b450157732330761ce4c010b11

SHA256
6e5a9facb9f91eb70320e4400c40a2911c4500170e05a5c02c544edaf9b7464f

SHA512
024a61ada26e3dd483eb60b538c1b7e3ff15518f7ea0914a7915a3e5ca1c81ae35922f79cbd1eba8fcd9a0675044894ec36129246c47eb91811955569230edab

Download Submit
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.Client.dll
Filesize
111KB

MD5
fe14c58a632cbf3a96cd9d0ac7ee2502

SHA1
51350b955de5c57e0656bf836ef64ba30fe883fe

SHA256
714793018ee4413de1c6581937f9f560bec6a51d8df5547d89fdc702d8ec4fec

SHA512
17af67e3e577561f8fb5a36e5880aeec43b741dff5e85cfd6bbae261c9f0d41be83050918b5998a5583914fd2b915e210927c6f6af7d8a9bcfae1c48632a09f9

Download Submit
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.ClientService.dll
Filesize
27KB

MD5
97c3034adbecd6244ad2ad0906a1ae29

SHA1
9ce6c38fab6f9f7596a3ee7d5a18258cb142f2f2

SHA256
37f3cdeb50928991d607f3869566d4d25741a1d29ceafc34c59e51fd1090c363

SHA512
290a6159d75d0ccca24f1234d17f519c5b4da0d593e32dffed2defd92d717cfc3e2397acad3426578af7d2d0461de325ac9c6bda3416c15c777d67a288eabc31

Download Submit
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.ClientService.exe
Filesize
88KB

MD5
a6b19567486c5fa7d8f62b9651960717

SHA1
8747ebd27f7d8c3bb0d86720942c30091c71a33d

SHA256
0804a763fb0ce0a5a0431cb4f1a0a2a3e0328ae6407ea00cd17fb008b3ff13c7

SHA512
86b8f5b1a0f1f193f8ce8f608e19f7cc05177ef86c9c1ece1a702b6b5300a87ad59603abfe06451ff60327b13d8a9d09c2b8dcc803b6880a469c08b68f2849bd

Download Submit
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.Windows.dll
Filesize
399KB

MD5
ffc554d3dc3a162ace86145bdd123d1b

SHA1
8a38bc464aa472c0dc3c15eafe408e4b56ecd336

SHA256
ee903fa082246f3cc129e715b7f571fe674104e850a57ae44db6a261519c225f

SHA512
37279e8251fd9c74f146abc2d3e37249365f93974c185e236c5d3f3da9a6fe33b50e944625a9c3f7b5f0a90d319e77e1cd9a87f5d7dd7333effd635bf07e5e4d

Download Submit
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.WindowsClient.exe
Filesize
401KB

MD5
97ced867e7c5601a4b3c95dd1a09af6b

SHA1
08895d3691c44c4ea263d1d506c29de5d2a1a995

SHA256
960cafb83857e8b61ed48450053358a04a9832e6a254537521f549d6a69d9571

SHA512
4698c88f433036b67861a4bd3793918467fc49ea89e431ae41ee49a592d49506df69951cedf3b883d4b93a1ab3693eb31793ecf649f93d97da98236eabde1b97

Download Submit
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.WindowsClient.exe.config
Filesize
259B

MD5
95f04aa18dc27e4f0c73ac6829dcc3d8

SHA1
2f361486c18e23cea4b375e1c9cccdc14bdd620d

SHA256
f3c7ed5a1114cbfa6e3e996f4b0311edb5e25dc2099fd7eb7a3a456c261a2d94

SHA512
59bfd8675c2b215e793bf343b6d1aa9c3304ab763c5870a4934ab947284af7bb0493fc4b5a6048dc3d531262e061d68d7395f09eaee1ebf1524c0d8ed63164b4

Download Submit
C:\ProgramData\ScreenConnect Client (8cb4187b5188786a)\user.config
Filesize
521B

MD5
adb228bef4bba270872639b526e48b19

SHA1
09f429486de2b9b32d2c5a2029032a95187b95b0

SHA256
03eba6653c902ec870f68b04370ea43c4e06345c8f276ece191f582a46de73b0

SHA512
d5fbe92994582180cdd8dda80ee06da6dd725ec7e5d3e302a3c6f8d327f1aba816bcf7285d2efd0e8e1397b02376c8f9ae6efbc2b962d3e2b670e5eca9e91470

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI60CD.tmp
Filesize
294KB

MD5
d9f32a58000fbd76723f5b0548873279

SHA1
dc72a8447304a5c65023c84cc7f756a504dd1d7c

SHA256
84135ab7cbdc549ef5a0cb13ea80e250fd7c407ed436b1541f915fb4334cf803

SHA512
4d80067a831f58fbb596eb16fa4db8c025a057a53c341101c6f80f7d88adbd95a7be84d848e071f49bf74dc40acfac9b520589a5a9cab914d83b7def0eff5e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI60CD.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Filesize
176KB

MD5
1e5a0962f20e91ca18bc150266e6f49e

SHA1
e71caab3b88b2913178ca2ae549a00455679cd4e

SHA256
fa74ae4d5e62a1cc7cfeaa55d84fe9bddab06651b6744fb4469074e79317da99

SHA512
09021a2183536d07d915e413bd70fbd47f6afcf9fa9b8deb886f473c7b3dc3ee3e042c126f644be70f42f491692fab0a25b49ef88099caf272eec75c5bd2fc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI60CD.tmp-\ScreenConnect.Core.dll
Filesize
238KB

MD5
57499c4e2bea1c72dfa51287b419f6af

SHA1
c686b1c699dc934ceeaa62990c1396421ea4ccaf

SHA256
940121c7c7827d639f6c9d8ce25a90473b79c4272e07e49f1e6d6e179800584f

SHA512
3a070b9dd3179179b768f54afe5960b0f16a1895c0581cf69052c00d85fed675278216d88bef07852d895d7662a84f146678148bacd20c4531787080844f5acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI60CD.tmp-\ScreenConnect.InstallerActions.dll
Filesize
18KB

MD5
346dd22c00a48d9e98f307c0b36dabc8

SHA1
3ff99714b7e5e02a685d83f84dbb2ea8511e45e0

SHA256
14b36c4e01a3b65595702536fdd33012aa08aead4468011b329090c01e08d077

SHA512
50b979e7e585891f5502d52913014cabc4c41cbf2c2b10542031369b03cc0fb7afc9346038966519db7d4d9700a1c208ec1c7887aa2e8b4fd2908d3b31a8fd9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.msi
Filesize
1.1MB

MD5
431547f82221d6cf88b904137846217c

SHA1
d92d1d8fd216569737eab9b23e2b3950382e2036

SHA256
9e01ccc41bbd4a8eed86151423c4441170a55eb873d8230f30e11900d53bc82c

SHA512
1a3445ad34813046e55475219946f94a080893c156e56a984dccf75295703766f0a5f3b9e86d09c659a0592fd772a0c8929b8ab93ffeaa67d4910b1b2c4b612b

Download Submit
C:\Windows\Installer\MSIABB2.tmp
Filesize
152KB

MD5
c62f1d994bb13e677211bbdba96433f8

SHA1
3a00d34df6ec81035234e339194fb49fbe317dbf

SHA256
3585ccf92c60150cf863e26c0eb2948e206841ca8ff91dac092cf567eef0880b

SHA512
c3269bcc5a639e7b8ebffc6f75313e12b27c8ad83abd99708e2aa7b5adfbb46a9fad1ebee81c2c53b9f84ea0e5ef200611a6db7b9f7165d43af04d853d47bef9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
2248d830624a8d0c5f71fe97b793f289

SHA1
8a520728a2247cb1f9bba7065b13d82a5b3e9584

SHA256
13774b0b6d76a3fd04f1b313e9c5f5dec53204348323249b83db118c679ea665

SHA512
4717b5d0293ec480d14024a4359696371260f10e33c3609f19c56cb71a1646445e5e0c70e4c669b6df3a6c6bac3377a8b6212a0b86d396955eb83b6f64f13841

Download Submit
\??\Volume{b97e3c07-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{aa46a63b-5440-47c4-989a-6ab34e29af82}_OnDiskSnapshotProp
Filesize
6KB

MD5
2507e8272c6c8a5d481178aa8fd964ad

SHA1
99d15c0f9769562679d034af17a85d2628d198b4

SHA256
c59f0892ed435540f6cec900e564e215cee6f08a83ab6695861c90d2cd85ffb5

SHA512
78419afbd5fcb9d0d5c84499c9c9efb0665f384ac015a6479ac3db44b6c62fe91aebbfd8d27f3872a3782d77ccc7acc992e9b7f6059d5e739bfb108ae4b4ae23

Download Submit
memory/2008-102-0x0000000004860000-0x00000000048CA000-memory.dmp

Filesize
424KB

Download
memory/2008-93-0x0000000001C00000-0x0000000001C0E000-memory.dmp

Filesize
56KB

Download
memory/2008-103-0x0000000004970000-0x0000000004A02000-memory.dmp

Filesize
584KB

Download
memory/2008-107-0x0000000004800000-0x0000000004822000-memory.dmp

Filesize
136KB

Download
memory/2008-111-0x0000000004D40000-0x0000000004DAA000-memory.dmp

Filesize
424KB

Download
memory/2008-112-0x00000000055C0000-0x0000000005746000-memory.dmp

Filesize
1.5MB

Download
memory/2008-114-0x0000000004DB0000-0x0000000004E00000-memory.dmp

Filesize
320KB

Download
memory/2820-116-0x0000000000900000-0x000000000096A000-memory.dmp

Filesize
424KB

Download
memory/2820-123-0x0000000002AC0000-0x0000000002ACE000-memory.dmp

Filesize
56KB

Download
memory/2820-122-0x000000001CBB0000-0x000000001CD36000-memory.dmp

Filesize
1.5MB

Download
memory/2820-121-0x000000001B800000-0x000000001B86A000-memory.dmp

Filesize
424KB

Download
memory/2820-120-0x000000001B7B0000-0x000000001B7F2000-memory.dmp

Filesize
264KB

Download
memory/2820-119-0x0000000002A20000-0x0000000002A42000-memory.dmp

Filesize
136KB

Download
memory/3672-9-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/3672-4-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download
memory/3672-13-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/3672-1-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/3672-2-0x0000000004D70000-0x0000000004E74000-memory.dmp

Filesize
1.0MB

Download
memory/3672-0-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/3672-3-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/3672-8-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/3672-7-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/3672-6-0x0000000004FB0000-0x000000000501A000-memory.dmp

Filesize
424KB

Download
memory/3672-5-0x00000000028E0000-0x0000000002922000-memory.dmp

Filesize
264KB

Download
memory/4188-37-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/4188-36-0x0000000005410000-0x0000000005452000-memory.dmp

Filesize
264KB

Download
memory/4188-32-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/4188-28-0x0000000005330000-0x0000000005360000-memory.dmp

Filesize
192KB

Download