meshagent | 0c30201fa247ef384098a2360270280d73fb1cea17f4e0f9d1b829dcab620b85

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe
Size

7.1MB
MD5

1db373b17f59735e466cf096f4a3b2a1
SHA1

4dda405e028d69406cb6b870ed5a7d9e45a9a122
SHA256

0c30201fa247ef384098a2360270280d73fb1cea17f4e0f9d1b829dcab620b85
SHA512

ae391e3c8965a24dce1b1802907f59729a3ed7b93a7fdbda9f9fe00a5a6a6a43227556f87c8957a8ba2a0a8f4c26bf66a8dcfe7ad0193602ed529279d1c5a6aa
SSDEEP

98304:pA47lMQl5tHuC+Eo5EdT9k/6asoCaRN1lMI6jQ:pLMQl5kkokTasoCafDSQ

Score

10^/10

meshagent backdoor discovery execution persistence rat trojan

Malware Config

Signatures

Detects MeshAgent payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000c000000023bab-4.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

meshagent64-ЭКРАНЫ[email protected]

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent64-ЭКРАНЫ[email protected]

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe

Executes dropped EXE 2 IoCs

Processes:

meshagent64-ЭКРАНЫ[email protected]MeshAgent.exe

pid	Process
4668	meshagent64-ЭКРАНЫ[email protected]
2796	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

Processes:

MeshAgent.exepowershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\5F7D86F16B376678AB2206AA5FFF43BA895F3665	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File opened for modification	C:\Windows\System32\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\5F7D86F16B376678AB2206AA5FFF43BA895F3665	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\D0E164AF5225698AE940439D09DC0E8E1740559A	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\97AE4052CD09CA88AFE921DB7BD2D67CAD2F6404	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe

Drops file in Program Files directory 6 IoCs

Processes:

MeshAgent.exemeshagent64-ЭКРАНЫ[email protected]

description	ioc	Process
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent64-ЭКРАНЫ[email protected]
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
956	powershell.exe
4664	powershell.exe
2932	powershell.exe
3980	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeMeshAgent.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MeshAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754833971260893"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2932	powershell.exe
2932	powershell.exe
3980	powershell.exe
3980	powershell.exe
956	powershell.exe
956	powershell.exe
4664	powershell.exe
4664	powershell.exe
4664	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1476	wmic.exe
Token: SeIncreaseQuotaPrivilege	1476	wmic.exe
Token: SeSecurityPrivilege	1476	wmic.exe
Token: SeTakeOwnershipPrivilege	1476	wmic.exe
Token: SeLoadDriverPrivilege	1476	wmic.exe
Token: SeSystemtimePrivilege	1476	wmic.exe
Token: SeBackupPrivilege	1476	wmic.exe
Token: SeRestorePrivilege	1476	wmic.exe
Token: SeShutdownPrivilege	1476	wmic.exe
Token: SeSystemEnvironmentPrivilege	1476	wmic.exe
Token: SeUndockPrivilege	1476	wmic.exe
Token: SeManageVolumePrivilege	1476	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1476	wmic.exe
Token: SeIncreaseQuotaPrivilege	1476	wmic.exe
Token: SeSecurityPrivilege	1476	wmic.exe
Token: SeTakeOwnershipPrivilege	1476	wmic.exe
Token: SeLoadDriverPrivilege	1476	wmic.exe
Token: SeSystemtimePrivilege	1476	wmic.exe
Token: SeBackupPrivilege	1476	wmic.exe
Token: SeRestorePrivilege	1476	wmic.exe
Token: SeShutdownPrivilege	1476	wmic.exe
Token: SeSystemEnvironmentPrivilege	1476	wmic.exe
Token: SeUndockPrivilege	1476	wmic.exe
Token: SeManageVolumePrivilege	1476	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1724	wmic.exe
Token: SeIncreaseQuotaPrivilege	1724	wmic.exe
Token: SeSecurityPrivilege	1724	wmic.exe
Token: SeTakeOwnershipPrivilege	1724	wmic.exe
Token: SeLoadDriverPrivilege	1724	wmic.exe
Token: SeSystemtimePrivilege	1724	wmic.exe
Token: SeBackupPrivilege	1724	wmic.exe
Token: SeRestorePrivilege	1724	wmic.exe
Token: SeShutdownPrivilege	1724	wmic.exe
Token: SeSystemEnvironmentPrivilege	1724	wmic.exe
Token: SeUndockPrivilege	1724	wmic.exe
Token: SeManageVolumePrivilege	1724	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1724	wmic.exe
Token: SeIncreaseQuotaPrivilege	1724	wmic.exe
Token: SeSecurityPrivilege	1724	wmic.exe
Token: SeTakeOwnershipPrivilege	1724	wmic.exe
Token: SeLoadDriverPrivilege	1724	wmic.exe
Token: SeSystemtimePrivilege	1724	wmic.exe
Token: SeBackupPrivilege	1724	wmic.exe
Token: SeRestorePrivilege	1724	wmic.exe
Token: SeShutdownPrivilege	1724	wmic.exe
Token: SeSystemEnvironmentPrivilege	1724	wmic.exe
Token: SeUndockPrivilege	1724	wmic.exe
Token: SeManageVolumePrivilege	1724	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1656	wmic.exe
Token: SeIncreaseQuotaPrivilege	1656	wmic.exe
Token: SeSecurityPrivilege	1656	wmic.exe
Token: SeTakeOwnershipPrivilege	1656	wmic.exe
Token: SeLoadDriverPrivilege	1656	wmic.exe
Token: SeSystemtimePrivilege	1656	wmic.exe
Token: SeBackupPrivilege	1656	wmic.exe
Token: SeRestorePrivilege	1656	wmic.exe
Token: SeShutdownPrivilege	1656	wmic.exe
Token: SeSystemEnvironmentPrivilege	1656	wmic.exe
Token: SeUndockPrivilege	1656	wmic.exe
Token: SeManageVolumePrivilege	1656	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1656	wmic.exe
Token: SeIncreaseQuotaPrivilege	1656	wmic.exe
Token: SeSecurityPrivilege	1656	wmic.exe
Token: SeTakeOwnershipPrivilege	1656	wmic.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exeMeshAgent.execmd.execmd.exe

description	pid	Process	procid_target
PID 4376 wrote to memory of 4668	4376	2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe	87
PID 4376 wrote to memory of 4668	4376	2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe	87
PID 2796 wrote to memory of 1476	2796	MeshAgent.exe	97
PID 2796 wrote to memory of 1476	2796	MeshAgent.exe	97
PID 2796 wrote to memory of 1724	2796	MeshAgent.exe	99
PID 2796 wrote to memory of 1724	2796	MeshAgent.exe	99
PID 2796 wrote to memory of 1656	2796	MeshAgent.exe	101
PID 2796 wrote to memory of 1656	2796	MeshAgent.exe	101
PID 2796 wrote to memory of 5092	2796	MeshAgent.exe	103
PID 2796 wrote to memory of 5092	2796	MeshAgent.exe	103
PID 2796 wrote to memory of 4888	2796	MeshAgent.exe	105
PID 2796 wrote to memory of 4888	2796	MeshAgent.exe	105
PID 2796 wrote to memory of 904	2796	MeshAgent.exe	107
PID 2796 wrote to memory of 904	2796	MeshAgent.exe	107
PID 2796 wrote to memory of 2932	2796	MeshAgent.exe	109
PID 2796 wrote to memory of 2932	2796	MeshAgent.exe	109
PID 2796 wrote to memory of 3980	2796	MeshAgent.exe	114
PID 2796 wrote to memory of 3980	2796	MeshAgent.exe	114
PID 2796 wrote to memory of 956	2796	MeshAgent.exe	117
PID 2796 wrote to memory of 956	2796	MeshAgent.exe	117
PID 2796 wrote to memory of 4664	2796	MeshAgent.exe	125
PID 2796 wrote to memory of 4664	2796	MeshAgent.exe	125
PID 2796 wrote to memory of 2216	2796	MeshAgent.exe	128
PID 2796 wrote to memory of 2216	2796	MeshAgent.exe	128
PID 2216 wrote to memory of 4668	2216	cmd.exe	130
PID 2216 wrote to memory of 4668	2216	cmd.exe	130
PID 2796 wrote to memory of 2292	2796	MeshAgent.exe	132
PID 2796 wrote to memory of 2292	2796	MeshAgent.exe	132
PID 2292 wrote to memory of 2656	2292	cmd.exe	134
PID 2292 wrote to memory of 2656	2292	cmd.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-07_1db373b17f59735e466cf096f4a3b2a1_frostygoop_luca-stealer_poet-rat_snatch.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Roaming\meshagent64-ЭКРАНЫ[email protected]
  "C:\Users\Admin\AppData\Roaming\meshagent64-ЭКРАНЫ[email protected]" -fullinstall
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4668

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:5092
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:4888
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:4668
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db.tmp

Filesize
153KB

MD5
9363ede385b875808400ad7ceb66571c

SHA1
19eefe95b96f85465ceb4b68a92ba79ffb9d3c1c

SHA256
b451487eb48b5b1c88fee8118de4e6cfac70ded285fa607a67208321d489dd4d

SHA512
7bc601389ee3cdb012163d9d804b562ab55665a134a9dbfa41a42a6aed6bf8516feecde5993c8ce7d5eff117e3449236624a625bc70ad9905a06a71882a0cd16

Download Submit
C:\Users\Admin\AppData\Roaming\meshagent64-ЭКРАНЫ[email protected]

Filesize
3.3MB

MD5
9c3de7192e8ed1f42790bee4b5356786

SHA1
5272b834e29e03c3c807aa2b6140c8180d1dc288

SHA256
6dfd22ca602fee5740548b2d61a54e224b790acfa3b412259790145566b52671

SHA512
41b59e32c8bc7240cf7ae415602a9e4d1d4e4b516bb35f3d09de1d2a87fa2a1f405cf30a4f797879188ea06026716426d383c65d237b68dd43ed96bc04093b8f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\5F7D86F16B376678AB2206AA5FFF43BA895F3665

Filesize
1KB

MD5
8c30c70e5fdf8650a5f17999799cef9e

SHA1
5a338048d96ff0adaad35e1b70434d12cccb6f86

SHA256
55e53886fa7ea0f9d579a22639676fd4e400a7b41d8e36a0b968716d94fee6ea

SHA512
b351688eebe6d4484fe9b168945ac5bf2960e10e7261aaf398f16c1f385aa1c251e0536d8ca6800fda1381ec1ee1a929f15637819456a0d03d683e02615a8b68

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_jj3ndi52.5tr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
77ebd6a7d20b8204b95cb4dc65011c5d

SHA1
bfdb833ee8db1b9778f45a5b90fddd80da43e4c5

SHA256
b3b9f69c23369d99c17c1647b5e2821f55200173a8c2789e626792d6e42fabab

SHA512
b7e45e560a29be125e6accedcf603e2b5055da4eafb8f353d03f3f35e92fca0ed0223e3d51e2b93656cfa91c225dedf24307919c1cf44264529ffc1c574f7c58

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
718112bf0dbfa212280211f029dcb3fb

SHA1
c5739c7cc39d47852597576547f84bb5afc0cd9f

SHA256
a8dd32a217ceb22928ef1b97530f73657472578140e8d73169b04697037f554d

SHA512
7249a2b9f6c4dd8ab2edd378a91fc0212bdf85def98ba2d6b385cbab7d73f6422d90b89334964ec205c92789c4386f68cecd682abd1bb34b8c62fc7ee39da669

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2c0bdf06d302688498d4e7f9cd669ab5

SHA1
18186323d93499e03f737f137b4ad795eb7f470b

SHA256
86cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6

SHA512
f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe

Download Submit
memory/956-110-0x000001E0C9580000-0x000001E0C9635000-memory.dmp

Filesize
724KB

Download
memory/2932-47-0x0000017F70F50000-0x0000017F70F72000-memory.dmp

Filesize
136KB

Download
memory/2932-48-0x0000017F71430000-0x0000017F71474000-memory.dmp

Filesize
272KB

Download
memory/2932-49-0x0000017F71500000-0x0000017F71576000-memory.dmp

Filesize
472KB

Download
memory/3980-81-0x0000020B653F0000-0x0000020B654A5000-memory.dmp

Filesize
724KB

Download
memory/3980-84-0x0000020B65340000-0x0000020B6534A000-memory.dmp

Filesize
40KB

Download
memory/3980-85-0x0000020B654F0000-0x0000020B6550A000-memory.dmp

Filesize
104KB

Download
memory/3980-86-0x0000020B654B0000-0x0000020B654B8000-memory.dmp

Filesize
32KB

Download
memory/3980-87-0x0000020B654C0000-0x0000020B654C6000-memory.dmp

Filesize
24KB

Download
memory/3980-88-0x0000020B65510000-0x0000020B6551A000-memory.dmp

Filesize
40KB

Download
memory/3980-83-0x0000020B654D0000-0x0000020B654EC000-memory.dmp

Filesize
112KB

Download
memory/3980-82-0x0000020B65330000-0x0000020B6533A000-memory.dmp

Filesize
40KB

Download
memory/3980-80-0x0000020B65350000-0x0000020B6536C000-memory.dmp

Filesize
112KB

Download
memory/4664-133-0x0000028AF30C0000-0x0000028AF3175000-memory.dmp

Filesize
724KB

Download
memory/4664-134-0x0000028AF3000000-0x0000028AF302A000-memory.dmp

Filesize
168KB

Download
memory/4664-135-0x0000028AF3000000-0x0000028AF3024000-memory.dmp

Filesize
144KB

Download