meshagent | 354578664bb1086e7d9193fdd0374eda91bfed1546ca7325706a52a1a8d601f6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_42867209afb0cd3511bb6e8091ebc90f_frostygoop_luca-stealer_poet-rat_snatch.exe
Size

7.1MB
MD5

42867209afb0cd3511bb6e8091ebc90f
SHA1

ae01caa6c329082baca3633e5189f018f6e64b31
SHA256

354578664bb1086e7d9193fdd0374eda91bfed1546ca7325706a52a1a8d601f6
SHA512

e6484b2e328e63066de87fb03d26f5b49456463705e396b2875525d508e62f4c64344c519a0834a2881672a8494650d6bfc162e137eb19cc2a8c62aa39d2c2ad
SSDEEP

98304:SA47lMQl5tHuC+EoZEdA9rYmBprCfmzsDzs1lMI6jQ:SLMQl5kko7zXsKsvsDSQ

Score

10^/10

meshagent backdoor discovery execution persistence rat trojan

Malware Config

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b53-4.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent64-ЭКРАНЫ[email protected]

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2024-11-11_42867209afb0cd3511bb6e8091ebc90f_frostygoop_luca-stealer_poet-rat_snatch.exe

Executes dropped EXE 3 IoCs

pid	Process
264	meshagent64-ЭКРАНЫ[email protected]
5020	MeshAgent.exe
384	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\bcrypt.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B588688A7E7AB925DDB74C4967B80A0CAA5A4C67	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\916489A08B0C6A34595D3DB62EBA732F21CDA37C	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B588688A7E7AB925DDB74C4967B80A0CAA5A4C67	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\A48F7C6E1E4B64797748547BA9E2DCF63C54A9EA	MeshAgent.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent64-ЭКРАНЫ[email protected]
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1336	powershell.exe
4172	powershell.exe
1668	powershell.exe
976	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-11-11_42867209afb0cd3511bb6e8091ebc90f_frostygoop_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-11-11_42867209afb0cd3511bb6e8091ebc90f_frostygoop_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-11-11_42867209afb0cd3511bb6e8091ebc90f_frostygoop_luca-stealer_poet-rat_snatch.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4172	powershell.exe
4172	powershell.exe
1668	powershell.exe
1668	powershell.exe
976	powershell.exe
976	powershell.exe
1336	powershell.exe
1336	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	724	wmic.exe
Token: SeIncreaseQuotaPrivilege	724	wmic.exe
Token: SeSecurityPrivilege	724	wmic.exe
Token: SeTakeOwnershipPrivilege	724	wmic.exe
Token: SeLoadDriverPrivilege	724	wmic.exe
Token: SeSystemtimePrivilege	724	wmic.exe
Token: SeBackupPrivilege	724	wmic.exe
Token: SeRestorePrivilege	724	wmic.exe
Token: SeShutdownPrivilege	724	wmic.exe
Token: SeSystemEnvironmentPrivilege	724	wmic.exe
Token: SeUndockPrivilege	724	wmic.exe
Token: SeManageVolumePrivilege	724	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	724	wmic.exe
Token: SeIncreaseQuotaPrivilege	724	wmic.exe
Token: SeSecurityPrivilege	724	wmic.exe
Token: SeTakeOwnershipPrivilege	724	wmic.exe
Token: SeLoadDriverPrivilege	724	wmic.exe
Token: SeSystemtimePrivilege	724	wmic.exe
Token: SeBackupPrivilege	724	wmic.exe
Token: SeRestorePrivilege	724	wmic.exe
Token: SeShutdownPrivilege	724	wmic.exe
Token: SeSystemEnvironmentPrivilege	724	wmic.exe
Token: SeUndockPrivilege	724	wmic.exe
Token: SeManageVolumePrivilege	724	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2104	wmic.exe
Token: SeIncreaseQuotaPrivilege	2104	wmic.exe
Token: SeSecurityPrivilege	2104	wmic.exe
Token: SeTakeOwnershipPrivilege	2104	wmic.exe
Token: SeLoadDriverPrivilege	2104	wmic.exe
Token: SeSystemtimePrivilege	2104	wmic.exe
Token: SeBackupPrivilege	2104	wmic.exe
Token: SeRestorePrivilege	2104	wmic.exe
Token: SeShutdownPrivilege	2104	wmic.exe
Token: SeSystemEnvironmentPrivilege	2104	wmic.exe
Token: SeUndockPrivilege	2104	wmic.exe
Token: SeManageVolumePrivilege	2104	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2104	wmic.exe
Token: SeIncreaseQuotaPrivilege	2104	wmic.exe
Token: SeSecurityPrivilege	2104	wmic.exe
Token: SeTakeOwnershipPrivilege	2104	wmic.exe
Token: SeLoadDriverPrivilege	2104	wmic.exe
Token: SeSystemtimePrivilege	2104	wmic.exe
Token: SeBackupPrivilege	2104	wmic.exe
Token: SeRestorePrivilege	2104	wmic.exe
Token: SeShutdownPrivilege	2104	wmic.exe
Token: SeSystemEnvironmentPrivilege	2104	wmic.exe
Token: SeUndockPrivilege	2104	wmic.exe
Token: SeManageVolumePrivilege	2104	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1172	wmic.exe
Token: SeIncreaseQuotaPrivilege	1172	wmic.exe
Token: SeSecurityPrivilege	1172	wmic.exe
Token: SeTakeOwnershipPrivilege	1172	wmic.exe
Token: SeLoadDriverPrivilege	1172	wmic.exe
Token: SeSystemtimePrivilege	1172	wmic.exe
Token: SeBackupPrivilege	1172	wmic.exe
Token: SeRestorePrivilege	1172	wmic.exe
Token: SeShutdownPrivilege	1172	wmic.exe
Token: SeSystemEnvironmentPrivilege	1172	wmic.exe
Token: SeUndockPrivilege	1172	wmic.exe
Token: SeManageVolumePrivilege	1172	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1172	wmic.exe
Token: SeIncreaseQuotaPrivilege	1172	wmic.exe
Token: SeSecurityPrivilege	1172	wmic.exe
Token: SeTakeOwnershipPrivilege	1172	wmic.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 264	972	2024-11-11_42867209afb0cd3511bb6e8091ebc90f_frostygoop_luca-stealer_poet-rat_snatch.exe	88
PID 972 wrote to memory of 264	972	2024-11-11_42867209afb0cd3511bb6e8091ebc90f_frostygoop_luca-stealer_poet-rat_snatch.exe	88
PID 5020 wrote to memory of 724	5020	MeshAgent.exe	95
PID 5020 wrote to memory of 724	5020	MeshAgent.exe	95
PID 5020 wrote to memory of 2104	5020	MeshAgent.exe	97
PID 5020 wrote to memory of 2104	5020	MeshAgent.exe	97
PID 5020 wrote to memory of 1172	5020	MeshAgent.exe	99
PID 5020 wrote to memory of 1172	5020	MeshAgent.exe	99
PID 5020 wrote to memory of 1980	5020	MeshAgent.exe	101
PID 5020 wrote to memory of 1980	5020	MeshAgent.exe	101
PID 5020 wrote to memory of 1228	5020	MeshAgent.exe	103
PID 5020 wrote to memory of 1228	5020	MeshAgent.exe	103
PID 5020 wrote to memory of 2712	5020	MeshAgent.exe	105
PID 5020 wrote to memory of 2712	5020	MeshAgent.exe	105
PID 384 wrote to memory of 4764	384	MeshAgent.exe	111
PID 384 wrote to memory of 4764	384	MeshAgent.exe	111
PID 384 wrote to memory of 5004	384	MeshAgent.exe	113
PID 384 wrote to memory of 5004	384	MeshAgent.exe	113
PID 384 wrote to memory of 4800	384	MeshAgent.exe	115
PID 384 wrote to memory of 4800	384	MeshAgent.exe	115
PID 384 wrote to memory of 4832	384	MeshAgent.exe	117
PID 384 wrote to memory of 4832	384	MeshAgent.exe	117
PID 384 wrote to memory of 4696	384	MeshAgent.exe	119
PID 384 wrote to memory of 4696	384	MeshAgent.exe	119
PID 384 wrote to memory of 4172	384	MeshAgent.exe	121
PID 384 wrote to memory of 4172	384	MeshAgent.exe	121
PID 384 wrote to memory of 1668	384	MeshAgent.exe	123
PID 384 wrote to memory of 1668	384	MeshAgent.exe	123
PID 384 wrote to memory of 976	384	MeshAgent.exe	125
PID 384 wrote to memory of 976	384	MeshAgent.exe	125
PID 384 wrote to memory of 1336	384	MeshAgent.exe	128
PID 384 wrote to memory of 1336	384	MeshAgent.exe	128
PID 384 wrote to memory of 380	384	MeshAgent.exe	130
PID 384 wrote to memory of 380	384	MeshAgent.exe	130
PID 380 wrote to memory of 772	380	cmd.exe	132
PID 380 wrote to memory of 772	380	cmd.exe	132
PID 384 wrote to memory of 1724	384	MeshAgent.exe	133
PID 384 wrote to memory of 1724	384	MeshAgent.exe	133
PID 1724 wrote to memory of 1308	1724	cmd.exe	135
PID 1724 wrote to memory of 1308	1724	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-11-11_42867209afb0cd3511bb6e8091ebc90f_frostygoop_luca-stealer_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_42867209afb0cd3511bb6e8091ebc90f_frostygoop_luca-stealer_poet-rat_snatch.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:972
- C:\Users\Admin\AppData\Roaming\meshagent64-ЭКРАНЫ[email protected]
  "C:\Users\Admin\AppData\Roaming\meshagent64-ЭКРАНЫ[email protected]" -fullinstall
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:264

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:724
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:1980
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:1228
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2712

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:4764
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:5004
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:4800
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:4832
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1336
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
153KB

MD5
b7262cd197053444639042497dca3943

SHA1
7cbe8c44e64e4c6fe688b35af99874beb38a2586

SHA256
0365acbcbb9cd4d22a7aeca645bb5f0b8b326fd2a2f55d975b7713b85e4e6fe2

SHA512
23e081d1a393283d2f9b34239a6989e77a8754fff909a38718246fce8ebeff7425a049e4b5fc1ccb3d25aed1068a24af541c0a60fb3bd9623dd72e2e7efe5e07

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.msh

Filesize
31KB

MD5
aeacd4a02f8c57f5b2e295035089645b

SHA1
53358ad49431d9ff1333d190d8da7663980c100a

SHA256
66b7a8906d4b885846f72bfc90d552abb2c4c61bf722ee6bf40552c4c1081b4c

SHA512
15191dbfaf3d5b16f572eb1806cf102da6d915d70e67ce15eec744dd7c7b869c6174e1cc44763ac0b4b3154eb304172e00b4e9b1bd9e6e85364a76078ef0490e

Download Submit
C:\Users\Admin\AppData\Roaming\meshagent64-ЭКРАНЫ[email protected]

Filesize
3.3MB

MD5
9c3de7192e8ed1f42790bee4b5356786

SHA1
5272b834e29e03c3c807aa2b6140c8180d1dc288

SHA256
6dfd22ca602fee5740548b2d61a54e224b790acfa3b412259790145566b52671

SHA512
41b59e32c8bc7240cf7ae415602a9e4d1d4e4b516bb35f3d09de1d2a87fa2a1f405cf30a4f797879188ea06026716426d383c65d237b68dd43ed96bc04093b8f

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_inn3kdkd.z2m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
0df934cbb027c5e7f17d815e171877b5

SHA1
e9cc1c1df53071c90ddb0630bc28de8c3a6ecb7c

SHA256
b254b7f293ef76007f851bddd9056ddf636539b8ddfdcffe3a0b7721ddce11bd

SHA512
3b5403ce8676735117e19a8062c67f5b1298f06cec997af68d0210a719e0bb8364491941c356cf85fe9b1b102ade51c9e3b7094a8b4562606dcb56f76839ac79

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2c0bdf06d302688498d4e7f9cd669ab5

SHA1
18186323d93499e03f737f137b4ad795eb7f470b

SHA256
86cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6

SHA512
f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\1B30432103B6744DFCF7B376C283A5F56270D53F

Filesize
1KB

MD5
909b8357b6b8f91376874f2b68f4a5a1

SHA1
278f9f7761a3169f037a457b76bb5b83cc7784c6

SHA256
aa07fa2163b6f68b88537479bf9d4c5b803093636c11889a5cdb34062ed1010c

SHA512
88ce825e7bbf6f17b7d48e051037b3920f2b171222f66f209d196751e6803d08444058c0161535b35461551c6ef77b1dd78a59f73c300a6cc029a7431bdfda86

Download Submit
memory/1336-141-0x0000015DD1990000-0x0000015DD19B4000-memory.dmp

Filesize
144KB

Download
memory/1336-140-0x0000015DD1990000-0x0000015DD19BA000-memory.dmp

Filesize
168KB

Download
memory/1336-139-0x0000015DD1A40000-0x0000015DD1AF5000-memory.dmp

Filesize
724KB

Download
memory/1668-87-0x0000029CC8C60000-0x0000029CC8C7C000-memory.dmp

Filesize
112KB

Download
memory/1668-89-0x0000029CC8BC0000-0x0000029CC8BCA000-memory.dmp

Filesize
40KB

Download
memory/1668-90-0x0000029CC8DE0000-0x0000029CC8DFC000-memory.dmp

Filesize
112KB

Download
memory/1668-91-0x0000029CC8C80000-0x0000029CC8C8A000-memory.dmp

Filesize
40KB

Download
memory/1668-92-0x0000029CC8E20000-0x0000029CC8E3A000-memory.dmp

Filesize
104KB

Download
memory/1668-98-0x0000029CC8C90000-0x0000029CC8C98000-memory.dmp

Filesize
32KB

Download
memory/1668-103-0x0000029CC8E00000-0x0000029CC8E06000-memory.dmp

Filesize
24KB

Download
memory/1668-104-0x0000029CC8E10000-0x0000029CC8E1A000-memory.dmp

Filesize
40KB

Download
memory/1668-88-0x0000029CC8D20000-0x0000029CC8DD5000-memory.dmp

Filesize
724KB

Download
memory/4172-62-0x00000258ED170000-0x00000258ED1E6000-memory.dmp

Filesize
472KB

Download
memory/4172-61-0x00000258ED0A0000-0x00000258ED0E4000-memory.dmp

Filesize
272KB

Download
memory/4172-51-0x00000258ECBE0000-0x00000258ECC02000-memory.dmp

Filesize
136KB

Download