glupteba | f007f850a708b041bf4b8d6d97c59a004b57232d3642d9292cb349abb183dc5f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Size

9.1MB
MD5

7d31b20c88ee1938102f889b63f4105b
SHA1

1bbad6d8ee432927a6ae5e300a9d5a70bbe03fad
SHA256

f007f850a708b041bf4b8d6d97c59a004b57232d3642d9292cb349abb183dc5f
SHA512

d854b299772ab46cd677e6814a84711e8c2e447963e61a31cfe188995c7fd84f756ab0fec0b298e314a7f139e790c56bd5418a98737c84978cbc530e4c457789
SSDEEP

98304:GHxMZDJ1TRpxYVX9u2IazANfQhZytTD5iqE:sxEvYjVzANIhwN

Score

10^/10

glupteba discovery dropper evasion execution loader persistence privilege_escalation rootkit

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b7d-126.dat	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2040	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
4900	csrss.exe
2052	injector.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
File created	C:\Windows\rss\csrss.exe	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
940	powershell.exe
4672	powershell.exe
1084	powershell.exe
940	powershell.exe
4344	powershell.exe
2932	powershell.exe
4848	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4156	schtasks.exe
4948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
940	powershell.exe
940	powershell.exe
3788	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
3788	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
4344	powershell.exe
4344	powershell.exe
2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
2932	powershell.exe
2932	powershell.exe
2932	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
940	powershell.exe
940	powershell.exe
4672	powershell.exe
4672	powershell.exe
1084	powershell.exe
1084	powershell.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
4900	csrss.exe
2052	injector.exe
4900	csrss.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
4900	csrss.exe
4900	csrss.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe
2052	injector.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	3788	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Token: SeImpersonatePrivilege	3788	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeSystemEnvironmentPrivilege	4900	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 940	3788	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	87
PID 3788 wrote to memory of 940	3788	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	87
PID 3788 wrote to memory of 940	3788	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	87
PID 2644 wrote to memory of 4344	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	96
PID 2644 wrote to memory of 4344	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	96
PID 2644 wrote to memory of 4344	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	96
PID 2644 wrote to memory of 4044	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	100
PID 2644 wrote to memory of 4044	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	100
PID 4044 wrote to memory of 2040	4044	cmd.exe	102
PID 4044 wrote to memory of 2040	4044	cmd.exe	102
PID 2644 wrote to memory of 2932	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	103
PID 2644 wrote to memory of 2932	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	103
PID 2644 wrote to memory of 2932	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	103
PID 2644 wrote to memory of 4848	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	105
PID 2644 wrote to memory of 4848	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	105
PID 2644 wrote to memory of 4848	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	105
PID 2644 wrote to memory of 4900	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	107
PID 2644 wrote to memory of 4900	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	107
PID 2644 wrote to memory of 4900	2644	2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe	107
PID 4900 wrote to memory of 940	4900	csrss.exe	108
PID 4900 wrote to memory of 940	4900	csrss.exe	108
PID 4900 wrote to memory of 940	4900	csrss.exe	108
PID 4900 wrote to memory of 4672	4900	csrss.exe	114
PID 4900 wrote to memory of 4672	4900	csrss.exe	114
PID 4900 wrote to memory of 4672	4900	csrss.exe	114
PID 4900 wrote to memory of 1084	4900	csrss.exe	116
PID 4900 wrote to memory of 1084	4900	csrss.exe	116
PID 4900 wrote to memory of 1084	4900	csrss.exe	116
PID 4900 wrote to memory of 2052	4900	csrss.exe	118
PID 4900 wrote to memory of 2052	4900	csrss.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Users\Admin\AppData\Local\Temp\2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:940
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4156
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2052
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_roftm0cu.5p2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b6ced01f4b798ac3a619835da677639b

SHA1
e03deaa536df53332143e68dd216ca769b746830

SHA256
e8ac1bef807e4e869521f4447dc45c21586319c2254ee1de95466d32090e3384

SHA512
72b5bee0a50c81509c3c8d6684a63e0f42781716c1ec33c164c92244667bc4e0d634d77fb12250d920b585d05ea25e389a436d184b774d61fb1f0345671a04c4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
336abd7342a84c7c0fb75da0514a4278

SHA1
109672669b93993183f82555a57ceeae7bbd348f

SHA256
c450a49aa45f878418374f9722cafcf5fc0d5b2212565a34db5e0d63616c5419

SHA512
a73dda261a897c1cb635edeb30029c9948d3aca862f2ccef8f3acbc999b42a189676a475cd6b3a92e88743e5fad5417ee74c26a681f74d9ac53184506c1f856a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2fa1a2cff8c935b5367cb151e83d48b8

SHA1
ef6b9b43f70d5aa05d76955b72dd8c19802650c8

SHA256
955c2f666e5277b9714760db5fc576c47e880dc5595da24fdc2cbe642513264c

SHA512
d9b538cffc241b9dfebdb24efcfdae2a0b4842823dea4d92aa574e59d7394cdde92f6be7696bcc96c543212dc7e6cfcb33307a63b2795b5af23234eab5032c5d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
064a613c0a46efb47d5ef3fea750d755

SHA1
c02c01c742a26529d82fe08607f8f7758482a534

SHA256
fa2ca06bac5fd557b974b6dbc52beb5806a10529d5a488e815a014b3e2a1ed6d

SHA512
b63ccf3c24824eaf83d02fce7144f1205736a8ed30c74a6642ba03bff06c83ff6d7d8c0f5b7ff981f91f2ccd987337b9310875a3e0afa6ddae18b2ea567cd541

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b230709c60ac4ad3351829759ca42b65

SHA1
5fbb5f34348e8c44c0971c8a5c50b824c44c0861

SHA256
b6e7104ab94dc82c245088ab6ec6e449bc0e5891031b6ad20cbe2eb8fb3c98ea

SHA512
577dc803d930195a97277fd5e6048cdcb761dca4176bb97182d229067619c92bb8eb0ab586ad16b1191d4b1b9f9aa3415cf4a5416da0a791ba8f8118e3708802

Download Submit
C:\Windows\rss\csrss.exe

Filesize
9.1MB

MD5
7d31b20c88ee1938102f889b63f4105b

SHA1
1bbad6d8ee432927a6ae5e300a9d5a70bbe03fad

SHA256
f007f850a708b041bf4b8d6d97c59a004b57232d3642d9292cb349abb183dc5f

SHA512
d854b299772ab46cd677e6814a84711e8c2e447963e61a31cfe188995c7fd84f756ab0fec0b298e314a7f139e790c56bd5418a98737c84978cbc530e4c457789

Download Submit
memory/940-141-0x0000000070A00000-0x0000000070D54000-memory.dmp

Filesize
3.3MB

Download
memory/940-140-0x0000000070240000-0x000000007028C000-memory.dmp

Filesize
304KB

Download
memory/940-19-0x0000000006BB0000-0x0000000006BF4000-memory.dmp

Filesize
272KB

Download
memory/940-20-0x0000000007960000-0x00000000079D6000-memory.dmp

Filesize
472KB

Download
memory/940-21-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/940-22-0x00000000079E0000-0x00000000079FA000-memory.dmp

Filesize
104KB

Download
memory/940-25-0x0000000070360000-0x00000000706B4000-memory.dmp

Filesize
3.3MB

Download
memory/940-31-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/940-24-0x00000000701E0000-0x000000007022C000-memory.dmp

Filesize
304KB

Download
memory/940-23-0x0000000007BA0000-0x0000000007BD2000-memory.dmp

Filesize
200KB

Download
memory/940-36-0x0000000007BE0000-0x0000000007BFE000-memory.dmp

Filesize
120KB

Download
memory/940-37-0x0000000007C00000-0x0000000007CA3000-memory.dmp

Filesize
652KB

Download
memory/940-38-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/940-39-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

Filesize
40KB

Download
memory/940-40-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/940-41-0x0000000007DB0000-0x0000000007E46000-memory.dmp

Filesize
600KB

Download
memory/940-42-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/940-43-0x0000000007D30000-0x0000000007D41000-memory.dmp

Filesize
68KB

Download
memory/940-44-0x0000000007D70000-0x0000000007D7E000-memory.dmp

Filesize
56KB

Download
memory/940-45-0x0000000007D80000-0x0000000007D94000-memory.dmp

Filesize
80KB

Download
memory/940-46-0x0000000007E70000-0x0000000007E8A000-memory.dmp

Filesize
104KB

Download
memory/940-47-0x0000000007E60000-0x0000000007E68000-memory.dmp

Filesize
32KB

Download
memory/940-50-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/940-1-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download
memory/940-2-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/940-3-0x0000000005860000-0x0000000005E88000-memory.dmp

Filesize
6.2MB

Download
memory/940-153-0x0000000005A60000-0x0000000005A74000-memory.dmp

Filesize
80KB

Download
memory/940-152-0x0000000005A10000-0x0000000005A21000-memory.dmp

Filesize
68KB

Download
memory/940-151-0x0000000006E80000-0x0000000006F23000-memory.dmp

Filesize
652KB

Download
memory/940-18-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/940-17-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/940-0-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/940-16-0x0000000006020000-0x0000000006374000-memory.dmp

Filesize
3.3MB

Download
memory/940-139-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

Filesize
304KB

Download
memory/940-4-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/940-6-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/940-128-0x0000000005550000-0x00000000058A4000-memory.dmp

Filesize
3.3MB

Download
memory/940-5-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/1084-191-0x0000000006050000-0x00000000063A4000-memory.dmp

Filesize
3.3MB

Download
memory/1084-194-0x0000000070910000-0x0000000070C64000-memory.dmp

Filesize
3.3MB

Download
memory/1084-193-0x0000000070160000-0x00000000701AC000-memory.dmp

Filesize
304KB

Download
memory/2932-91-0x0000000070A80000-0x0000000070DD4000-memory.dmp

Filesize
3.3MB

Download
memory/2932-90-0x00000000702E0000-0x000000007032C000-memory.dmp

Filesize
304KB

Download
memory/2932-88-0x0000000005500000-0x0000000005854000-memory.dmp

Filesize
3.3MB

Download
memory/4344-63-0x00000000704A0000-0x00000000707F4000-memory.dmp

Filesize
3.3MB

Download
memory/4344-73-0x0000000007470000-0x0000000007513000-memory.dmp

Filesize
652KB

Download
memory/4344-62-0x00000000702E0000-0x000000007032C000-memory.dmp

Filesize
304KB

Download
memory/4344-60-0x0000000005C10000-0x0000000005F64000-memory.dmp

Filesize
3.3MB

Download
memory/4344-75-0x00000000077E0000-0x00000000077F4000-memory.dmp

Filesize
80KB

Download
memory/4344-61-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/4344-74-0x0000000007790000-0x00000000077A1000-memory.dmp

Filesize
68KB

Download
memory/4672-180-0x0000000005A10000-0x0000000005A24000-memory.dmp

Filesize
80KB

Download
memory/4672-178-0x0000000006E20000-0x0000000006EC3000-memory.dmp

Filesize
652KB

Download
memory/4672-179-0x00000000059D0000-0x00000000059E1000-memory.dmp

Filesize
68KB

Download
memory/4672-168-0x00000000708F0000-0x0000000070C44000-memory.dmp

Filesize
3.3MB

Download
memory/4672-167-0x0000000070160000-0x00000000701AC000-memory.dmp

Filesize
304KB

Download
memory/4672-166-0x0000000005C00000-0x0000000005C4C000-memory.dmp

Filesize
304KB

Download
memory/4672-160-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/4848-112-0x00000000702E0000-0x000000007032C000-memory.dmp

Filesize
304KB

Download
memory/4848-113-0x0000000070A80000-0x0000000070DD4000-memory.dmp

Filesize
3.3MB

Download