glupteba | 30d781083f98cf9197b61b69f5bca602c94a24192e763c471ba37ad490c561d2

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2025, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Size

9.1MB
MD5

c58f25c810c785f05813475023121031
SHA1

6df0a077acb531e0be99bc471150cbe0afbd0679
SHA256

30d781083f98cf9197b61b69f5bca602c94a24192e763c471ba37ad490c561d2
SHA512

8f07a198dd1da03c98f6890654804400f4bff688d3c09e1ddbfcf8a06e5cb382e06864458e1060bdedb37d7443d27da3a80c9c18efa32f82575901a0d84d34b6
SSDEEP

98304:GHxMZDJ1TRpxYVX9u2IazANfdhZytTD5iqm:sxEvYjVzAN1hwN

Score

10^/10

glupteba defense_evasion discovery dropper execution loader persistence privilege_escalation rootkit

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Glupteba family
glupteba

Glupteba payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000024220-127.dat	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5952	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
4996	csrss.exe
2960	injector.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit defense_evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
File opened for modification	C:\Windows\rss	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5820	powershell.exe
5364	powershell.exe
2356	powershell.exe
552	powershell.exe
5012	powershell.exe
5408	powershell.exe
5020	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4648	schtasks.exe
5868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5820	powershell.exe
5820	powershell.exe
5948	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
5948	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
5364	powershell.exe
5364	powershell.exe
2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2356	powershell.exe
2356	powershell.exe
552	powershell.exe
552	powershell.exe
5012	powershell.exe
5012	powershell.exe
5408	powershell.exe
5408	powershell.exe
5020	powershell.exe
5020	powershell.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
4996	csrss.exe
4996	csrss.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
4996	csrss.exe
4996	csrss.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe
2960	injector.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	5948	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Token: SeImpersonatePrivilege	5948	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Token: SeDebugPrivilege	5364	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	5408	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeSystemEnvironmentPrivilege	4996	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5948 wrote to memory of 5820	5948	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	89
PID 5948 wrote to memory of 5820	5948	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	89
PID 5948 wrote to memory of 5820	5948	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	89
PID 2060 wrote to memory of 5364	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	94
PID 2060 wrote to memory of 5364	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	94
PID 2060 wrote to memory of 5364	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	94
PID 2060 wrote to memory of 1888	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	96
PID 2060 wrote to memory of 1888	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	96
PID 1888 wrote to memory of 5952	1888	cmd.exe	98
PID 1888 wrote to memory of 5952	1888	cmd.exe	98
PID 2060 wrote to memory of 2356	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	99
PID 2060 wrote to memory of 2356	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	99
PID 2060 wrote to memory of 2356	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	99
PID 2060 wrote to memory of 552	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	101
PID 2060 wrote to memory of 552	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	101
PID 2060 wrote to memory of 552	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	101
PID 2060 wrote to memory of 4996	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	103
PID 2060 wrote to memory of 4996	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	103
PID 2060 wrote to memory of 4996	2060	2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	103
PID 4996 wrote to memory of 5012	4996	csrss.exe	104
PID 4996 wrote to memory of 5012	4996	csrss.exe	104
PID 4996 wrote to memory of 5012	4996	csrss.exe	104
PID 4996 wrote to memory of 5408	4996	csrss.exe	109
PID 4996 wrote to memory of 5408	4996	csrss.exe	109
PID 4996 wrote to memory of 5408	4996	csrss.exe	109
PID 4996 wrote to memory of 5020	4996	csrss.exe	112
PID 4996 wrote to memory of 5020	4996	csrss.exe	112
PID 4996 wrote to memory of 5020	4996	csrss.exe	112
PID 4996 wrote to memory of 2960	4996	csrss.exe	114
PID 4996 wrote to memory of 2960	4996	csrss.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5820
- C:\Users\Admin\AppData\Local\Temp\2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-17_c58f25c810c785f05813475023121031_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5012
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5868
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2960
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u0x4yfh1.x4r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c7184f3fc55515d97ff7a838c03939ad

SHA1
0ae5690269cd66ec15ee9b34038a6b490db09488

SHA256
abe5dfe01c23804dd11087e2302b4a247a417139e49a3a26089f586f87f567cc

SHA512
9eb2f57459f52f2ba7c8b7a023e051ae8a0270eb97a9116ceb3835759e6f9d51a0c5961b985148258e3d7cdef5344476871b709f2fbe91cba6603bb17fd3ef85

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6ba79e8062c1f1d5ed18f2063ec46ec1

SHA1
480fff4d1dcd7c30cc97b0d22549a823b3afd944

SHA256
249ee27fe5daea764dd25ced616b6c175c9dbe55c950062952eea3ac6ff6d515

SHA512
6adfe749904c771943ca7a309a934cd20b40db0a13ac7d6f3cdeeb6c5c198bf63483d45331ffdfa360790efedc8df63ee9815b058592451dca9c7793b7e2d062

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
27d179c959461ac30f6fa235bb5526bd

SHA1
50b0c46890f633876e10c635565e783230a608a8

SHA256
1d3a597d9a5e61a109a81117aa2119faa2875c988c9cc7fe8e96f21f32cf2a85

SHA512
409fc6affff84cfbfb2887a8c136ca7a975a4523b8f1985991c43126b0a1d18363a2137d51c532058f677817765ffc9dc2666cb39fb73475ed927c3f64203f4a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
443e7bd59010166026ac35cba77880e1

SHA1
ecb229f5d671c0b1729f2232a899bfa1f87c1c25

SHA256
a571e0f52f9d1e658700b10f0064b8bd7594180ade42f144838b44f8e0e6737d

SHA512
d8baa6e1bbad3fc941ff09216bc9ecb498d78fbfff34b8910cd4aef628b8d63633e4610e351e33917d3693e2ef92f686245d030a27ea44d2a53905cd0c80fe3c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c9844afa306a66813b2d0ffc9fbc3873

SHA1
130ff9d3bdcda0426497519b3d0b9ce59dde952a

SHA256
7f3a65845befbc1df0dfaee730b5897559cf8c7a3ae27432f25c8ae246aa668c

SHA512
374f6550e76041c73c027315796c26a57bf94231b55d2695b8d5bb91654839bc9c34a1b725d9e5a600c76979e4df1b7e63fd55ec2122cbeeefd200ca68dc0403

Download Submit
C:\Windows\rss\csrss.exe

Filesize
9.1MB

MD5
c58f25c810c785f05813475023121031

SHA1
6df0a077acb531e0be99bc471150cbe0afbd0679

SHA256
30d781083f98cf9197b61b69f5bca602c94a24192e763c471ba37ad490c561d2

SHA512
8f07a198dd1da03c98f6890654804400f4bff688d3c09e1ddbfcf8a06e5cb382e06864458e1060bdedb37d7443d27da3a80c9c18efa32f82575901a0d84d34b6

Download Submit
memory/552-113-0x0000000070190000-0x00000000701DC000-memory.dmp

Filesize
304KB

Download
memory/552-114-0x0000000070930000-0x0000000070C84000-memory.dmp

Filesize
3.3MB

Download
memory/2356-89-0x0000000005830000-0x0000000005B84000-memory.dmp

Filesize
3.3MB

Download
memory/2356-91-0x0000000070190000-0x00000000701DC000-memory.dmp

Filesize
304KB

Download
memory/2356-92-0x0000000070320000-0x0000000070674000-memory.dmp

Filesize
3.3MB

Download
memory/5012-154-0x0000000005340000-0x0000000005354000-memory.dmp

Filesize
80KB

Download
memory/5012-138-0x00000000055A0000-0x00000000058F4000-memory.dmp

Filesize
3.3MB

Download
memory/5012-152-0x0000000006D50000-0x0000000006DF3000-memory.dmp

Filesize
652KB

Download
memory/5012-153-0x0000000007050000-0x0000000007061000-memory.dmp

Filesize
68KB

Download
memory/5012-140-0x0000000005E70000-0x0000000005EBC000-memory.dmp

Filesize
304KB

Download
memory/5012-141-0x00000000700F0000-0x000000007013C000-memory.dmp

Filesize
304KB

Download
memory/5012-142-0x0000000070270000-0x00000000705C4000-memory.dmp

Filesize
3.3MB

Download
memory/5020-192-0x00000000058D0000-0x0000000005C24000-memory.dmp

Filesize
3.3MB

Download
memory/5020-194-0x0000000070010000-0x000000007005C000-memory.dmp

Filesize
304KB

Download
memory/5020-195-0x00000000707A0000-0x0000000070AF4000-memory.dmp

Filesize
3.3MB

Download
memory/5364-62-0x0000000006DA0000-0x0000000006DEC000-memory.dmp

Filesize
304KB

Download
memory/5364-61-0x0000000006290000-0x00000000065E4000-memory.dmp

Filesize
3.3MB

Download
memory/5364-74-0x0000000007AB0000-0x0000000007B53000-memory.dmp

Filesize
652KB

Download
memory/5364-64-0x0000000070930000-0x0000000070C84000-memory.dmp

Filesize
3.3MB

Download
memory/5364-75-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

Filesize
68KB

Download
memory/5364-63-0x0000000070190000-0x00000000701DC000-memory.dmp

Filesize
304KB

Download
memory/5364-76-0x0000000007E00000-0x0000000007E14000-memory.dmp

Filesize
80KB

Download
memory/5408-179-0x0000000007040000-0x00000000070E3000-memory.dmp

Filesize
652KB

Download
memory/5408-165-0x00000000058D0000-0x0000000005C24000-memory.dmp

Filesize
3.3MB

Download
memory/5408-167-0x0000000006330000-0x000000000637C000-memory.dmp

Filesize
304KB

Download
memory/5408-168-0x0000000070010000-0x000000007005C000-memory.dmp

Filesize
304KB

Download
memory/5408-169-0x0000000070190000-0x00000000704E4000-memory.dmp

Filesize
3.3MB

Download
memory/5408-180-0x0000000005680000-0x0000000005691000-memory.dmp

Filesize
68KB

Download
memory/5408-181-0x0000000005C30000-0x0000000005C44000-memory.dmp

Filesize
80KB

Download
memory/5820-24-0x00000000072B0000-0x00000000072E2000-memory.dmp

Filesize
200KB

Download
memory/5820-19-0x0000000005DD0000-0x0000000005E1C000-memory.dmp

Filesize
304KB

Download
memory/5820-41-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/5820-40-0x0000000007400000-0x000000000740A000-memory.dmp

Filesize
40KB

Download
memory/5820-39-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/5820-38-0x0000000007310000-0x00000000073B3000-memory.dmp

Filesize
652KB

Download
memory/5820-37-0x00000000072F0000-0x000000000730E000-memory.dmp

Filesize
120KB

Download
memory/5820-27-0x0000000070640000-0x0000000070994000-memory.dmp

Filesize
3.3MB

Download
memory/5820-26-0x0000000070090000-0x00000000700DC000-memory.dmp

Filesize
304KB

Download
memory/5820-42-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/5820-25-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/5820-23-0x00000000070F0000-0x000000000710A000-memory.dmp

Filesize
104KB

Download
memory/5820-22-0x0000000007770000-0x0000000007DEA000-memory.dmp

Filesize
6.5MB

Download
memory/5820-21-0x0000000007070000-0x00000000070E6000-memory.dmp

Filesize
472KB

Download
memory/5820-20-0x00000000062A0000-0x00000000062E4000-memory.dmp

Filesize
272KB

Download
memory/5820-0-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/5820-18-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/5820-17-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/5820-6-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/5820-51-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/5820-7-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/5820-48-0x0000000007560000-0x0000000007568000-memory.dmp

Filesize
32KB

Download
memory/5820-47-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/5820-46-0x0000000007490000-0x00000000074A4000-memory.dmp

Filesize
80KB

Download
memory/5820-45-0x0000000007480000-0x000000000748E000-memory.dmp

Filesize
56KB

Download
memory/5820-44-0x0000000007440000-0x0000000007451000-memory.dmp

Filesize
68KB

Download
memory/5820-43-0x00000000074C0000-0x0000000007556000-memory.dmp

Filesize
600KB

Download
memory/5820-5-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

Filesize
136KB

Download
memory/5820-4-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/5820-3-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/5820-2-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/5820-1-0x00000000026D0000-0x0000000002706000-memory.dmp

Filesize
216KB

Download