glupteba | 7bae35b6fa35180dc42458a694ad1fc142b6d970bb4b927999b848aa83e7c9fe

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Size

9.1MB
MD5

7b47039f00f36085670862083e85add0
SHA1

ceae93e8e3cdf8e32158e362f54faaf4596c76d0
SHA256

7bae35b6fa35180dc42458a694ad1fc142b6d970bb4b927999b848aa83e7c9fe
SHA512

6257a31c1a5c92b9e141e5146537ffecdb90cc4a27d900a031073abe0a24b39b301556102dd551c83f36c8079536b0825842ea74ce285106b49bef3346e7a95a
SSDEEP

98304:GHxMZDJ1TRpxYVX9u2IazANf6hZytTD5iq6t:sxEvYjVzANihwNm

Score

10^/10

glupteba defense_evasion discovery dropper execution loader persistence privilege_escalation rootkit

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Glupteba family
glupteba

Glupteba payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023f8f-129.dat	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
732	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
4412	csrss.exe
3740	injector.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit defense_evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
File created	C:\Windows\rss\csrss.exe	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4592	powershell.exe
4276	powershell.exe
1324	powershell.exe
4584	powershell.exe
4856	powershell.exe
5112	powershell.exe
4976	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
632	schtasks.exe
4312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1324	powershell.exe
1324	powershell.exe
1364	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
1364	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
4856	powershell.exe
4856	powershell.exe
4856	powershell.exe
5112	powershell.exe
5112	powershell.exe
5112	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4592	powershell.exe
4592	powershell.exe
4276	powershell.exe
4276	powershell.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
4412	csrss.exe
4412	csrss.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
4412	csrss.exe
4412	csrss.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe
3740	injector.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1364	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Token: SeImpersonatePrivilege	1364	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeSystemEnvironmentPrivilege	4412	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1324	1364	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	89
PID 1364 wrote to memory of 1324	1364	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	89
PID 1364 wrote to memory of 1324	1364	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	89
PID 2320 wrote to memory of 4584	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	98
PID 2320 wrote to memory of 4584	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	98
PID 2320 wrote to memory of 4584	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	98
PID 2320 wrote to memory of 4668	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	101
PID 2320 wrote to memory of 4668	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	101
PID 4668 wrote to memory of 732	4668	cmd.exe	103
PID 4668 wrote to memory of 732	4668	cmd.exe	103
PID 2320 wrote to memory of 4856	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	104
PID 2320 wrote to memory of 4856	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	104
PID 2320 wrote to memory of 4856	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	104
PID 2320 wrote to memory of 5112	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	106
PID 2320 wrote to memory of 5112	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	106
PID 2320 wrote to memory of 5112	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	106
PID 2320 wrote to memory of 4412	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	109
PID 2320 wrote to memory of 4412	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	109
PID 2320 wrote to memory of 4412	2320	2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	109
PID 4412 wrote to memory of 4976	4412	csrss.exe	110
PID 4412 wrote to memory of 4976	4412	csrss.exe	110
PID 4412 wrote to memory of 4976	4412	csrss.exe	110
PID 4412 wrote to memory of 4592	4412	csrss.exe	115
PID 4412 wrote to memory of 4592	4412	csrss.exe	115
PID 4412 wrote to memory of 4592	4412	csrss.exe	115
PID 4412 wrote to memory of 4276	4412	csrss.exe	118
PID 4412 wrote to memory of 4276	4412	csrss.exe	118
PID 4412 wrote to memory of 4276	4412	csrss.exe	118
PID 4412 wrote to memory of 3740	4412	csrss.exe	120
PID 4412 wrote to memory of 3740	4412	csrss.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-21_7b47039f00f36085670862083e85add0_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4976
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:632
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4208
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3740
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ddyuyrb1.ufo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
03ad34b254bbc091a95162bbdb009923

SHA1
613b89f7575ae71ae0a3c4d01e0efea204944276

SHA256
12d7a6dddee45163a9b308bd4ceba81e37a863cfabcfa1132487dbb4e6eda750

SHA512
f90103b27d450a1f567dcd30fee74fe13c3f3eda5b764b97f82a7dc7cc30d506d06b021c2beb3b37e7d96cd1a003751e11537c35f82d3d4b9b48aa128a2c7c26

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
cd68f3522b4da76923440ce51718f947

SHA1
76b59df6924b61a93ed2c1bb44dfaa68ceefc4b2

SHA256
7d1043c845b638dc0b217b0c5c66653c9a3c8fc861f3e9574288393d8b0e3b7b

SHA512
b8a78805dc648574ed3bbd56c41fc85f6c5e3eeb745237584cefe64566bb771d0715440b051b4a6155c3f4126ca49adc0b075ad22041fc0fe9b7daa001fe11cd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
614347b9728c1ff9dc4b0ba885b5b8e4

SHA1
05530bcd5232f94462da4c78384748dbf74c7954

SHA256
c8dfcda5b96186c39ad6ef850b0d4b41c74d096c9125353ca57aba0d6c6205df

SHA512
b842954a469f0e5b6897871d1c0a823e1b5d430ebbcd56c63fd2c41a30e9ff0a571a2bf92dc254001741e7693571e6f551814d97a3f78a25244fb0cdbe12688c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2193d1c2eaf525a8b98b6c86b1c16f1d

SHA1
17d6154ee38744cc30aedd925edaacf9d0fbc8f9

SHA256
df2854eb265172ce36985e2b17dc8da8134b191f06b4e43f14eb8b71ab9000d9

SHA512
88d38c1866f34e12ae6cd73773d8a73f6b38ffaea0e0adef59fb8f62414f31d04e2dde4ca52b5ccdd5c513ff67709e65be8a5e9ef7a774d38c80a8f65be104a8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f19477b20954107597c3eeab3356c3a6

SHA1
7ec760940118b6d36595aa6f721685b6075b4ea1

SHA256
7dca92e3dc366b946fe58c5a297a774b87f828ca743b49fe12e9ab939970bc08

SHA512
2122f88a3a1be3842923908fbb145a043362281720ea34bacebfcccd1ef8ceb1e1e12fe968565a416cacbfb3e1389af27bde9aa2a52f1749e8592b09c187590d

Download Submit
C:\Windows\rss\csrss.exe

Filesize
9.1MB

MD5
7b47039f00f36085670862083e85add0

SHA1
ceae93e8e3cdf8e32158e362f54faaf4596c76d0

SHA256
7bae35b6fa35180dc42458a694ad1fc142b6d970bb4b927999b848aa83e7c9fe

SHA512
6257a31c1a5c92b9e141e5146537ffecdb90cc4a27d900a031073abe0a24b39b301556102dd551c83f36c8079536b0825842ea74ce285106b49bef3346e7a95a

Download Submit
memory/1324-19-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/1324-42-0x0000000007500000-0x0000000007596000-memory.dmp

Filesize
600KB

Download
memory/1324-17-0x0000000005700000-0x0000000005A54000-memory.dmp

Filesize
3.3MB

Download
memory/1324-20-0x0000000006270000-0x00000000062B4000-memory.dmp

Filesize
272KB

Download
memory/1324-21-0x0000000007040000-0x00000000070B6000-memory.dmp

Filesize
472KB

Download
memory/1324-23-0x00000000070E0000-0x00000000070FA000-memory.dmp

Filesize
104KB

Download
memory/1324-22-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/1324-37-0x00000000072E0000-0x00000000072FE000-memory.dmp

Filesize
120KB

Download
memory/1324-27-0x0000000070620000-0x0000000070974000-memory.dmp

Filesize
3.3MB

Download
memory/1324-26-0x00000000704A0000-0x00000000704EC000-memory.dmp

Filesize
304KB

Download
memory/1324-38-0x0000000007300000-0x00000000073A3000-memory.dmp

Filesize
652KB

Download
memory/1324-25-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-39-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-24-0x00000000072A0000-0x00000000072D2000-memory.dmp

Filesize
200KB

Download
memory/1324-40-0x00000000073F0000-0x00000000073FA000-memory.dmp

Filesize
40KB

Download
memory/1324-41-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-43-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-18-0x0000000005D30000-0x0000000005D4E000-memory.dmp

Filesize
120KB

Download
memory/1324-44-0x0000000007400000-0x0000000007411000-memory.dmp

Filesize
68KB

Download
memory/1324-45-0x0000000007440000-0x000000000744E000-memory.dmp

Filesize
56KB

Download
memory/1324-46-0x0000000007460000-0x0000000007474000-memory.dmp

Filesize
80KB

Download
memory/1324-48-0x00000000074A0000-0x00000000074A8000-memory.dmp

Filesize
32KB

Download
memory/1324-47-0x00000000074B0000-0x00000000074CA000-memory.dmp

Filesize
104KB

Download
memory/1324-51-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-12-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-0-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/1324-1-0x0000000002730000-0x0000000002766000-memory.dmp

Filesize
216KB

Download
memory/1324-3-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-6-0x0000000004E50000-0x0000000004EB6000-memory.dmp

Filesize
408KB

Download
memory/1324-2-0x0000000004EE0000-0x0000000005508000-memory.dmp

Filesize
6.2MB

Download
memory/1324-5-0x0000000004DE0000-0x0000000004E46000-memory.dmp

Filesize
408KB

Download
memory/1324-4-0x0000000004C30000-0x0000000004C52000-memory.dmp

Filesize
136KB

Download
memory/4276-184-0x00000000060B0000-0x0000000006404000-memory.dmp

Filesize
3.3MB

Download
memory/4276-195-0x0000000070420000-0x000000007046C000-memory.dmp

Filesize
304KB

Download
memory/4276-196-0x0000000070BB0000-0x0000000070F04000-memory.dmp

Filesize
3.3MB

Download
memory/4584-62-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/4584-76-0x00000000079B0000-0x00000000079C4000-memory.dmp

Filesize
80KB

Download
memory/4584-52-0x0000000005DA0000-0x00000000060F4000-memory.dmp

Filesize
3.3MB

Download
memory/4584-74-0x0000000007640000-0x00000000076E3000-memory.dmp

Filesize
652KB

Download
memory/4584-64-0x0000000070D30000-0x0000000071084000-memory.dmp

Filesize
3.3MB

Download
memory/4584-63-0x00000000705A0000-0x00000000705EC000-memory.dmp

Filesize
304KB

Download
memory/4584-75-0x0000000007960000-0x0000000007971000-memory.dmp

Filesize
68KB

Download
memory/4592-182-0x0000000005960000-0x0000000005974000-memory.dmp

Filesize
80KB

Download
memory/4592-181-0x0000000007100000-0x0000000007111000-memory.dmp

Filesize
68KB

Download
memory/4592-180-0x0000000006DF0000-0x0000000006E93000-memory.dmp

Filesize
652KB

Download
memory/4592-170-0x0000000071160000-0x00000000714B4000-memory.dmp

Filesize
3.3MB

Download
memory/4592-169-0x0000000070420000-0x000000007046C000-memory.dmp

Filesize
304KB

Download
memory/4592-168-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

Filesize
304KB

Download
memory/4592-162-0x00000000054B0000-0x0000000005804000-memory.dmp

Filesize
3.3MB

Download
memory/4856-89-0x0000000005950000-0x0000000005CA4000-memory.dmp

Filesize
3.3MB

Download
memory/4856-91-0x00000000705A0000-0x00000000705EC000-memory.dmp

Filesize
304KB

Download
memory/4856-92-0x0000000070720000-0x0000000070A74000-memory.dmp

Filesize
3.3MB

Download
memory/4976-155-0x0000000005E50000-0x0000000005E64000-memory.dmp

Filesize
80KB

Download
memory/4976-154-0x00000000075C0000-0x00000000075D1000-memory.dmp

Filesize
68KB

Download
memory/4976-153-0x00000000072C0000-0x0000000007363000-memory.dmp

Filesize
652KB

Download
memory/4976-143-0x00000000706A0000-0x00000000709F4000-memory.dmp

Filesize
3.3MB

Download
memory/4976-142-0x0000000070500000-0x000000007054C000-memory.dmp

Filesize
304KB

Download
memory/4976-141-0x00000000065D0000-0x000000000661C000-memory.dmp

Filesize
304KB

Download
memory/4976-139-0x0000000005A50000-0x0000000005DA4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-108-0x0000000005760000-0x0000000005AB4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-114-0x00000000705A0000-0x00000000705EC000-memory.dmp

Filesize
304KB

Download
memory/5112-115-0x0000000071320000-0x0000000071674000-memory.dmp

Filesize
3.3MB

Download