glupteba | aacafa4db9a782ec4a36ad05fd36d7860460a0808f8c99711468cf295a2ed768

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2025, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Size

9.1MB
MD5

d8619186a38fc417025e032d2106997c
SHA1

e655177f6952b366078d4f35fd521ac3c114bdd6
SHA256

aacafa4db9a782ec4a36ad05fd36d7860460a0808f8c99711468cf295a2ed768
SHA512

d60a3459e4d7875ef904e2a24948ab32eb201d77a4386bf24e21993226b7998b7f0c72a18f86d39753471361c8e43966b27b7a2388a1d796b254dc1819dc0a93
SSDEEP

98304:GHxMZDJ1TRpxYVX9u2IazANfAhZytTD5iqkv:sxEvYjVzANIhwN2

Score

10^/10

glupteba defense_evasion discovery dropper execution loader persistence privilege_escalation rootkit

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Glupteba family
glupteba

Glupteba payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000242d5-127.dat	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5500	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	csrss.exe
4832	injector.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit defense_evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
File created	C:\Windows\rss\csrss.exe	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2752	powershell.exe
3068	powershell.exe
5804	powershell.exe
5196	powershell.exe
2732	powershell.exe
3368	powershell.exe
620	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2824	schtasks.exe
5096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	powershell.exe
3068	powershell.exe
6088	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
6088	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
5804	powershell.exe
5804	powershell.exe
2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
5196	powershell.exe
5196	powershell.exe
2732	powershell.exe
2732	powershell.exe
3368	powershell.exe
3368	powershell.exe
620	powershell.exe
620	powershell.exe
2752	powershell.exe
2752	powershell.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
2992	csrss.exe
2992	csrss.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
2992	csrss.exe
2992	csrss.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe
4832	injector.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	6088	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Token: SeImpersonatePrivilege	6088	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Token: SeDebugPrivilege	5804	powershell.exe
Token: SeDebugPrivilege	5196	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeSystemEnvironmentPrivilege	2992	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 6088 wrote to memory of 3068	6088	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	90
PID 6088 wrote to memory of 3068	6088	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	90
PID 6088 wrote to memory of 3068	6088	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	90
PID 2232 wrote to memory of 5804	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	97
PID 2232 wrote to memory of 5804	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	97
PID 2232 wrote to memory of 5804	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	97
PID 2232 wrote to memory of 4692	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	100
PID 2232 wrote to memory of 4692	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	100
PID 4692 wrote to memory of 5500	4692	cmd.exe	102
PID 4692 wrote to memory of 5500	4692	cmd.exe	102
PID 2232 wrote to memory of 5196	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	104
PID 2232 wrote to memory of 5196	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	104
PID 2232 wrote to memory of 5196	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	104
PID 2232 wrote to memory of 2732	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	106
PID 2232 wrote to memory of 2732	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	106
PID 2232 wrote to memory of 2732	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	106
PID 2232 wrote to memory of 2992	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	109
PID 2232 wrote to memory of 2992	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	109
PID 2232 wrote to memory of 2992	2232	2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	109
PID 2992 wrote to memory of 3368	2992	csrss.exe	110
PID 2992 wrote to memory of 3368	2992	csrss.exe	110
PID 2992 wrote to memory of 3368	2992	csrss.exe	110
PID 2992 wrote to memory of 620	2992	csrss.exe	115
PID 2992 wrote to memory of 620	2992	csrss.exe	115
PID 2992 wrote to memory of 620	2992	csrss.exe	115
PID 2992 wrote to memory of 2752	2992	csrss.exe	118
PID 2992 wrote to memory of 2752	2992	csrss.exe	118
PID 2992 wrote to memory of 2752	2992	csrss.exe	118
PID 2992 wrote to memory of 4832	2992	csrss.exe	120
PID 2992 wrote to memory of 4832	2992	csrss.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-24_d8619186a38fc417025e032d2106997c_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5804
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3368
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2824
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:620
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4832
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rqej5iax.g0t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
88f2955f1f8f2a4f8b516b7afd4aeefd

SHA1
20145a7e0b6b32671c52847f5da0158284ac292a

SHA256
f7226fa361976677055dd49eab7a0a676003e3c844afb22eb17c12dd8b97574a

SHA512
65c79968765f372dedac2f96d169404d75e89982effb980a96a31911ba4b02d6ff1ae30dc8575e0bf87e74c4809e706fbd587cb309ea17c4ee177c703992a8ec

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
dbe611c51311278120f3f5cad317afa5

SHA1
afc748ca442a6d9b6a8a539d76ea3ae387d77667

SHA256
f27042f455689c11ca5eb4daf8ede8cdc7b53950e3833dbb39749babb331acbd

SHA512
37e17ba6ff776be0caeed157ceb963af8bf0ebb8bb52248d4fe147e004236598b6fdd0b329dd33d47df98b29de43a690eef9524978bee81e9b3284f46b065c4f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
39ec7041c0fb606b3541bcb7457995d1

SHA1
32d09eaa2a11477aaf5a892ed9149f0bfb66fba2

SHA256
6c8d5ea4f6ab3512a6d8fcba495570587a4a2c3a677abc25e7f2c3fae49d6000

SHA512
95810ff197ad8ded0bcb0b17057e7100506a419c9b7e780e57fc166cd1775be9eaed6e2d38c47c4bcaa49039a1deb042cd1ffc50fa699ba039ed827617a74d8b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
a8cbe859b794a4cb0c8b6179eb663073

SHA1
7591cc5fef657a4e680115bb0b2e2dd39e6d8432

SHA256
8e5d6abf997cf55dcdbce60de3b59596c0e229f89f2175d9589c9360a5e616d2

SHA512
a4a697ab4b5e6f22b6a9bb6d6c2afdfaf2249629cd8a32f2dc5b30c45e717a30b63c0b9411539552e6a71dd3b2932818da2ca8a8b94b5940eda5b2fdd3f421c0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9400ad60eb716e6297c1c940030e8bc1

SHA1
4a41b0cbfcd4c7176649d9f353cac970aa983fdc

SHA256
035d399b5a1eb7988be282fb4eb532df3b2e04a471204d5e0d246607a783ed21

SHA512
620a5c7fa1aeafbabde43558c46ae34f5cdbf1712c4a67792ae983d1fdac1079b50ebebfaee355976165817f09aab89af9e0c6869025a2cc3532a68e4251b4f6

Download Submit
C:\Windows\rss\csrss.exe

Filesize
9.1MB

MD5
d8619186a38fc417025e032d2106997c

SHA1
e655177f6952b366078d4f35fd521ac3c114bdd6

SHA256
aacafa4db9a782ec4a36ad05fd36d7860460a0808f8c99711468cf295a2ed768

SHA512
d60a3459e4d7875ef904e2a24948ab32eb201d77a4386bf24e21993226b7998b7f0c72a18f86d39753471361c8e43966b27b7a2388a1d796b254dc1819dc0a93

Download Submit
memory/620-179-0x0000000007140000-0x00000000071E3000-memory.dmp

Filesize
652KB

Download
memory/620-168-0x00000000707E0000-0x000000007082C000-memory.dmp

Filesize
304KB

Download
memory/620-167-0x0000000005F40000-0x0000000005F8C000-memory.dmp

Filesize
304KB

Download
memory/620-169-0x0000000070F70000-0x00000000712C4000-memory.dmp

Filesize
3.3MB

Download
memory/620-165-0x0000000005820000-0x0000000005B74000-memory.dmp

Filesize
3.3MB

Download
memory/620-180-0x0000000007460000-0x0000000007471000-memory.dmp

Filesize
68KB

Download
memory/620-181-0x0000000005CC0000-0x0000000005CD4000-memory.dmp

Filesize
80KB

Download
memory/2732-111-0x0000000005440000-0x0000000005794000-memory.dmp

Filesize
3.3MB

Download
memory/2732-113-0x0000000070960000-0x00000000709AC000-memory.dmp

Filesize
304KB

Download
memory/2732-114-0x0000000071100000-0x0000000071454000-memory.dmp

Filesize
3.3MB

Download
memory/2752-193-0x00000000707E0000-0x000000007082C000-memory.dmp

Filesize
304KB

Download
memory/2752-194-0x0000000070F70000-0x00000000712C4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-21-0x0000000007140000-0x00000000071B6000-memory.dmp

Filesize
472KB

Download
memory/3068-25-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/3068-40-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3068-41-0x00000000074E0000-0x00000000074EA000-memory.dmp

Filesize
40KB

Download
memory/3068-42-0x00000000075F0000-0x0000000007686000-memory.dmp

Filesize
600KB

Download
memory/3068-43-0x00000000074F0000-0x0000000007501000-memory.dmp

Filesize
68KB

Download
memory/3068-44-0x0000000007530000-0x000000000753E000-memory.dmp

Filesize
56KB

Download
memory/3068-45-0x0000000007550000-0x0000000007564000-memory.dmp

Filesize
80KB

Download
memory/3068-46-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/3068-47-0x0000000007580000-0x0000000007588000-memory.dmp

Filesize
32KB

Download
memory/3068-50-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3068-38-0x00000000073F0000-0x0000000007493000-memory.dmp

Filesize
652KB

Download
memory/3068-39-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3068-37-0x00000000073D0000-0x00000000073EE000-memory.dmp

Filesize
120KB

Download
memory/3068-24-0x0000000007390000-0x00000000073C2000-memory.dmp

Filesize
200KB

Download
memory/3068-27-0x0000000070FA0000-0x00000000712F4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-26-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3068-23-0x00000000071E0000-0x00000000071FA000-memory.dmp

Filesize
104KB

Download
memory/3068-22-0x0000000007840000-0x0000000007EBA000-memory.dmp

Filesize
6.5MB

Download
memory/3068-20-0x00000000063C0000-0x0000000006404000-memory.dmp

Filesize
272KB

Download
memory/3068-19-0x0000000005E50000-0x0000000005E9C000-memory.dmp

Filesize
304KB

Download
memory/3068-18-0x0000000005E20000-0x0000000005E3E000-memory.dmp

Filesize
120KB

Download
memory/3068-17-0x00000000057B0000-0x0000000005B04000-memory.dmp

Filesize
3.3MB

Download
memory/3068-7-0x0000000004F50000-0x0000000004FB6000-memory.dmp

Filesize
408KB

Download
memory/3068-6-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/3068-4-0x0000000004E30000-0x0000000004E52000-memory.dmp

Filesize
136KB

Download
memory/3068-5-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3068-2-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3068-3-0x0000000005080000-0x00000000056A8000-memory.dmp

Filesize
6.2MB

Download
memory/3068-1-0x0000000002850000-0x0000000002886000-memory.dmp

Filesize
216KB

Download
memory/3068-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/3368-140-0x0000000006BE0000-0x0000000006C2C000-memory.dmp

Filesize
304KB

Download
memory/3368-142-0x0000000071080000-0x00000000713D4000-memory.dmp

Filesize
3.3MB

Download
memory/3368-152-0x0000000007B40000-0x0000000007BE3000-memory.dmp

Filesize
652KB

Download
memory/3368-153-0x0000000007E90000-0x0000000007EA1000-memory.dmp

Filesize
68KB

Download
memory/3368-154-0x00000000066D0000-0x00000000066E4000-memory.dmp

Filesize
80KB

Download
memory/3368-141-0x00000000708C0000-0x000000007090C000-memory.dmp

Filesize
304KB

Download
memory/3368-138-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download
memory/5196-91-0x00000000710A0000-0x00000000713F4000-memory.dmp

Filesize
3.3MB

Download
memory/5196-90-0x0000000070960000-0x00000000709AC000-memory.dmp

Filesize
304KB

Download
memory/5196-88-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/5804-75-0x0000000006FB0000-0x0000000006FC4000-memory.dmp

Filesize
80KB

Download
memory/5804-74-0x0000000006F60000-0x0000000006F71000-memory.dmp

Filesize
68KB

Download
memory/5804-73-0x0000000006C60000-0x0000000006D03000-memory.dmp

Filesize
652KB

Download
memory/5804-63-0x0000000071120000-0x0000000071474000-memory.dmp

Filesize
3.3MB

Download
memory/5804-62-0x0000000070960000-0x00000000709AC000-memory.dmp

Filesize
304KB

Download
memory/5804-61-0x0000000005A90000-0x0000000005ADC000-memory.dmp

Filesize
304KB

Download
memory/5804-60-0x0000000005350000-0x00000000056A4000-memory.dmp

Filesize
3.3MB

Download