svcstealer | 5d810742b237cff382603e72f539db2e9da10200392cdae2814c69570b87e10d

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe
Size

8.2MB
MD5

0c346b920e9e8cb2aec79f266136a2c6
SHA1

d6d1647b92a99cb2ba4825ff9de3bc9565d2ad2a
SHA256

5d810742b237cff382603e72f539db2e9da10200392cdae2814c69570b87e10d
SHA512

58db68f5fd6662cd680d2c78110cc360500366b1f34416d5673e766337b3306356ecd0bd9e519632b09ad5f4269d6c859aa39c19bf2be87f6e568a6705c0c51a
SSDEEP

196608:AbGj0roFYs/IU8M9onJ5hrZER7QEzv5NFohQ9pavG3S:pjWwI3M9c5hlER8ENPoQ9peG3S

Score

10^/10

svcstealer discovery downloader persistence pyinstaller stealer

Malware Config

Extracted

Family

svcstealer

176.113.115.149

185.81.68.156

Signatures

Detects SvcStealer Payload 64 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
behavioral2/files/0x0009000000023713-7.dat	family_svcstealer
behavioral2/memory/3460-31-0x00000000030A0000-0x00000000031AB000-memory.dmp	family_svcstealer
behavioral2/memory/3460-38-0x00000000030A0000-0x00000000031AB000-memory.dmp	family_svcstealer
behavioral2/memory/3460-44-0x00000000082C0000-0x0000000008301000-memory.dmp	family_svcstealer
behavioral2/memory/3160-47-0x00007FF7479B0000-0x00007FF747AB5000-memory.dmp	family_svcstealer
behavioral2/memory/2904-63-0x00007FF73EAA0000-0x00007FF73EBA5000-memory.dmp	family_svcstealer
behavioral2/memory/3460-43-0x00000000030A0000-0x00000000031AB000-memory.dmp	family_svcstealer
behavioral2/memory/3460-35-0x00000000030A0000-0x00000000031AB000-memory.dmp	family_svcstealer
behavioral2/memory/3460-32-0x00000000031B0000-0x00000000031E3000-memory.dmp	family_svcstealer
behavioral2/memory/4848-130-0x00007FF7479B0000-0x00007FF747AB5000-memory.dmp	family_svcstealer
behavioral2/memory/3460-22-0x00000000030A0000-0x00000000031AB000-memory.dmp	family_svcstealer
behavioral2/memory/3460-21-0x00000000030A0000-0x00000000031AB000-memory.dmp	family_svcstealer
behavioral2/memory/3160-15-0x00007FF7479B0000-0x00007FF747AB5000-memory.dmp	family_svcstealer
behavioral2/memory/2140-147-0x00007FF722540000-0x00007FF722645000-memory.dmp	family_svcstealer
behavioral2/memory/2140-148-0x00007FF722540000-0x00007FF722645000-memory.dmp	family_svcstealer
behavioral2/memory/3460-151-0x00000000030A0000-0x00000000031AB000-memory.dmp	family_svcstealer
behavioral2/files/0x00100000000240fc-162.dat	family_svcstealer
behavioral2/memory/992-166-0x00007FF7BF180000-0x00007FF7BF285000-memory.dmp	family_svcstealer
behavioral2/memory/992-168-0x00007FF7BF180000-0x00007FF7BF285000-memory.dmp	family_svcstealer
behavioral2/memory/6100-167-0x00007FF7BF180000-0x00007FF7BF285000-memory.dmp	family_svcstealer
behavioral2/memory/3460-165-0x00000000030A0000-0x00000000031AB000-memory.dmp	family_svcstealer
behavioral2/memory/5368-177-0x00007FF6A2970000-0x00007FF6A2A75000-memory.dmp	family_svcstealer
behavioral2/memory/5368-178-0x00007FF6A2970000-0x00007FF6A2A75000-memory.dmp	family_svcstealer
behavioral2/memory/3508-185-0x00007FF771010000-0x00007FF771115000-memory.dmp	family_svcstealer
behavioral2/memory/3508-186-0x00007FF771010000-0x00007FF771115000-memory.dmp	family_svcstealer
behavioral2/memory/2604-193-0x00007FF73DB30000-0x00007FF73DC35000-memory.dmp	family_svcstealer
behavioral2/memory/2604-194-0x00007FF73DB30000-0x00007FF73DC35000-memory.dmp	family_svcstealer
behavioral2/memory/6000-201-0x00007FF6D19A0000-0x00007FF6D1AA5000-memory.dmp	family_svcstealer
behavioral2/memory/6000-202-0x00007FF6D19A0000-0x00007FF6D1AA5000-memory.dmp	family_svcstealer
behavioral2/memory/5992-209-0x00007FF760AC0000-0x00007FF760BC5000-memory.dmp	family_svcstealer
behavioral2/memory/5992-210-0x00007FF760AC0000-0x00007FF760BC5000-memory.dmp	family_svcstealer
behavioral2/memory/4824-217-0x00007FF651410000-0x00007FF651515000-memory.dmp	family_svcstealer
behavioral2/memory/4824-218-0x00007FF651410000-0x00007FF651515000-memory.dmp	family_svcstealer
behavioral2/memory/4672-226-0x00007FF7721C0000-0x00007FF7722C5000-memory.dmp	family_svcstealer
behavioral2/memory/4672-225-0x00007FF7721C0000-0x00007FF7722C5000-memory.dmp	family_svcstealer
behavioral2/memory/2332-233-0x00007FF639E80000-0x00007FF639F85000-memory.dmp	family_svcstealer
behavioral2/memory/2332-234-0x00007FF639E80000-0x00007FF639F85000-memory.dmp	family_svcstealer
behavioral2/memory/4460-241-0x00007FF60B930000-0x00007FF60BA35000-memory.dmp	family_svcstealer
behavioral2/memory/4460-242-0x00007FF60B930000-0x00007FF60BA35000-memory.dmp	family_svcstealer
behavioral2/memory/5228-250-0x00007FF757CD0000-0x00007FF757DD5000-memory.dmp	family_svcstealer
behavioral2/memory/5228-249-0x00007FF757CD0000-0x00007FF757DD5000-memory.dmp	family_svcstealer
behavioral2/memory/4840-257-0x00007FF71BEB0000-0x00007FF71BFB5000-memory.dmp	family_svcstealer
behavioral2/memory/4840-258-0x00007FF71BEB0000-0x00007FF71BFB5000-memory.dmp	family_svcstealer
behavioral2/memory/5080-265-0x00007FF6F7000000-0x00007FF6F7105000-memory.dmp	family_svcstealer
behavioral2/memory/5080-266-0x00007FF6F7000000-0x00007FF6F7105000-memory.dmp	family_svcstealer
behavioral2/memory/740-273-0x00007FF712620000-0x00007FF712725000-memory.dmp	family_svcstealer
behavioral2/memory/740-274-0x00007FF712620000-0x00007FF712725000-memory.dmp	family_svcstealer
behavioral2/memory/404-281-0x00007FF6A31F0000-0x00007FF6A32F5000-memory.dmp	family_svcstealer
behavioral2/memory/404-282-0x00007FF6A31F0000-0x00007FF6A32F5000-memory.dmp	family_svcstealer
behavioral2/memory/5188-290-0x00007FF700C60000-0x00007FF700D65000-memory.dmp	family_svcstealer
behavioral2/memory/5188-289-0x00007FF700C60000-0x00007FF700D65000-memory.dmp	family_svcstealer
behavioral2/memory/3876-297-0x00007FF7DFAF0000-0x00007FF7DFBF5000-memory.dmp	family_svcstealer
behavioral2/memory/5980-304-0x00007FF658700000-0x00007FF658805000-memory.dmp	family_svcstealer
behavioral2/memory/5980-305-0x00007FF658700000-0x00007FF658805000-memory.dmp	family_svcstealer
behavioral2/memory/5996-312-0x00007FF70BC10000-0x00007FF70BD15000-memory.dmp	family_svcstealer
behavioral2/memory/5996-313-0x00007FF70BC10000-0x00007FF70BD15000-memory.dmp	family_svcstealer
behavioral2/memory/5020-320-0x00007FF7D7ED0000-0x00007FF7D7FD5000-memory.dmp	family_svcstealer
behavioral2/memory/5020-321-0x00007FF7D7ED0000-0x00007FF7D7FD5000-memory.dmp	family_svcstealer
behavioral2/memory/4688-328-0x00007FF62D840000-0x00007FF62D945000-memory.dmp	family_svcstealer
behavioral2/memory/4688-329-0x00007FF62D840000-0x00007FF62D945000-memory.dmp	family_svcstealer
behavioral2/memory/5968-336-0x00007FF708B40000-0x00007FF708C45000-memory.dmp	family_svcstealer
behavioral2/memory/5968-337-0x00007FF708B40000-0x00007FF708C45000-memory.dmp	family_svcstealer
behavioral2/memory/1984-345-0x00007FF6545C0000-0x00007FF6546C5000-memory.dmp	family_svcstealer
behavioral2/memory/1984-344-0x00007FF6545C0000-0x00007FF6546C5000-memory.dmp	family_svcstealer

SvcStealer, Diamotrix
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
stealer downloader svcstealer
Svcstealer family
svcstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe

Executes dropped EXE 64 IoCs

pid	Process
3160	vcvfgdx.exe
2548	dfdered.exe
1956	gdfgert.exe
940	Launcher.exe
2904	ebfabcdcac.exe
1180	ebfabcdcac.exe
1652	gdfgert.exe
3700	winserv.exe
2736	Launcher.exe
4848	vcvfgdx.exe
2140	ebfabcdcac.exe
992	ebfabcdcac.exe
6100	ebfabcdcac.exe
5368	ebfabcdcac.exe
3508	ebfabcdcac.exe
2604	ebfabcdcac.exe
6000	ebfabcdcac.exe
5992	ebfabcdcac.exe
4824	ebfabcdcac.exe
4672	ebfabcdcac.exe
2332	ebfabcdcac.exe
4460	ebfabcdcac.exe
5228	ebfabcdcac.exe
4840	ebfabcdcac.exe
5080	ebfabcdcac.exe
740	ebfabcdcac.exe
404	ebfabcdcac.exe
5188	ebfabcdcac.exe
3876	ebfabcdcac.exe
5980	ebfabcdcac.exe
5996	ebfabcdcac.exe
5020	ebfabcdcac.exe
4688	ebfabcdcac.exe
5968	ebfabcdcac.exe
1984	ebfabcdcac.exe
5092	ebfabcdcac.exe
4908	ebfabcdcac.exe
5756	ebfabcdcac.exe
3584	ebfabcdcac.exe
1792	ebfabcdcac.exe
3240	ebfabcdcac.exe
1576	6FDD.tmp.exe
3940	ebfabcdcac.exe
2708	ebfabcdcac.exe
5368	ebfabcdcac.exe
5248	ebfabcdcac.exe
656	ebfabcdcac.exe
1976	ebfabcdcac.exe
1240	ebfabcdcac.exe
2904	ebfabcdcac.exe
4384	ebfabcdcac.exe
4616	ebfabcdcac.exe
4612	ebfabcdcac.exe
2596	ebfabcdcac.exe
5340	ebfabcdcac.exe
4840	ebfabcdcac.exe
2956	ebfabcdcac.exe
3152	ebfabcdcac.exe
1152	ebfabcdcac.exe
5564	ebfabcdcac.exe
1864	ebfabcdcac.exe
5000	ebfabcdcac.exe
5200	ebfabcdcac.exe
3136	ebfabcdcac.exe

Loads dropped DLL 5 IoCs

pid	Process
2736	Launcher.exe
2736	Launcher.exe
2736	Launcher.exe
2736	Launcher.exe
2736	Launcher.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebfabcdcac = "\"C:\\Users\\Admin\\AppData\\Roaming\\vcvfgdx.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebfabcdcac = "\"C:\\ProgramData\\ebfabcdcac.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemServices = "C:\\Users\\Admin\\AppData\\Roaming\\gdfgert.exe"	gdfgert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemServices = "C:\\Users\\Admin\\AppData\\Roaming\\Winserv\\winserv.exe"	gdfgert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebfabcdcac = "\"C:\\ProgramData\\ebfabcdcac.exe\""	vcvfgdx.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000700000002429f-51.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdfgert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdfgert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5B57.tmp.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3160	vcvfgdx.exe
3160	vcvfgdx.exe
3460	Explorer.EXE
3460	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3460	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3460	Explorer.EXE
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3160	4500	2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe	87
PID 4500 wrote to memory of 3160	4500	2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe	87
PID 4500 wrote to memory of 2548	4500	2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe	88
PID 4500 wrote to memory of 2548	4500	2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe	88
PID 3160 wrote to memory of 3460	3160	vcvfgdx.exe	56
PID 3460 wrote to memory of 1984	3460	Explorer.EXE	89
PID 3460 wrote to memory of 1984	3460	Explorer.EXE	89
PID 3460 wrote to memory of 5752	3460	Explorer.EXE	90
PID 3460 wrote to memory of 5752	3460	Explorer.EXE	90
PID 3460 wrote to memory of 5816	3460	Explorer.EXE	91
PID 3460 wrote to memory of 5816	3460	Explorer.EXE	91
PID 4500 wrote to memory of 1956	4500	2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe	92
PID 4500 wrote to memory of 1956	4500	2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe	92
PID 4500 wrote to memory of 1956	4500	2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe	92
PID 4500 wrote to memory of 940	4500	2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe	96
PID 4500 wrote to memory of 940	4500	2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe	96
PID 3460 wrote to memory of 5340	3460	Explorer.EXE	97
PID 3460 wrote to memory of 5340	3460	Explorer.EXE	97
PID 3460 wrote to memory of 5128	3460	Explorer.EXE	100
PID 3460 wrote to memory of 5128	3460	Explorer.EXE	100
PID 5816 wrote to memory of 2904	5816	cmd.exe	103
PID 5816 wrote to memory of 2904	5816	cmd.exe	103
PID 1984 wrote to memory of 1180	1984	cmd.exe	102
PID 1984 wrote to memory of 1180	1984	cmd.exe	102
PID 5340 wrote to memory of 1652	5340	cmd.exe	104
PID 5340 wrote to memory of 1652	5340	cmd.exe	104
PID 5340 wrote to memory of 1652	5340	cmd.exe	104
PID 5128 wrote to memory of 3700	5128	cmd.exe	105
PID 5128 wrote to memory of 3700	5128	cmd.exe	105
PID 5128 wrote to memory of 3700	5128	cmd.exe	105
PID 940 wrote to memory of 2736	940	Launcher.exe	106
PID 940 wrote to memory of 2736	940	Launcher.exe	106
PID 5752 wrote to memory of 4848	5752	cmd.exe	107
PID 5752 wrote to memory of 4848	5752	cmd.exe	107
PID 2736 wrote to memory of 3752	2736	Launcher.exe	108
PID 2736 wrote to memory of 3752	2736	Launcher.exe	108
PID 2736 wrote to memory of 556	2736	Launcher.exe	110
PID 2736 wrote to memory of 556	2736	Launcher.exe	110
PID 556 wrote to memory of 5756	556	cmd.exe	111
PID 556 wrote to memory of 5756	556	cmd.exe	111
PID 2736 wrote to memory of 2508	2736	Launcher.exe	112
PID 2736 wrote to memory of 2508	2736	Launcher.exe	112
PID 3460 wrote to memory of 2160	3460	Explorer.EXE	115
PID 3460 wrote to memory of 2160	3460	Explorer.EXE	115
PID 2160 wrote to memory of 2140	2160	cmd.exe	117
PID 2160 wrote to memory of 2140	2160	cmd.exe	117
PID 3460 wrote to memory of 3940	3460	Explorer.EXE	121
PID 3460 wrote to memory of 3940	3460	Explorer.EXE	121
PID 3460 wrote to memory of 2680	3460	Explorer.EXE	123
PID 3460 wrote to memory of 2680	3460	Explorer.EXE	123
PID 3940 wrote to memory of 992	3940	cmd.exe	125
PID 3940 wrote to memory of 992	3940	cmd.exe	125
PID 2680 wrote to memory of 6100	2680	cmd.exe	126
PID 2680 wrote to memory of 6100	2680	cmd.exe	126
PID 3460 wrote to memory of 3208	3460	Explorer.EXE	129
PID 3460 wrote to memory of 3208	3460	Explorer.EXE	129
PID 3208 wrote to memory of 5368	3208	cmd.exe	131
PID 3208 wrote to memory of 5368	3208	cmd.exe	131
PID 3460 wrote to memory of 5676	3460	Explorer.EXE	133
PID 3460 wrote to memory of 5676	3460	Explorer.EXE	133
PID 5676 wrote to memory of 3508	5676	cmd.exe	135
PID 5676 wrote to memory of 3508	5676	cmd.exe	135
PID 3460 wrote to memory of 3868	3460	Explorer.EXE	136
PID 3460 wrote to memory of 3868	3460	Explorer.EXE	136

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-31_0c346b920e9e8cb2aec79f266136a2c6_black-basta_cobalt-strike_rhadamanthys_satacom.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Users\Admin\AppData\Roaming\vcvfgdx.exe
    "C:\Users\Admin\AppData\Roaming\vcvfgdx.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3160
- - C:\Users\Admin\AppData\Roaming\dfdered.exe
    "C:\Users\Admin\AppData\Roaming\dfdered.exe"
    3⤵
    - Executes dropped EXE
    PID:2548
- - C:\Users\Admin\AppData\Roaming\gdfgert.exe
    "C:\Users\Admin\AppData\Roaming\gdfgert.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1956
- - C:\Users\Admin\AppData\Roaming\Launcher.exe
    "C:\Users\Admin\AppData\Roaming\Launcher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Roaming\Launcher.exe
      "C:\Users\Admin\AppData\Roaming\Launcher.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:3752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mode con cols=92 lines=52
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Windows\system32\mode.com
        
        mode con cols=92 lines=52
        6⤵
        
        PID:5756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ExodusSecret Miner || easy#7245
        5⤵
        
        PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\vcvfgdx.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5752
- - C:\Users\Admin\AppData\Roaming\vcvfgdx.exe
    C:\Users\Admin\AppData\Roaming\vcvfgdx.exe
    3⤵
    - Executes dropped EXE
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5816
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\gdfgert.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5340
- - C:\Users\Admin\AppData\Roaming\gdfgert.exe
    C:\Users\Admin\AppData\Roaming\gdfgert.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5128
- - C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
    C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:6100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5676
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3868
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1108
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:6000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3900
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4536
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4612
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3432
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4716
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4848
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:736
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:860
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2204
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2680
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5572
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2512
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4456
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2320
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5524
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4792
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4692
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3968
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3700
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5152
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:736
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5956
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4976
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1504
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3240
- C:\Users\Admin\AppData\Local\Temp\6FDD.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\6FDD.tmp.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3676
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5460
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:936
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3588
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5296
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2208
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5104
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:924
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5020
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4956
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4548
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4508
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3432
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2280
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5396
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4940
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4864
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4128
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5552
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5744
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1576
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5084
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5916
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4328
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3548
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2336
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4324
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5808
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:6000
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5428
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:6004
- C:\Users\Admin\AppData\Local\Temp\5B57.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\5B57.tmp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:512
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1180
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4708
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4720
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4452
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3396
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4908
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3036
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5560
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3560
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2428
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:6072
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1728
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1860
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ebfabcdcac.cfg

Filesize
18B

MD5
93bc7f3d9db36386d813bc6f756667e8

SHA1
e3bc027d364562422ba410ef60e8b919695b2646

SHA256
cbc4935c0b7ba7ef2c68848a3d77039da3839631ce10104e9845e0049ad925ed

SHA512
6c1ea21c3fcd062881231d351cf3b1f0748bf88729e3f66b54d0fe096c70a631aa1bc9d26b974c3976d0cc71c1e1cac4bb8a526771929f68f77460b75b745883

Download Submit
C:\ProgramData\ebfabcdcac.exe

Filesize
1021KB

MD5
942e285920589ef847f851c6b6bf5f19

SHA1
2e71b51c07d0b5b9c4fbfef187565c77af8164d8

SHA256
32146febb4fdc0f80c8460696c5063d3dcbf1af3989f599b31cba52680cf2aff

SHA512
c4623e113eaa98dcf8a487ebff515f88251892c4d1ffd35959d77811c1e6a959015e3a73dcacae83fadcb1ba1eb86951b4e32fabef05584b18db2fc3705bc8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.tmp.exe

Filesize
253KB

MD5
5381a870d74ee49586aa9632e93c232b

SHA1
f2ee6d461102d3353077d3d6f08bbda2b8dfb1ed

SHA256
e90f2a5eae99811b65dc284734e0e295708d89bfef9a003b3ab2f8bc42e1fa9c

SHA512
c611262eb7badc08486a6416dd470f14d09c5c86c04076a472d32da52bf2cc21344dd4130f85a83cb25556383528ce57ac94ad0de36cef6a67f1bdb9e87a65a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9402\VCRUNTIME140.dll

Filesize
99KB

MD5
18571d6663b7d9ac95f2821c203e471f

SHA1
3c186018df04e875d6b9f83521028a21f145e3be

SHA256
0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f

SHA512
c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9402\_ctypes.pyd

Filesize
122KB

MD5
e0d998692181bec54514a2a401a0e524

SHA1
dfb1e90819a8ee91dece39825cce1454d8d7a617

SHA256
ff842a40a8793b2789b4a4aabc67fdfbe9f50e85709499cd014f728a0d68d0bf

SHA512
cadf5b58afce39230205812be44b4dea12a8582a9974b51520b4ea2f5635082bd5d944433cdea46c84e9a4700577b36cb792cf712a9b64dde9c8be66f212baaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9402\base_library.zip

Filesize
1006KB

MD5
c72798f7f5174bcd6bbfb597042805af

SHA1
a10482ec0d77daef84326c26aeb3fe838a5b273d

SHA256
829cdd4b2ba0766ee710d35cb051302ebd7b128600f69b238690084e6c50a459

SHA512
d4b63ea626c2cb12de420b7cd1527257f181895414940f345f8b76924f0222c2e26ba36e0c097842bd9f5b9d61daafff6f74eadd697d0e24c580ed33f17c553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9402\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9402\python39.dll

Filesize
4.3MB

MD5
e109740cbfae4dd7078e0f27a67309eb

SHA1
fae7eb891c78168e3afb3793eb2f86a9293eb789

SHA256
9904ecd7f7b5dfe4661e81c8c4dde4a634dbd899e34f7cbdc0f618ba95b44733

SHA512
aa4c0eb42c1f7028adfb8a6ad0f2dec4cc51c960f4861876602f69690fc4cbf2c99402727e54c84429bf11fd47b31804ca5c2b07876fd5c6a6aafbdaf819cfbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9402\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Roaming\Launcher.exe

Filesize
6.3MB

MD5
a548c4494880923d0dec9a331678a696

SHA1
8b2b615fe14be5a46407ff865e2080783e0f2f16

SHA256
e1762ea0e8d5688928793f1a74a31761471547b7fb107fe6ca848414bc0f0a24

SHA512
848d9c41d5346ab2fa351cb531efaf06a1d11c453d979b1c818e27c40b05cd18f50a59553865c3319402f36961e794c63ebf5f8eaaf1066109f5cf28efa0b648

Download Submit
C:\Users\Admin\AppData\Roaming\dfdered.exe

Filesize
253KB

MD5
04f0e96686f922863b7ef2e9f1711ef3

SHA1
c3f04bcf4b755883d513431fa46fc35319168380

SHA256
61b0f2da503e7355d189a1873ece11e8ca5dfa6a2d951949cb6661ebc492fad6

SHA512
247cd0e03f29673628da1bdf7d68ee65a6431b322798215e473676e364f82f7b568301ff434fb415b72ebf6122aa1e712ef854d399adcc3516649bdcdc9da811

Download Submit
C:\Users\Admin\AppData\Roaming\gdfgert.exe

Filesize
177KB

MD5
7e9ed3c50c8e0e120388b446c8c084cd

SHA1
deadd8a9e166eef5646a2d8a487923235730c20c

SHA256
4c9ea189732fe7852418d913983ac63adbf61fc4d6bace1502a6439c9c485bb3

SHA512
e01c9ae4129df111f37a4745089d8d3de974479a7aae69236215bcd711dafa59881386c0d9c0839795706767dac3fdeb9115859ee94196ef308ea45065c41487

Download Submit
C:\Users\Admin\AppData\Roaming\vcvfgdx.exe

Filesize
1021KB

MD5
3170af4764a5d6f80a9b183efdc37f7d

SHA1
aad6de818d47a0bd85bbfa18322ddc82d6a4ff4c

SHA256
b33b65687466e7bd6df8281e086f79e2c515e2a9ccd862a2ac706ad8515439ca

SHA512
12d577a8f5c5bc2c55885968fd17c4445ae8407d5a4110677d425e343bd895326f81b179043da25ee4bcdd643e2122998e3a83c3570e218058f19519aa3d085a

Download Submit
memory/404-282-0x00007FF6A31F0000-0x00007FF6A32F5000-memory.dmp

Filesize
1.0MB

Download
memory/404-281-0x00007FF6A31F0000-0x00007FF6A32F5000-memory.dmp

Filesize
1.0MB

Download
memory/656-449-0x00007FF77D780000-0x00007FF77D885000-memory.dmp

Filesize
1.0MB

Download
memory/656-448-0x00007FF77D780000-0x00007FF77D885000-memory.dmp

Filesize
1.0MB

Download
memory/740-273-0x00007FF712620000-0x00007FF712725000-memory.dmp

Filesize
1.0MB

Download
memory/740-274-0x00007FF712620000-0x00007FF712725000-memory.dmp

Filesize
1.0MB

Download
memory/992-166-0x00007FF7BF180000-0x00007FF7BF285000-memory.dmp

Filesize
1.0MB

Download
memory/992-168-0x00007FF7BF180000-0x00007FF7BF285000-memory.dmp

Filesize
1.0MB

Download
memory/1240-462-0x00007FF673200000-0x00007FF673305000-memory.dmp

Filesize
1.0MB

Download
memory/1240-463-0x00007FF673200000-0x00007FF673305000-memory.dmp

Filesize
1.0MB

Download
memory/1792-384-0x00007FF6DBCB0000-0x00007FF6DBDB5000-memory.dmp

Filesize
1.0MB

Download
memory/1792-385-0x00007FF6DBCB0000-0x00007FF6DBDB5000-memory.dmp

Filesize
1.0MB

Download
memory/1976-455-0x00007FF6C72A0000-0x00007FF6C73A5000-memory.dmp

Filesize
1.0MB

Download
memory/1976-456-0x00007FF6C72A0000-0x00007FF6C73A5000-memory.dmp

Filesize
1.0MB

Download
memory/1984-344-0x00007FF6545C0000-0x00007FF6546C5000-memory.dmp

Filesize
1.0MB

Download
memory/1984-345-0x00007FF6545C0000-0x00007FF6546C5000-memory.dmp

Filesize
1.0MB

Download
memory/2140-148-0x00007FF722540000-0x00007FF722645000-memory.dmp

Filesize
1.0MB

Download
memory/2140-147-0x00007FF722540000-0x00007FF722645000-memory.dmp

Filesize
1.0MB

Download
memory/2332-234-0x00007FF639E80000-0x00007FF639F85000-memory.dmp

Filesize
1.0MB

Download
memory/2332-233-0x00007FF639E80000-0x00007FF639F85000-memory.dmp

Filesize
1.0MB

Download
memory/2596-497-0x00007FF7687B0000-0x00007FF7688B5000-memory.dmp

Filesize
1.0MB

Download
memory/2596-498-0x00007FF7687B0000-0x00007FF7688B5000-memory.dmp

Filesize
1.0MB

Download
memory/2604-194-0x00007FF73DB30000-0x00007FF73DC35000-memory.dmp

Filesize
1.0MB

Download
memory/2604-193-0x00007FF73DB30000-0x00007FF73DC35000-memory.dmp

Filesize
1.0MB

Download
memory/2708-425-0x00007FF644BA0000-0x00007FF644CA5000-memory.dmp

Filesize
1.0MB

Download
memory/2708-426-0x00007FF644BA0000-0x00007FF644CA5000-memory.dmp

Filesize
1.0MB

Download
memory/2904-63-0x00007FF73EAA0000-0x00007FF73EBA5000-memory.dmp

Filesize
1.0MB

Download
memory/2904-470-0x00007FF614A40000-0x00007FF614B45000-memory.dmp

Filesize
1.0MB

Download
memory/2904-469-0x00007FF614A40000-0x00007FF614B45000-memory.dmp

Filesize
1.0MB

Download
memory/3160-47-0x00007FF7479B0000-0x00007FF747AB5000-memory.dmp

Filesize
1.0MB

Download
memory/3160-15-0x00007FF7479B0000-0x00007FF747AB5000-memory.dmp

Filesize
1.0MB

Download
memory/3240-393-0x00007FF7368C0000-0x00007FF7369C5000-memory.dmp

Filesize
1.0MB

Download
memory/3240-392-0x00007FF7368C0000-0x00007FF7369C5000-memory.dmp

Filesize
1.0MB

Download
memory/3460-44-0x00000000082C0000-0x0000000008301000-memory.dmp

Filesize
260KB

Download
memory/3460-31-0x00000000030A0000-0x00000000031AB000-memory.dmp

Filesize
1.0MB

Download
memory/3460-151-0x00000000030A0000-0x00000000031AB000-memory.dmp

Filesize
1.0MB

Download
memory/3460-35-0x00000000030A0000-0x00000000031AB000-memory.dmp

Filesize
1.0MB

Download
memory/3460-34-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3460-21-0x00000000030A0000-0x00000000031AB000-memory.dmp

Filesize
1.0MB

Download
memory/3460-165-0x00000000030A0000-0x00000000031AB000-memory.dmp

Filesize
1.0MB

Download
memory/3460-145-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/3460-56-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/3460-22-0x00000000030A0000-0x00000000031AB000-memory.dmp

Filesize
1.0MB

Download
memory/3460-32-0x00000000031B0000-0x00000000031E3000-memory.dmp

Filesize
204KB

Download
memory/3460-43-0x00000000030A0000-0x00000000031AB000-memory.dmp

Filesize
1.0MB

Download
memory/3460-38-0x00000000030A0000-0x00000000031AB000-memory.dmp

Filesize
1.0MB

Download
memory/3460-37-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/3460-57-0x00007FFDA4730000-0x00007FFDA4731000-memory.dmp

Filesize
4KB

Download
memory/3460-60-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3460-30-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3508-185-0x00007FF771010000-0x00007FF771115000-memory.dmp

Filesize
1.0MB

Download
memory/3508-186-0x00007FF771010000-0x00007FF771115000-memory.dmp

Filesize
1.0MB

Download
memory/3584-376-0x00007FF72C5D0000-0x00007FF72C6D5000-memory.dmp

Filesize
1.0MB

Download
memory/3584-377-0x00007FF72C5D0000-0x00007FF72C6D5000-memory.dmp

Filesize
1.0MB

Download
memory/3876-297-0x00007FF7DFAF0000-0x00007FF7DFBF5000-memory.dmp

Filesize
1.0MB

Download
memory/3940-418-0x00007FF737260000-0x00007FF737365000-memory.dmp

Filesize
1.0MB

Download
memory/3940-417-0x00007FF737260000-0x00007FF737365000-memory.dmp

Filesize
1.0MB

Download
memory/4384-476-0x00007FF7EDB20000-0x00007FF7EDC25000-memory.dmp

Filesize
1.0MB

Download
memory/4384-477-0x00007FF7EDB20000-0x00007FF7EDC25000-memory.dmp

Filesize
1.0MB

Download
memory/4460-242-0x00007FF60B930000-0x00007FF60BA35000-memory.dmp

Filesize
1.0MB

Download
memory/4460-241-0x00007FF60B930000-0x00007FF60BA35000-memory.dmp

Filesize
1.0MB

Download
memory/4612-490-0x00007FF7607F0000-0x00007FF7608F5000-memory.dmp

Filesize
1.0MB

Download
memory/4612-491-0x00007FF7607F0000-0x00007FF7608F5000-memory.dmp

Filesize
1.0MB

Download
memory/4616-483-0x00007FF687780000-0x00007FF687885000-memory.dmp

Filesize
1.0MB

Download
memory/4616-484-0x00007FF687780000-0x00007FF687885000-memory.dmp

Filesize
1.0MB

Download
memory/4672-225-0x00007FF7721C0000-0x00007FF7722C5000-memory.dmp

Filesize
1.0MB

Download
memory/4672-226-0x00007FF7721C0000-0x00007FF7722C5000-memory.dmp

Filesize
1.0MB

Download
memory/4688-329-0x00007FF62D840000-0x00007FF62D945000-memory.dmp

Filesize
1.0MB

Download
memory/4688-328-0x00007FF62D840000-0x00007FF62D945000-memory.dmp

Filesize
1.0MB

Download
memory/4824-217-0x00007FF651410000-0x00007FF651515000-memory.dmp

Filesize
1.0MB

Download
memory/4824-218-0x00007FF651410000-0x00007FF651515000-memory.dmp

Filesize
1.0MB

Download
memory/4840-257-0x00007FF71BEB0000-0x00007FF71BFB5000-memory.dmp

Filesize
1.0MB

Download
memory/4840-512-0x00007FF7EC740000-0x00007FF7EC845000-memory.dmp

Filesize
1.0MB

Download
memory/4840-511-0x00007FF7EC740000-0x00007FF7EC845000-memory.dmp

Filesize
1.0MB

Download
memory/4840-258-0x00007FF71BEB0000-0x00007FF71BFB5000-memory.dmp

Filesize
1.0MB

Download
memory/4848-130-0x00007FF7479B0000-0x00007FF747AB5000-memory.dmp

Filesize
1.0MB

Download
memory/4908-360-0x00007FF728810000-0x00007FF728915000-memory.dmp

Filesize
1.0MB

Download
memory/4908-361-0x00007FF728810000-0x00007FF728915000-memory.dmp

Filesize
1.0MB

Download
memory/5020-320-0x00007FF7D7ED0000-0x00007FF7D7FD5000-memory.dmp

Filesize
1.0MB

Download
memory/5020-321-0x00007FF7D7ED0000-0x00007FF7D7FD5000-memory.dmp

Filesize
1.0MB

Download
memory/5080-265-0x00007FF6F7000000-0x00007FF6F7105000-memory.dmp

Filesize
1.0MB

Download
memory/5080-266-0x00007FF6F7000000-0x00007FF6F7105000-memory.dmp

Filesize
1.0MB

Download
memory/5092-353-0x00007FF6E18F0000-0x00007FF6E19F5000-memory.dmp

Filesize
1.0MB

Download
memory/5092-352-0x00007FF6E18F0000-0x00007FF6E19F5000-memory.dmp

Filesize
1.0MB

Download
memory/5188-289-0x00007FF700C60000-0x00007FF700D65000-memory.dmp

Filesize
1.0MB

Download
memory/5188-290-0x00007FF700C60000-0x00007FF700D65000-memory.dmp

Filesize
1.0MB

Download
memory/5228-250-0x00007FF757CD0000-0x00007FF757DD5000-memory.dmp

Filesize
1.0MB

Download
memory/5228-249-0x00007FF757CD0000-0x00007FF757DD5000-memory.dmp

Filesize
1.0MB

Download
memory/5248-442-0x00007FF6F8D40000-0x00007FF6F8E45000-memory.dmp

Filesize
1.0MB

Download
memory/5248-441-0x00007FF6F8D40000-0x00007FF6F8E45000-memory.dmp

Filesize
1.0MB

Download
memory/5340-504-0x00007FF7BDFF0000-0x00007FF7BE0F5000-memory.dmp

Filesize
1.0MB

Download
memory/5340-505-0x00007FF7BDFF0000-0x00007FF7BE0F5000-memory.dmp

Filesize
1.0MB

Download
memory/5368-434-0x00007FF674020000-0x00007FF674125000-memory.dmp

Filesize
1.0MB

Download
memory/5368-433-0x00007FF674020000-0x00007FF674125000-memory.dmp

Filesize
1.0MB

Download
memory/5368-177-0x00007FF6A2970000-0x00007FF6A2A75000-memory.dmp

Filesize
1.0MB

Download
memory/5368-178-0x00007FF6A2970000-0x00007FF6A2A75000-memory.dmp

Filesize
1.0MB

Download
memory/5756-369-0x00007FF76BEA0000-0x00007FF76BFA5000-memory.dmp

Filesize
1.0MB

Download
memory/5756-368-0x00007FF76BEA0000-0x00007FF76BFA5000-memory.dmp

Filesize
1.0MB

Download
memory/5968-336-0x00007FF708B40000-0x00007FF708C45000-memory.dmp

Filesize
1.0MB

Download
memory/5968-337-0x00007FF708B40000-0x00007FF708C45000-memory.dmp

Filesize
1.0MB

Download
memory/5980-304-0x00007FF658700000-0x00007FF658805000-memory.dmp

Filesize
1.0MB

Download
memory/5980-305-0x00007FF658700000-0x00007FF658805000-memory.dmp

Filesize
1.0MB

Download
memory/5992-209-0x00007FF760AC0000-0x00007FF760BC5000-memory.dmp

Filesize
1.0MB

Download
memory/5992-210-0x00007FF760AC0000-0x00007FF760BC5000-memory.dmp

Filesize
1.0MB

Download
memory/5996-312-0x00007FF70BC10000-0x00007FF70BD15000-memory.dmp

Filesize
1.0MB

Download
memory/5996-313-0x00007FF70BC10000-0x00007FF70BD15000-memory.dmp

Filesize
1.0MB

Download
memory/6000-201-0x00007FF6D19A0000-0x00007FF6D1AA5000-memory.dmp

Filesize
1.0MB

Download
memory/6000-202-0x00007FF6D19A0000-0x00007FF6D1AA5000-memory.dmp

Filesize
1.0MB

Download
memory/6100-167-0x00007FF7BF180000-0x00007FF7BF285000-memory.dmp

Filesize
1.0MB

Download