svcstealer | b97db6af674f67d377c78906e262c2b3cb8b8c80c9edbb585c3ed8c81387d90e

Analysis

max time kernel
73s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe
Size

10.8MB
MD5

bb4bfab94400b5d96f99fe242c63d5cd
SHA1

1835f0f12c6cc142611f367d723a45cb7aa805d9
SHA256

b97db6af674f67d377c78906e262c2b3cb8b8c80c9edbb585c3ed8c81387d90e
SHA512

1e9c8470e48b2add8cb44c6b41b5f68ed6bf9e190a34b6bbc00a6eb32eabbb571882113aec85fcc65a168dc28b3ca9c080d6a5d1de6685b6fe7c089a552023d8
SSDEEP

196608:VvZnQHQZg0HiouWJysVYvsOaoyMxxvjDDAx0al2dxwMFnVpdVpqmN:HngCHi9WJdoyMxtDDAxBI7VhsU

Score

10^/10

svcstealer discovery downloader persistence pyinstaller spyware stealer

Malware Config

Extracted

Family

svcstealer

Version

3.1

185.81.68.156

176.113.115.149

Attributes

url_paths
/svcstealer/get.php

Extracted

Family

svcstealer

176.113.115.149

185.81.68.156

http://176.113.115.149/bin/bot64.bin

Extracted

Family

svcstealer

Version

3.0

185.81.68.147

185.81.68.148

185.81.68.156

176.113.115.149

Attributes

url_paths
/svcstealer/get.php

Signatures

Detects SvcStealer Payload 64 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
behavioral1/files/0x00070000000229db-9.dat	family_svcstealer
behavioral1/files/0x000700000002426f-17.dat	family_svcstealer
behavioral1/memory/3448-37-0x0000000002670000-0x0000000002715000-memory.dmp	family_svcstealer
behavioral1/files/0x0007000000024271-49.dat	family_svcstealer
behavioral1/memory/2056-181-0x00007FF7B1E60000-0x00007FF7B1EFF000-memory.dmp	family_svcstealer
behavioral1/memory/6012-183-0x00007FF63F500000-0x00007FF63F59F000-memory.dmp	family_svcstealer
behavioral1/memory/3448-218-0x0000000008CF0000-0x0000000008D43000-memory.dmp	family_svcstealer
behavioral1/memory/2764-229-0x00007FF7118C0000-0x00007FF7118CA000-memory.dmp	family_svcstealer
behavioral1/files/0x00080000000242ab-236.dat	family_svcstealer
behavioral1/memory/4460-239-0x00007FF797B30000-0x00007FF797BCF000-memory.dmp	family_svcstealer
behavioral1/memory/4460-240-0x00007FF797B30000-0x00007FF797BCF000-memory.dmp	family_svcstealer
behavioral1/memory/3448-257-0x0000000002930000-0x0000000002983000-memory.dmp	family_svcstealer
behavioral1/memory/2764-258-0x00007FF7118C0000-0x00007FF7118CA000-memory.dmp	family_svcstealer
behavioral1/memory/3448-264-0x0000000009E50000-0x0000000009EA3000-memory.dmp	family_svcstealer
behavioral1/memory/2764-230-0x00007FF7118C0000-0x00007FF7118CA000-memory.dmp	family_svcstealer
behavioral1/memory/2764-223-0x00007FF7118C0000-0x00007FF7118CA000-memory.dmp	family_svcstealer
behavioral1/memory/3448-280-0x000000000A540000-0x000000000A593000-memory.dmp	family_svcstealer
behavioral1/memory/3448-206-0x0000000008BA0000-0x0000000008BE4000-memory.dmp	family_svcstealer
behavioral1/memory/3448-283-0x000000000A9E0000-0x000000000AA33000-memory.dmp	family_svcstealer
behavioral1/memory/4860-311-0x00007FF7C8580000-0x00007FF7C861F000-memory.dmp	family_svcstealer
behavioral1/memory/4860-310-0x00007FF7C8580000-0x00007FF7C861F000-memory.dmp	family_svcstealer
behavioral1/memory/4768-335-0x00007FF729480000-0x00007FF72951F000-memory.dmp	family_svcstealer
behavioral1/memory/4768-334-0x00007FF729480000-0x00007FF72951F000-memory.dmp	family_svcstealer
behavioral1/files/0x00070000000242d8-131.dat	family_svcstealer
behavioral1/files/0x00070000000242d3-115.dat	family_svcstealer
behavioral1/files/0x00070000000242d1-112.dat	family_svcstealer
behavioral1/memory/3448-27-0x0000000002670000-0x0000000002715000-memory.dmp	family_svcstealer
behavioral1/memory/3448-25-0x0000000002670000-0x0000000002715000-memory.dmp	family_svcstealer
behavioral1/memory/3448-20-0x0000000002670000-0x0000000002715000-memory.dmp	family_svcstealer
behavioral1/memory/2040-34-0x00007FF63F500000-0x00007FF63F59F000-memory.dmp	family_svcstealer
behavioral1/memory/3448-28-0x0000000002670000-0x0000000002715000-memory.dmp	family_svcstealer
behavioral1/memory/3448-21-0x0000000002670000-0x0000000002715000-memory.dmp	family_svcstealer
behavioral1/memory/4960-346-0x00007FF76DB20000-0x00007FF76DBBF000-memory.dmp	family_svcstealer
behavioral1/memory/4960-345-0x00007FF76DB20000-0x00007FF76DBBF000-memory.dmp	family_svcstealer
behavioral1/memory/756-368-0x00007FF7D0150000-0x00007FF7D01EF000-memory.dmp	family_svcstealer
behavioral1/memory/756-367-0x00007FF7D0150000-0x00007FF7D01EF000-memory.dmp	family_svcstealer
behavioral1/memory/2248-392-0x00007FF78C550000-0x00007FF78C5EF000-memory.dmp	family_svcstealer
behavioral1/memory/2248-391-0x00007FF78C550000-0x00007FF78C5EF000-memory.dmp	family_svcstealer
behavioral1/memory/3680-456-0x00007FF638830000-0x00007FF6388CF000-memory.dmp	family_svcstealer
behavioral1/memory/3680-455-0x00007FF638830000-0x00007FF6388CF000-memory.dmp	family_svcstealer
behavioral1/memory/548-479-0x00007FF724620000-0x00007FF7246BF000-memory.dmp	family_svcstealer
behavioral1/memory/548-478-0x00007FF724620000-0x00007FF7246BF000-memory.dmp	family_svcstealer
behavioral1/memory/4832-501-0x00007FF605DC0000-0x00007FF605E5F000-memory.dmp	family_svcstealer
behavioral1/memory/4832-500-0x00007FF605DC0000-0x00007FF605E5F000-memory.dmp	family_svcstealer
behavioral1/memory/764-523-0x00007FF7BEF90000-0x00007FF7BF02F000-memory.dmp	family_svcstealer
behavioral1/memory/764-524-0x00007FF7BEF90000-0x00007FF7BF02F000-memory.dmp	family_svcstealer
behavioral1/memory/3052-541-0x00007FF7EFF50000-0x00007FF7EFFEF000-memory.dmp	family_svcstealer
behavioral1/memory/3052-542-0x00007FF7EFF50000-0x00007FF7EFFEF000-memory.dmp	family_svcstealer
behavioral1/memory/100-552-0x00007FF6B77C0000-0x00007FF6B785F000-memory.dmp	family_svcstealer
behavioral1/memory/100-553-0x00007FF6B77C0000-0x00007FF6B785F000-memory.dmp	family_svcstealer
behavioral1/memory/5528-575-0x00007FF780110000-0x00007FF7801AF000-memory.dmp	family_svcstealer
behavioral1/memory/5528-574-0x00007FF780110000-0x00007FF7801AF000-memory.dmp	family_svcstealer
behavioral1/memory/3488-592-0x00007FF6D95B0000-0x00007FF6D964F000-memory.dmp	family_svcstealer
behavioral1/memory/3488-591-0x00007FF6D95B0000-0x00007FF6D964F000-memory.dmp	family_svcstealer
behavioral1/memory/4536-620-0x00007FF6FAFE0000-0x00007FF6FB07F000-memory.dmp	family_svcstealer
behavioral1/memory/4536-619-0x00007FF6FAFE0000-0x00007FF6FB07F000-memory.dmp	family_svcstealer
behavioral1/memory/3476-631-0x00007FF6A6B20000-0x00007FF6A6BBF000-memory.dmp	family_svcstealer
behavioral1/memory/3476-630-0x00007FF6A6B20000-0x00007FF6A6BBF000-memory.dmp	family_svcstealer
behavioral1/memory/5388-654-0x00007FF7A4640000-0x00007FF7A46DF000-memory.dmp	family_svcstealer
behavioral1/memory/5388-653-0x00007FF7A4640000-0x00007FF7A46DF000-memory.dmp	family_svcstealer
behavioral1/memory/2872-677-0x00007FF62BDF0000-0x00007FF62BE8F000-memory.dmp	family_svcstealer
behavioral1/memory/2872-676-0x00007FF62BDF0000-0x00007FF62BE8F000-memory.dmp	family_svcstealer
behavioral1/memory/4724-694-0x00007FF640EE0000-0x00007FF640F7F000-memory.dmp	family_svcstealer
behavioral1/memory/4724-692-0x00007FF640EE0000-0x00007FF640F7F000-memory.dmp	family_svcstealer

SvcStealer, Diamotrix
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
stealer downloader svcstealer
Svcstealer family
svcstealer

Blocklisted process makes network request 41 IoCs

flow	pid	Process
5	4892	syssxavvpcp.exe
9	1592	Process not Found
11	5248	fdfdfdfdfdfeee.exe
12	2764	msiexec.exe
24	6060	msiexec.exe
25	1592	Process not Found
33	932	msiexec.exe
277	4104	F4D2EECB61274217651120.exe
279	3044	msiexec.exe
282	5064	msiexec.exe
286	3628	F4D2EECB61274217651120.exe
40	1736	msiexec.exe
44	4736	msiexec.exe
296	452	msiexec.exe
48	2152	msiexec.exe
51	2972	msiexec.exe
53	2936	msiexec.exe
55	5800	F4D2EECB61274217651120.exe
57	2876	msiexec.exe
59	2764	msiexec.exe
66	5884	msiexec.exe
71	5504	F4D2EECB61274217651120.exe
75	4892	msiexec.exe
79	2564	msiexec.exe
320	4856	msiexec.exe
96	4620	msiexec.exe
98	2764	msiexec.exe
100	5364	msiexec.exe
104	1928	msiexec.exe
106	4356	msiexec.exe
109	4324	msiexec.exe
111	1856	msiexec.exe
114	2764	msiexec.exe
339	4696	msiexec.exe
344	5244	msiexec.exe
123	4340	F4D2EECB61274217651120.exe
124	3412	msiexec.exe
126	4400	F4D2EECB61274217651120.exe
127	3408	msiexec.exe
130	2764	msiexec.exe
134	6096	msiexec.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
11	5248	fdfdfdfdfdfeee.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	fdfdfdfdfdfeee.exe

Executes dropped EXE 64 IoCs

pid	Process
5248	fdfdfdfdfdfeee.exe
2040	bvbvbvbvbvbccc.exe
1648	trtrtrtrtrtrteee.exe
4616	LauncherApp.exe
4892	syssxavvpcp.exe
4604	sysxxcchceck.exe
5860	syxxbsxtccx.exe
4628	ComboEeFlauncher.exe
5780	trtrtrtrtrtrteee.exe
4516	sysxchceck.exe
4592	sysxapcpteam.exe
2824	syxstccx.exe
4772	Launcher.exe
2056	dfbfceebc.exe
6012	bvbvbvbvbvbccc.exe
5804	dfbfceebc.exe
3876	winsvc.exe
544	syxxbsxtccx.exe
1560	F4D2EECB61274217651120.exe
4460	dfbfceebc.exe
5196	F4D2EECB61274217651120.exe
4792	temp_20814.exe
4860	dfbfceebc.exe
4736	temp_20817.exe
4104	F4D2EECB61274217651120.exe
4768	dfbfceebc.exe
1840	F4D2EECB61274217651120.exe
4960	dfbfceebc.exe
756	dfbfceebc.exe
3628	F4D2EECB61274217651120.exe
2248	dfbfceebc.exe
1044	temp_20817.exe
3624	temp_20817.exe
4792	F4D2EECB61274217651120.exe
3680	dfbfceebc.exe
4644	F4D2EECB61274217651120.exe
548	dfbfceebc.exe
4832	dfbfceebc.exe
2348	F4D2EECB61274217651120.exe
764	dfbfceebc.exe
2352	F4D2EECB61274217651120.exe
3052	dfbfceebc.exe
4088	F4D2EECB61274217651120.exe
100	dfbfceebc.exe
5528	dfbfceebc.exe
5800	F4D2EECB61274217651120.exe
3488	dfbfceebc.exe
4632	F4D2EECB61274217651120.exe
4536	dfbfceebc.exe
3476	dfbfceebc.exe
5504	F4D2EECB61274217651120.exe
5388	dfbfceebc.exe
5480	F4D2EECB61274217651120.exe
2872	dfbfceebc.exe
4568	F4D2EECB61274217651120.exe
4724	dfbfceebc.exe
3564	dfbfceebc.exe
3672	F4D2EECB61274217651120.exe
3460	dfbfceebc.exe
1508	F4D2EECB61274217651120.exe
6016	dfbfceebc.exe
5916	F4D2EECB61274217651120.exe
2784	dfbfceebc.exe
4568	dfbfceebc.exe

Loads dropped DLL 10 IoCs

pid	Process
5780	trtrtrtrtrtrteee.exe
5780	trtrtrtrtrtrteee.exe
5780	trtrtrtrtrtrteee.exe
5780	trtrtrtrtrtrteee.exe
5780	trtrtrtrtrtrteee.exe
3624	temp_20817.exe
3624	temp_20817.exe
3624	temp_20817.exe
3624	temp_20817.exe
3624	temp_20817.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfbfceebc = "\"C:\\ProgramData\\dfbfceebc.exe\""	bvbvbvbvbvbccc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfbfceebc = "\"C:\\ProgramData\\bvbvbvbvbvbccc.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfbfceebc = "\"C:\\ProgramData\\dfbfceebc.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\Users\\Admin\\AppData\\Roaming\\syxxbsxtccx.exe"	syxxbsxtccx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\ProgramData\\Winsrv\\winsvc.exe"	syxxbsxtccx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\F4D2EECB61274217651120\\F4D2EECB61274217651120.exe"	syssxavvpcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\F4D2EECB61274217651120\\F4D2EECB61274217651120.exe"	msiexec.exe

Suspicious use of SetThreadContext 28 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 2764	4892	syssxavvpcp.exe	115
PID 1560 set thread context of 6060	1560	F4D2EECB61274217651120.exe	128
PID 5196 set thread context of 932	5196	F4D2EECB61274217651120.exe	133
PID 4104 set thread context of 3044	4104	F4D2EECB61274217651120.exe	143
PID 1840 set thread context of 5064	1840	F4D2EECB61274217651120.exe	154
PID 3628 set thread context of 1736	3628	F4D2EECB61274217651120.exe	163
PID 4792 set thread context of 4736	4792	F4D2EECB61274217651120.exe	175
PID 4644 set thread context of 452	4644	F4D2EECB61274217651120.exe	182
PID 2348 set thread context of 2152	2348	F4D2EECB61274217651120.exe	189
PID 2352 set thread context of 2972	2352	F4D2EECB61274217651120.exe	196
PID 4088 set thread context of 2936	4088	F4D2EECB61274217651120.exe	206
PID 5800 set thread context of 2876	5800	F4D2EECB61274217651120.exe	213
PID 4632 set thread context of 5884	4632	F4D2EECB61274217651120.exe	221
PID 5504 set thread context of 4892	5504	F4D2EECB61274217651120.exe	231
PID 5480 set thread context of 2564	5480	F4D2EECB61274217651120.exe	239
PID 4568 set thread context of 4856	4568	F4D2EECB61274217651120.exe	251
PID 3672 set thread context of 4620	3672	F4D2EECB61274217651120.exe	263
PID 1508 set thread context of 5364	1508	F4D2EECB61274217651120.exe	270
PID 5916 set thread context of 1928	5916	F4D2EECB61274217651120.exe	280
PID 4640 set thread context of 4356	4640	F4D2EECB61274217651120.exe	287
PID 4536 set thread context of 4324	4536	F4D2EECB61274217651120.exe	369
PID 4984 set thread context of 1856	4984	F4D2EECB61274217651120.exe	304
PID 4252 set thread context of 6032	4252	F4D2EECB61274217651120.exe	387
PID 2012 set thread context of 4696	2012	F4D2EECB61274217651120.exe	318
PID 4604 set thread context of 5244	4604	F4D2EECB61274217651120.exe	328
PID 4340 set thread context of 3412	4340	F4D2EECB61274217651120.exe	335
PID 4400 set thread context of 3408	4400	F4D2EECB61274217651120.exe	344
PID 4088 set thread context of 6096	4088	F4D2EECB61274217651120.exe	352

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000024270-36.dat	pyinstaller
behavioral1/files/0x000c000000024051-398.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syxstccx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syxxbsxtccx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp_20814.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syxxbsxtccx.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
2040	bvbvbvbvbvbccc.exe
5248	fdfdfdfdfdfeee.exe
2040	bvbvbvbvbvbccc.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
4892	syssxavvpcp.exe
4892	syssxavvpcp.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
2764	msiexec.exe
1560	F4D2EECB61274217651120.exe
1560	F4D2EECB61274217651120.exe
6060	msiexec.exe
6060	msiexec.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe
5248	fdfdfdfdfdfeee.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3448	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4892	syssxavvpcp.exe
Token: SeSecurityPrivilege	4892	syssxavvpcp.exe
Token: SeTakeOwnershipPrivilege	4892	syssxavvpcp.exe
Token: SeLoadDriverPrivilege	4892	syssxavvpcp.exe
Token: SeSystemProfilePrivilege	4892	syssxavvpcp.exe
Token: SeSystemtimePrivilege	4892	syssxavvpcp.exe
Token: SeProfSingleProcessPrivilege	4892	syssxavvpcp.exe
Token: SeIncBasePriorityPrivilege	4892	syssxavvpcp.exe
Token: SeCreatePagefilePrivilege	4892	syssxavvpcp.exe
Token: SeBackupPrivilege	4892	syssxavvpcp.exe
Token: SeRestorePrivilege	4892	syssxavvpcp.exe
Token: SeShutdownPrivilege	4892	syssxavvpcp.exe
Token: SeDebugPrivilege	4892	syssxavvpcp.exe
Token: SeSystemEnvironmentPrivilege	4892	syssxavvpcp.exe
Token: SeRemoteShutdownPrivilege	4892	syssxavvpcp.exe
Token: SeUndockPrivilege	4892	syssxavvpcp.exe
Token: SeManageVolumePrivilege	4892	syssxavvpcp.exe
Token: 33	4892	syssxavvpcp.exe
Token: 34	4892	syssxavvpcp.exe
Token: 35	4892	syssxavvpcp.exe
Token: 36	4892	syssxavvpcp.exe
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2764	msiexec.exe
Token: SeSecurityPrivilege	2764	msiexec.exe
Token: SeTakeOwnershipPrivilege	2764	msiexec.exe
Token: SeLoadDriverPrivilege	2764	msiexec.exe
Token: SeSystemProfilePrivilege	2764	msiexec.exe
Token: SeSystemtimePrivilege	2764	msiexec.exe
Token: SeProfSingleProcessPrivilege	2764	msiexec.exe
Token: SeIncBasePriorityPrivilege	2764	msiexec.exe
Token: SeCreatePagefilePrivilege	2764	msiexec.exe
Token: SeBackupPrivilege	2764	msiexec.exe
Token: SeRestorePrivilege	2764	msiexec.exe
Token: SeShutdownPrivilege	2764	msiexec.exe
Token: SeDebugPrivilege	2764	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2764	msiexec.exe
Token: SeRemoteShutdownPrivilege	2764	msiexec.exe
Token: SeUndockPrivilege	2764	msiexec.exe
Token: SeManageVolumePrivilege	2764	msiexec.exe
Token: 33	2764	msiexec.exe
Token: 34	2764	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 5248	1924	2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe	274
PID 1924 wrote to memory of 5248	1924	2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe	274
PID 1924 wrote to memory of 2040	1924	2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe	443
PID 1924 wrote to memory of 2040	1924	2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe	443
PID 2040 wrote to memory of 3448	2040	bvbvbvbvbvbccc.exe	56
PID 3448 wrote to memory of 3232	3448	Explorer.EXE	308
PID 3448 wrote to memory of 3232	3448	Explorer.EXE	308
PID 3448 wrote to memory of 2816	3448	Explorer.EXE	89
PID 3448 wrote to memory of 2816	3448	Explorer.EXE	89
PID 3448 wrote to memory of 1544	3448	Explorer.EXE	90
PID 3448 wrote to memory of 1544	3448	Explorer.EXE	90
PID 1924 wrote to memory of 1648	1924	2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe	297
PID 1924 wrote to memory of 1648	1924	2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe	297
PID 1924 wrote to memory of 4616	1924	2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe	95
PID 1924 wrote to memory of 4616	1924	2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe	95
PID 4616 wrote to memory of 4892	4616	LauncherApp.exe	231
PID 4616 wrote to memory of 4892	4616	LauncherApp.exe	231
PID 4616 wrote to memory of 4604	4616	LauncherApp.exe	324
PID 4616 wrote to memory of 4604	4616	LauncherApp.exe	324
PID 4616 wrote to memory of 5860	4616	LauncherApp.exe	98
PID 4616 wrote to memory of 5860	4616	LauncherApp.exe	98
PID 4616 wrote to memory of 5860	4616	LauncherApp.exe	98
PID 4616 wrote to memory of 4628	4616	LauncherApp.exe	359
PID 4616 wrote to memory of 4628	4616	LauncherApp.exe	359
PID 1648 wrote to memory of 5780	1648	trtrtrtrtrtrteee.exe	101
PID 1648 wrote to memory of 5780	1648	trtrtrtrtrtrteee.exe	101
PID 4628 wrote to memory of 4516	4628	ComboEeFlauncher.exe	100
PID 4628 wrote to memory of 4516	4628	ComboEeFlauncher.exe	100
PID 4628 wrote to memory of 4592	4628	ComboEeFlauncher.exe	102
PID 4628 wrote to memory of 4592	4628	ComboEeFlauncher.exe	102
PID 4628 wrote to memory of 2824	4628	ComboEeFlauncher.exe	103
PID 4628 wrote to memory of 2824	4628	ComboEeFlauncher.exe	103
PID 4628 wrote to memory of 2824	4628	ComboEeFlauncher.exe	103
PID 4628 wrote to memory of 4772	4628	ComboEeFlauncher.exe	104
PID 4628 wrote to memory of 4772	4628	ComboEeFlauncher.exe	104
PID 4628 wrote to memory of 4772	4628	ComboEeFlauncher.exe	104
PID 3448 wrote to memory of 2840	3448	Explorer.EXE	528
PID 3448 wrote to memory of 2840	3448	Explorer.EXE	528
PID 3448 wrote to memory of 3724	3448	Explorer.EXE	108
PID 3448 wrote to memory of 3724	3448	Explorer.EXE	108
PID 1544 wrote to memory of 2056	1544	cmd.exe	111
PID 1544 wrote to memory of 2056	1544	cmd.exe	111
PID 2816 wrote to memory of 6012	2816	cmd.exe	112
PID 3232 wrote to memory of 5804	3232	cmd.exe	113
PID 3232 wrote to memory of 5804	3232	cmd.exe	113
PID 2816 wrote to memory of 6012	2816	cmd.exe	112
PID 4892 wrote to memory of 3448	4892	syssxavvpcp.exe	56
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 4892 wrote to memory of 2764	4892	syssxavvpcp.exe	115
PID 3448 wrote to memory of 3436	3448	Explorer.EXE	450
PID 3448 wrote to memory of 3436	3448	Explorer.EXE	450
PID 3724 wrote to memory of 3876	3724	cmd.exe	233
PID 3724 wrote to memory of 3876	3724	cmd.exe	233
PID 3724 wrote to memory of 3876	3724	cmd.exe	233
PID 2840 wrote to memory of 544	2840	cmd.exe	119

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-31_bb4bfab94400b5d96f99fe242c63d5cd_black-basta_cobalt-strike_rhadamanthys_satacom.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\ProgramData\fdfdfdfdfdfeee.exe
    "C:\ProgramData\fdfdfdfdfdfeee.exe"
    3⤵
    - Blocklisted process makes network request
    - Downloads MZ/PE file
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\temp_20814.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_20814.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\temp_20817.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_20817.exe"
      4⤵
      Executes dropped EXE
      PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\temp_20817.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_20817.exe"
      4⤵
      Executes dropped EXE
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\temp_20817.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_20817.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3624
- - C:\ProgramData\bvbvbvbvbvbccc.exe
    "C:\ProgramData\bvbvbvbvbvbccc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2040
- - C:\ProgramData\trtrtrtrtrtrteee.exe
    "C:\ProgramData\trtrtrtrtrtrteee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\ProgramData\trtrtrtrtrtrteee.exe
      "C:\ProgramData\trtrtrtrtrtrteee.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5780
- - C:\Users\Admin\AppData\Local\Temp\LauncherApp.exe
    "C:\Users\Admin\AppData\Local\Temp\LauncherApp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Users\Admin\AppData\Roaming\syssxavvpcp.exe
      "C:\Users\Admin\AppData\Roaming\syssxavvpcp.exe"
      4⤵
      Blocklisted process makes network request
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\system32\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe"
        5⤵
        Blocklisted process makes network request
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
  - - C:\Users\Admin\AppData\Roaming\sysxxcchceck.exe
      "C:\Users\Admin\AppData\Roaming\sysxxcchceck.exe"
      4⤵
      Executes dropped EXE
      PID:4604
  - - C:\Users\Admin\AppData\Roaming\syxxbsxtccx.exe
      "C:\Users\Admin\AppData\Roaming\syxxbsxtccx.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5860
  - - C:\Users\Admin\AppData\Local\Temp\ComboEeFlauncher.exe
      "ComboEeFlauncher.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Users\Admin\AppData\Roaming\sysxchceck.exe
        
        "C:\Users\Admin\AppData\Roaming\sysxchceck.exe"
        5⤵
        Executes dropped EXE
        
        PID:4516
    - - C:\Users\Admin\AppData\Roaming\sysxapcpteam.exe
        
        "C:\Users\Admin\AppData\Roaming\sysxapcpteam.exe"
        5⤵
        Executes dropped EXE
        
        PID:4592
    - - C:\Users\Admin\AppData\Roaming\syxstccx.exe
        
        "C:\Users\Admin\AppData\Roaming\syxstccx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\Launcher.exe
        
        "Launcher.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\68BC.tmp\68BD.tmp\68BE.bat C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
        6⤵
        
        PID:5292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\bvbvbvbvbvbccc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\ProgramData\bvbvbvbvbvbccc.exe
    C:\ProgramData\bvbvbvbvbvbccc.exe
    3⤵
    - Executes dropped EXE
    PID:6012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\syxxbsxtccx.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Roaming\syxxbsxtccx.exe
    C:\Users\Admin\AppData\Roaming\syxxbsxtccx.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\Winsrv\winsvc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\ProgramData\Winsrv\winsvc.exe
    C:\ProgramData\Winsrv\winsvc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:3436
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:1560
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:6060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1048
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:2732
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5196
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3680
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5432
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Blocklisted process makes network request
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4104
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3036
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5340
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1840
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1480
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4360
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:3632
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Blocklisted process makes network request
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3628
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1516
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:3284
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4792
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4720
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:404
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4644
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2924
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5380
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:1012
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2348
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3184
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5284
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2352
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3904
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5272
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4088
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2340
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2788
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5000
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Blocklisted process makes network request
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5800
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4640
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4860
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:1972
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4632
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4932
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5072
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4756
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Blocklisted process makes network request
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5504
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3876
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4844
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4360
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5480
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2012
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:1044
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4568
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4628
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4992
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3672
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:404
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:3184
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1508
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:5364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3628
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:6016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5248
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5916
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:364
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4916
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5800
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:4640
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:4356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4028
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4104
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:4536
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5380
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:624
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:4984
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2648
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4212
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:3232
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:4252
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:6032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5148
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:1136
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:2012
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4692
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4228
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:4604
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:5244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2112
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4768
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    PID:4340
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4784
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2348
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4964
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    PID:4400
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4804
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:2532
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:4088
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Blocklisted process makes network request
      PID:6096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1772
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5844
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:512
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:4628
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:3816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5924
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5276
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:3640
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5372
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2844
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4840
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:2608
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4400
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:2744
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:4644
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3868
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:6032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:3296
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:2412
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1068
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:828
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5740
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:3816
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1884
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4708
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:2916
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:3976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3600
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4080
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5284
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:2608
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:5720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4840
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5388
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3064
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:1492
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:6052
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4724
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:1552
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:6092
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3624
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4332
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:3616
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:5604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5464
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2040
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4056
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:4908
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:3940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3436
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:1952
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:2508
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4496
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:3912
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:4384
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1948
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4912
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5728
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:6088
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4800
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5504
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:4540
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5032
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2924
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5368
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:3984
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:1976
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5108
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5588
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:364
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:5272
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1592
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:6092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5180
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:948
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1644
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:868
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:392
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:2356
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:5260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5352
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:1248
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:4768
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1824
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4828
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1516
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:5784
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2840
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1972
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2532
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:3444
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:5580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4668
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4692
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:624
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5604
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:5924
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4632
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:3672
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:4340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2816
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1612
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:3608
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:3792
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:5500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2384
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:376
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:5968
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:5196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3864
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4684
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:4964
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:4692
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2508
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:6012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5232
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
  2⤵
  PID:2844
- - C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe
    3⤵
    PID:3432

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bvbvbvbvbvbccc.exe

Filesize
615KB

MD5
8d69a1215e6253e21648aeb3df501d3d

SHA1
17c2a3ed3fdbcdb3ccfabcf40ed40b0294790849

SHA256
d1c4b620bddea17608512439f5d182f76318b6c85486af6d588c41bed14e27ab

SHA512
eed8f96dbbaa5c56d0e1f39fc0fa9d1a71136c2ac10c87a88be7f9884d6bce52975cb2731eb6a90ce374ae0050975ec74e7e114a3f7b44dab41e8f9c13159abd

Download Submit
C:\ProgramData\fdfdfdfdfdfeee.exe

Filesize
1.2MB

MD5
1639bd7a1ca79ca231b0328601283638

SHA1
49c9304e08fef4417ce00e1e9488694d57a2af58

SHA256
c60a67219adc05e3ca87964af5a3012cbf7bd515f27e78418f48fb09b730d9be

SHA512
8f4e74a40ea64505f8f1e36ca9ecbc3ab1d5d779cf4d8b5027a471a8ac98c970e0cda209d2c6321b8003ccdcace81fc671f0a05b75dabc4806b9486c643973cb

Download Submit
C:\ProgramData\trtrtrtrtrtrteee.exe

Filesize
5.6MB

MD5
27a2b49582305cba865aa3df6fb1d1cb

SHA1
4f20c25ef27026b793993c423ab70580a89ecb0e

SHA256
83fc66ef3b1f81e9eb9fedf13781face99f2aaf0359798bfa5dcc39965493dfd

SHA512
e0913e7e8c83a1f91dce3c85b88bc5d89bfe783999edeedb6fb88670479f0c851b963a2992fdcc1551c367017093ea9134e3b61e050bee1f77aaaf97ade2eacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ComboEeFlauncher.exe

Filesize
1.7MB

MD5
4f43922d15dfeada357e79ecc70f9b6f

SHA1
1baa25c151101834f864147f8b227da3cae661b6

SHA256
49791f07d26fbb35d82ce073efe2694792bd922ea30b38d4ea49f6acfd628080

SHA512
7e5d06adb3aaf46d4342875a145aeba63b7607bd967ff167b6bab9b8b2e7706d4c8485f9902442dae42d45814e70498f69068b3f8c4b9c4de80ae5f98b2bc4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Launcher.exe

Filesize
157KB

MD5
af9d02427a5b19b7d026c698afc6185c

SHA1
7a344387e317f5db32a712820f0fdb9e22244337

SHA256
fbffdc8089d72b7eea5186ec422a4ba52e5ea76bcd42130125fd85ccf7ffa460

SHA512
bdb8de76fb427f7453dac4d1280532509f4367ff5a58995effea969c7e19d57c3223798229dd762bcba8296139339bdfa9cbbf853eb6874db37ee925b4075549

Download Submit
C:\Users\Admin\AppData\Local\Temp\LauncherApp.exe

Filesize
3.2MB

MD5
62ba2396feea7a7dd8b57ce158a1530d

SHA1
dcacb96ac106445077c1bf908bd33af499801061

SHA256
c48737436e8431feb75ec1ed44c9483f2655535ae7db812903c246c1ca2eb731

SHA512
12d18d6f3a4532d3e0638a0ae72b4744c066a6e94807ea8dd05f30fddc993b7ee7d3a0df461e37b8f1c586ce3ce32e9890906a08f8fb11066115286c1990e218

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-console-l1-1-0.dll

Filesize
19KB

MD5
b56d69079d2001c1b2af272774b53a64

SHA1
67ede1c5a71412b11847f79f5a684eabaf00de01

SHA256
f3a41d882544202b2e1bdf3d955458be11fc7f76ba12668388a681870636f143

SHA512
7eb8fe111dd2e1f7e308b622461eb311c2b9fc4ef44c76e1def6c524eb7281d5522af12211f1f91f651f2b678592d2997fe4cd15724f700deaff314a1737b3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
5af784f599437629deea9fe4e8eb4799

SHA1
3c891b920fd2703edd6881117ea035ced5a619f6

SHA256
7e5bd3ee263d09c7998e0d5ffa684906ddc56da61536331c89c74b039df00c7c

SHA512
4df58513cf52511c0d2037cdc674115d8ed5a0ed4360eb6383cc6a798a7037f3f7f2d587797223ed7797ccd476f1c503b3c16e095843f43e6b87d55ad4822d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
e1ca15cf0597c6743b3876af23a96960

SHA1
301231f7250431bd122b12ed34a8d4e8bb379457

SHA256
990e46d8f7c9574a558ebdfcb8739fbccba59d0d3a2193c9c8e66807387a276d

SHA512
7c9dacd882a0650bf2f553e9bc5647e6320a66021ac4c1adc802070fd53de4c6672a7bacfd397c51009a23b6762e85c8017895e9347a94d489d42c50fa0a1c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
8d6599d7c4897dcd0217070cca074574

SHA1
25eacaaa4c6f89945e97388796a8c85ba6fb01fb

SHA256
a011260fafaaaefd7e7326d8d5290c6a76d55e5af4e43ffa4de5fea9b08fa928

SHA512
e8e2e7c5bff41ccaa0f77c3cfee48dac43c11e75688f03b719cc1d716db047597a7a2ce25b561171ef259957bdcd9dd4345a0e0125db2b36f31698ba178e2248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-file-l1-1-0.dll

Filesize
22KB

MD5
642b29701907e98e2aa7d36eba7d78b8

SHA1
16f46b0e057816f3592f9c0a6671111ea2f35114

SHA256
5d72feac789562d445d745a55a99536fa9302b0c27b8f493f025ba69ba31941c

SHA512
1beab2b368cc595beb39b2f5a2f52d334bc42bf674b8039d334c6d399c966aff0b15876105f0a4a54fa08e021cb44907ed47d31a0af9e789eb4102b82025cf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
7bc1b8712e266db746914db48b27ef9c

SHA1
c76eb162c23865b3f1bd7978f7979d6ba09ccb60

SHA256
f82d05aea21bcf6337ef45fbdad6d647d17c043a67b44c7234f149f861a012b9

SHA512
db6983f5f9c18908266dbf01ef95ebae49f88edc04a0515699ef12201ac9a50f09939b8784c75ae513105ada5b155e5330bd42d70f8c8c48fe6005513aefad2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
b071e761cea670d89d7ae80e016ce7e6

SHA1
c675be753dbef1624100f16674c2221a20cf07dd

SHA256
63fb84a49308b857804ae1481d2d53b00a88bbd806d257d196de2bd5c385701e

SHA512
f2ecbdaba3516d92bd29dcce618185f1755451d95c7dbbe23f8215318f6f300a9964c93ec3ed65c5535d87be82b668e1d3025a7e325af71a05f14e15d530d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
19KB

MD5
1dccf27f2967601ce6666c8611317f03

SHA1
d8246df2ed9ec4a8a719fd4b1db4fd8a71ef679b

SHA256
6a83ab9a413afd74d77a090f52784b0128527bee9cb0a4224c59d5c75fc18387

SHA512
70b96d69d609211f8b9e05fa510ea7d574ae8da3a6498f5c982aee71635b8a749162247055b7ba21a884bfa06c1415b68912c463f0f1b6ffb9049f3532386877

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
19KB

MD5
569a7ac3f6824a04282ff708c629a6d2

SHA1
fc0d78de1075dfd4c1024a72074d09576d4d4181

SHA256
84c579a8263a87991ca1d3aee2845e1c262fb4b849606358062093d08afdc7a2

SHA512
e9cbff82e32540f9230cead9063acb1aceb7ccc9f3338c0b7ad10b0ac70ff5b47c15944d0dce33ea8405554aa9b75de30b26ae2ca55db159d45b6e64bc02a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-memory-l1-1-0.dll

Filesize
19KB

MD5
623283471b12f1bdb83e25dbafaf9c16

SHA1
ecbba66f4dca89a3faa3e242e30aefac8de02153

SHA256
9ca500775fee9ff69b960d65040b8dc415a2efde2982a9251ee6a3e8de625bc7

SHA512
54b69ffa2c263be4ddadca62fa2867fea6148949d64c2634745db3dcbc1ba0ecf7167f02fa53efd69eaaee81d617d914f370f26ca16ee5850853f70c69e9a61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
19KB

MD5
61f70f2d1e3f22e976053df5f3d8ecb7

SHA1
7d224b7f404cde960e6b7a1c449b41050c8e9c58

SHA256
2695761b010d22fdfda2b5e73cf0ac7328ccc62b4b28101d5c10155dd9a48020

SHA512
1ddc568590e9954db198f102be99eabb4133b49e9f3b464f2fc7f31cc77d06d5a7132152f4b331332c42f241562ee6c7bf1c2d68e546db3f59ab47eaf83a22cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
20KB

MD5
1322690996cf4b2b7275a7950bad9856

SHA1
502e05ed81e3629ea3ed26ee84a4e7c07f663735

SHA256
5660030ee4c18b1610fb9f46e66f44d3fc1cf714ecce235525f08f627b3738d7

SHA512
7edc06bfa9e633351291b449b283659e5dd9e706dd57ade354bce3af55df4842491af27c7721b2acc6948078bdfc8e9736fec46e0641af368d419c7ed6aebd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
95612a8a419c61480b670d6767e72d09

SHA1
3b94d1745aff6aafeff87fed7f23e45473f9afc9

SHA256
6781071119d66757efa996317167904697216ad72d7c031af4337138a61258d4

SHA512
570f15c2c5aa599332dd4cfb3c90da0dd565ca9053ecf1c2c05316a7f623615dd153497e93b38df94971c8abf2e25bc1aaaf3311f1cda432f2670b32c767012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
d6ad0f2652460f428c0e8fc40b6f6115

SHA1
1a5152871abc5cf3d4868a218de665105563775e

SHA256
4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a

SHA512
ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-profile-l1-1-0.dll

Filesize
18KB

MD5
654d95515ab099639f2739685cb35977

SHA1
9951854a5cf407051ce6cd44767bfd9bd5c4b0cc

SHA256
c4868e4cebdf86126377a45bd829d88449b4aa031c9b1c05edc47d6d395949d4

SHA512
9c9dd64a3ad1136ba62cca14fc27574faaebc3de1e371a86b83599260424a966dfd813991a5ef0b2342e0401cb99ce83cd82c19fcae73c7decdb92bac1fb58a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
19KB

MD5
e6b7681ccc718ddb69c48abe8709fdd6

SHA1
a518b705746b2c6276f56a2f1c996360b837d548

SHA256
4b532729988224fe5d98056cd94fc3e8b4ba496519f461ef5d9d0ff9d9402d4b

SHA512
89b20affaa23e674543f0f2e9b0a8b3ecd9a8a095e19d50e11c52cb205dafdbf2672892fd35b1c45f16e78ae9b61525de67dbe7673f8ca450aa8c42feeac0895

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-string-l1-1-0.dll

Filesize
19KB

MD5
bcb412464f01467f1066e94085957f42

SHA1
716c11b5d759d59dbfec116874e382d69f9a25b6

SHA256
f040b6e07935b67599ea7e32859a3e93db37ff4195b28b4451ad0d274db6330e

SHA512
79ec0c5ee21680843c8b7f22da3155b7607d5be269f8a51056cc5f060ad3a48ced3b6829117262aba1a90e692374b59ddfe92105d14179f631efc0c863bfdecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
b98598657162de8fbc1536568f1e5a4f

SHA1
f7c020220025101638fd690d86c53d895a03e53c

SHA256
f596c72be43db3a722b7c7a0fd3a4d5aea68267003986fbfd278702af88efa74

SHA512
ad5f46a3f4f6e64a5dcb85c328f1b8daefa94fc33f59922328fdcfedc04a8759f16a1a839027f74b7d7016406c20ac47569277620d6b909e09999021b669a0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-synch-l1-2-0.dll

Filesize
19KB

MD5
b751571148923d943f828a1deb459e24

SHA1
d4160404c2aa6aeaf3492738f5a6ce476a0584a6

SHA256
b394b1142d060322048fb6a8ac6281e4576c0e37be8da772bc970f352dd22a20

SHA512
26e252ff0c01e1e398ebddcc5683a58cdd139161f2b63b65bde6c3e943e85c0820b24486859c2c597af6189de38ca7fe6fa700975be0650cb53c791cd2481c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
20KB

MD5
8aea681e0e2b9abbf73a924003247dbb

SHA1
5bafc2e0a3906723f9b12834b054e6f44d7ff49f

SHA256
286068a999fe179ee91b289360dd76e89365900b130a50e8651a9b7ece80b36d

SHA512
08c83a729036c94148d9a5cbc03647fa2adea4fba1bbb514c06f85ca804eefbf36c909cb6edc1171da8d4d5e4389e15e52571baa6987d1f1353377f509e269ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
eab486e4719b916cad05d64cd4e72e43

SHA1
876c256fb2aeb0b25a63c9ee87d79b7a3c157ead

SHA256
05fe96faa8429992520451f4317fbceba1b17716fa2caf44ddc92ede88ce509d

SHA512
c50c3e656cc28a2f4f6377ba24d126bdc248a3125dca490994f8cace0a4903e23346ae937bb5b0a333f7d39ece42665ae44fde2fd5600873489f3982151a0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-core-util-l1-1-0.dll

Filesize
19KB

MD5
edd61ff85d75794dc92877f793a2cef6

SHA1
de9f1738fc8bf2d19aa202e34512ec24c1ccb635

SHA256
8aca888849e9089a3a56fa867b16b071951693ab886843cfb61bd7a5b08a1ece

SHA512
6cef9b256cdca1a401971ca5706adf395961b2d3407c1fff23e6c16f7e2ce6d85d946843a53532848fcc087c18009c08f651c6eb38112778a2b4b33e8c64796c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-crt-conio-l1-1-0.dll

Filesize
20KB

MD5
22bfe210b767a667b0f3ed692a536e4e

SHA1
88e0ff9c141d8484b5e34eaaa5e4be0b414b8adf

SHA256
f1a2499cc238e52d69c63a43d1e61847cf852173fe95c155056cfbd2cb76abc3

SHA512
cbea3c690049a73b1a713a2183ff15d13b09982f8dd128546fd3db264af4252ccd390021dee54435f06827450da4bd388bd6ff11b084c0b43d50b181c928fd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
da5e087677c8ebbc0062eac758dfed49

SHA1
ca69d48efa07090acb7ae7c1608f61e8d26d3985

SHA256
08a43a53a66d8acb2e107e6fc71213cedd180363055a2dc5081fe5a837940dce

SHA512
6262e9a0808d8f64e5f2dfad5242cd307e2f5eaa78f0a768f325e65c98db056c312d79f0b3e63c74e364af913a832c1d90f4604fe26cc5fb05f3a5a661b12573

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
33a0fe1943c5a325f93679d6e9237fee

SHA1
737d2537d602308fc022dbc0c29aa607bcdec702

SHA256
5af7aa065ffdbf98d139246e198601bfde025d11a6c878201f4b99876d6c7eac

SHA512
cab7fcaa305a9ace1f1cc7077b97526bebc0921adf23273e74cd42d7fe99401d4f7ede8ecb9847b6734a13760b9ebe4dbd2465a3db3139ed232dbef68fb62c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_20814.exe

Filesize
177KB

MD5
4d38d0416a7392711f340e87f22ea4ba

SHA1
85d501d7fd5fc843e96be88caf6c1f1054aa2f28

SHA256
95b64cf5502b24d592c79f2611b76d5d8035c8061c4af6b1ff6800ec2b46442f

SHA512
3a86a6521fb856220875c9bac2c01ce82e7e67e515285273f7687596dc6c169949af8703d835654506c8205bcf6d372403c9ea925c0bf2969f11227d7cacb5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_20817.exe

Filesize
253KB

MD5
5381a870d74ee49586aa9632e93c232b

SHA1
f2ee6d461102d3353077d3d6f08bbda2b8dfb1ed

SHA256
e90f2a5eae99811b65dc284734e0e295708d89bfef9a003b3ab2f8bc42e1fa9c

SHA512
c611262eb7badc08486a6416dd470f14d09c5c86c04076a472d32da52bf2cc21344dd4130f85a83cb25556383528ce57ac94ad0de36cef6a67f1bdb9e87a65a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_20817.exe

Filesize
5.6MB

MD5
f6d5cc794c2a2eb47b84e1dfc26c988a

SHA1
dd0fd87afef860b482909c08332794aff35c288a

SHA256
631190fc83321193d8cb31f592b33919c9e3fbfa19ce0c29f9e86c1a4c2e5892

SHA512
8cadf6f0b2e75be2d6392aef2526458750e5b9c3a180b9362803ae2b3d75094db5a29dd8db5305a43def16e2cd3ec1c6adafdb4aaa07d5c8f3ca3a6546fa19a7

Download Submit
C:\Users\Admin\AppData\Roaming\F4D2EECB61274217651120\F4D2EECB61274217651120.exe

Filesize
25KB

MD5
8a7af78cee9b6487d1cef5abfd008b1b

SHA1
826eddefbf2656698a11629fd2b90f75fe7ebcb7

SHA256
67ccdfa102ca31649309bf0639c6de858383b2889a0fa86c31e3ac6b3457739c

SHA512
111a2844692c010ca88713d2b44fdf748c6ecc05295602c6555878a244542d599a7126bbc26e8a654bdfb9cd53e957ca6a06d25b9ea17c533b156ef2d3882f80

Download Submit
C:\Users\Admin\AppData\Roaming\sysxapcpteam.exe

Filesize
47KB

MD5
b1e7e0afb0365013733d63cf65e2e15a

SHA1
9b51472ff1eb2a38c63f3123c0d4293ac1b395cd

SHA256
1b6576188caf59cdb9be2d86525f4f6023f8eb5c0c9a581cb035f8349418f9fa

SHA512
20ed3cdbb9d0cde50313b8e23e6454d19e0a3496e264c64ab3ff039b8970db94e8c1fb4bfbdb3056151b5a4d7f4adbc1b1c57ae4c09ce8c2413c4ca2b53630ec

Download Submit
C:\Users\Admin\AppData\Roaming\sysxchceck.exe

Filesize
1.2MB

MD5
159db0681c9dc50d8a4c63f567dfa210

SHA1
25855d977d2be440e8e4d3aec0eb0169d9812647

SHA256
7d7dc21105802162f2b8c870d156ee001ab892a76b1c0e08db8218350137fe6a

SHA512
645e6090a9e5108a95bdcc7309b9349173dbf4a84ce40b39e5ca35ff0c1aec91a0668928b8fab4b83ddc5bef565519eddfa8de55084bb04233f17c4232a19d91

Download Submit
C:\Users\Admin\AppData\Roaming\sysxxcchceck.exe

Filesize
1.2MB

MD5
0535262fe0f5413494a58aca9ce939b2

SHA1
c680c17065c5dbc6ee633f81e02c5d91b2539edc

SHA256
0e545c02f20c83526f7f7f424f527e3faa103017cfe046c1f3b7e4ccd842829b

SHA512
148cc284361eed3ec1c21415226cf47dd721b04362c3c562caeba75bf419574e8a1304c3d03927533dfd48feef36581b0649967eb548f75eeb11e46bb49f9604

Download Submit
C:\Users\Admin\AppData\Roaming\syxstccx.exe

Filesize
177KB

MD5
cf603c525f7598b21cd3ad7021fcd633

SHA1
b0b08ed51b425c43d48789de4731dd65c01cb306

SHA256
a29b1f89dd560490b1bcaef327206e85330d41decff0c3997e025978213c4e80

SHA512
b2c20baf72ecac07bfeed3143ece84f4059c876964ba1a194c38bbf03d2cbf667c6580db5cd0304aafe948075cd596fd595267fc665d166f4452c13893473fc3

Download Submit
C:\Users\Admin\AppData\Roaming\syxxbsxtccx.exe

Filesize
175KB

MD5
421082a69f2904a743664e58906b6504

SHA1
9fe739b9b7babfcadfe98cd2f8ce77e30dd7771b

SHA256
06e56563a4fab2b78642ce7c5ab19c75c72b5f7e9bfb0e658e95579b75b3d2c2

SHA512
fb039bf608f2fa7d2bb14047dd744d6129fed09c4dd006471636eba463cd9b84e42aa3d875db463a76ee3d10e548d6c8ebf735ccea4004ec084b78a71e8b7869

Download Submit
memory/100-552-0x00007FF6B77C0000-0x00007FF6B785F000-memory.dmp

Filesize
636KB

Download
memory/100-553-0x00007FF6B77C0000-0x00007FF6B785F000-memory.dmp

Filesize
636KB

Download
memory/548-478-0x00007FF724620000-0x00007FF7246BF000-memory.dmp

Filesize
636KB

Download
memory/548-479-0x00007FF724620000-0x00007FF7246BF000-memory.dmp

Filesize
636KB

Download
memory/756-367-0x00007FF7D0150000-0x00007FF7D01EF000-memory.dmp

Filesize
636KB

Download
memory/756-368-0x00007FF7D0150000-0x00007FF7D01EF000-memory.dmp

Filesize
636KB

Download
memory/764-524-0x00007FF7BEF90000-0x00007FF7BF02F000-memory.dmp

Filesize
636KB

Download
memory/764-523-0x00007FF7BEF90000-0x00007FF7BF02F000-memory.dmp

Filesize
636KB

Download
memory/1480-1054-0x00007FF7ABD00000-0x00007FF7ABD9F000-memory.dmp

Filesize
636KB

Download
memory/1480-1056-0x00007FF7ABD00000-0x00007FF7ABD9F000-memory.dmp

Filesize
636KB

Download
memory/1612-1197-0x00007FF70B7D0000-0x00007FF70B86F000-memory.dmp

Filesize
636KB

Download
memory/1612-1196-0x00007FF70B7D0000-0x00007FF70B86F000-memory.dmp

Filesize
636KB

Download
memory/1648-823-0x00007FF69A010000-0x00007FF69A0AF000-memory.dmp

Filesize
636KB

Download
memory/1648-824-0x00007FF69A010000-0x00007FF69A0AF000-memory.dmp

Filesize
636KB

Download
memory/2040-34-0x00007FF63F500000-0x00007FF63F59F000-memory.dmp

Filesize
636KB

Download
memory/2056-181-0x00007FF7B1E60000-0x00007FF7B1EFF000-memory.dmp

Filesize
636KB

Download
memory/2132-914-0x00007FF72C810000-0x00007FF72C8AF000-memory.dmp

Filesize
636KB

Download
memory/2132-913-0x00007FF72C810000-0x00007FF72C8AF000-memory.dmp

Filesize
636KB

Download
memory/2248-391-0x00007FF78C550000-0x00007FF78C5EF000-memory.dmp

Filesize
636KB

Download
memory/2248-392-0x00007FF78C550000-0x00007FF78C5EF000-memory.dmp

Filesize
636KB

Download
memory/2356-1145-0x00007FF7D6B20000-0x00007FF7D6BBF000-memory.dmp

Filesize
636KB

Download
memory/2356-1144-0x00007FF7D6B20000-0x00007FF7D6BBF000-memory.dmp

Filesize
636KB

Download
memory/2508-856-0x00007FF681D50000-0x00007FF681DEF000-memory.dmp

Filesize
636KB

Download
memory/2508-857-0x00007FF681D50000-0x00007FF681DEF000-memory.dmp

Filesize
636KB

Download
memory/2764-223-0x00007FF7118C0000-0x00007FF7118CA000-memory.dmp

Filesize
40KB

Download
memory/2764-230-0x00007FF7118C0000-0x00007FF7118CA000-memory.dmp

Filesize
40KB

Download
memory/2764-229-0x00007FF7118C0000-0x00007FF7118CA000-memory.dmp

Filesize
40KB

Download
memory/2764-258-0x00007FF7118C0000-0x00007FF7118CA000-memory.dmp

Filesize
40KB

Download
memory/2764-222-0x0000017494360000-0x0000017494361000-memory.dmp

Filesize
4KB

Download
memory/2784-761-0x00007FF624840000-0x00007FF6248DF000-memory.dmp

Filesize
636KB

Download
memory/2784-760-0x00007FF624840000-0x00007FF6248DF000-memory.dmp

Filesize
636KB

Download
memory/2872-676-0x00007FF62BDF0000-0x00007FF62BE8F000-memory.dmp

Filesize
636KB

Download
memory/2872-677-0x00007FF62BDF0000-0x00007FF62BE8F000-memory.dmp

Filesize
636KB

Download
memory/2940-834-0x00007FF775560000-0x00007FF7755FF000-memory.dmp

Filesize
636KB

Download
memory/2940-835-0x00007FF775560000-0x00007FF7755FF000-memory.dmp

Filesize
636KB

Download
memory/3052-542-0x00007FF7EFF50000-0x00007FF7EFFEF000-memory.dmp

Filesize
636KB

Download
memory/3052-541-0x00007FF7EFF50000-0x00007FF7EFFEF000-memory.dmp

Filesize
636KB

Download
memory/3420-1167-0x00007FF6867D0000-0x00007FF68686F000-memory.dmp

Filesize
636KB

Download
memory/3420-1168-0x00007FF6867D0000-0x00007FF68686F000-memory.dmp

Filesize
636KB

Download
memory/3448-24-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3448-264-0x0000000009E50000-0x0000000009EA3000-memory.dmp

Filesize
332KB

Download
memory/3448-21-0x0000000002670000-0x0000000002715000-memory.dmp

Filesize
660KB

Download
memory/3448-218-0x0000000008CF0000-0x0000000008D43000-memory.dmp

Filesize
332KB

Download
memory/3448-221-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/3448-151-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3448-28-0x0000000002670000-0x0000000002715000-memory.dmp

Filesize
660KB

Download
memory/3448-280-0x000000000A540000-0x000000000A593000-memory.dmp

Filesize
332KB

Download
memory/3448-206-0x0000000008BA0000-0x0000000008BE4000-memory.dmp

Filesize
272KB

Download
memory/3448-140-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/3448-20-0x0000000002670000-0x0000000002715000-memory.dmp

Filesize
660KB

Download
memory/3448-283-0x000000000A9E0000-0x000000000AA33000-memory.dmp

Filesize
332KB

Download
memory/3448-37-0x0000000002670000-0x0000000002715000-memory.dmp

Filesize
660KB

Download
memory/3448-238-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3448-25-0x0000000002670000-0x0000000002715000-memory.dmp

Filesize
660KB

Download
memory/3448-257-0x0000000002930000-0x0000000002983000-memory.dmp

Filesize
332KB

Download
memory/3448-32-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/3448-26-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/3448-27-0x0000000002670000-0x0000000002715000-memory.dmp

Filesize
660KB

Download
memory/3460-727-0x00007FF614050000-0x00007FF6140EF000-memory.dmp

Filesize
636KB

Download
memory/3460-728-0x00007FF614050000-0x00007FF6140EF000-memory.dmp

Filesize
636KB

Download
memory/3476-631-0x00007FF6A6B20000-0x00007FF6A6BBF000-memory.dmp

Filesize
636KB

Download
memory/3476-630-0x00007FF6A6B20000-0x00007FF6A6BBF000-memory.dmp

Filesize
636KB

Download
memory/3488-591-0x00007FF6D95B0000-0x00007FF6D964F000-memory.dmp

Filesize
636KB

Download
memory/3488-592-0x00007FF6D95B0000-0x00007FF6D964F000-memory.dmp

Filesize
636KB

Download
memory/3536-1184-0x00007FF62FD50000-0x00007FF62FDEF000-memory.dmp

Filesize
636KB

Download
memory/3536-1185-0x00007FF62FD50000-0x00007FF62FDEF000-memory.dmp

Filesize
636KB

Download
memory/3564-704-0x00007FF7F1370000-0x00007FF7F140F000-memory.dmp

Filesize
636KB

Download
memory/3564-703-0x00007FF7F1370000-0x00007FF7F140F000-memory.dmp

Filesize
636KB

Download
memory/3680-456-0x00007FF638830000-0x00007FF6388CF000-memory.dmp

Filesize
636KB

Download
memory/3680-455-0x00007FF638830000-0x00007FF6388CF000-memory.dmp

Filesize
636KB

Download
memory/3748-884-0x00007FF7C7540000-0x00007FF7C75DF000-memory.dmp

Filesize
636KB

Download
memory/3748-885-0x00007FF7C7540000-0x00007FF7C75DF000-memory.dmp

Filesize
636KB

Download
memory/3792-991-0x00007FF68A8C0000-0x00007FF68A95F000-memory.dmp

Filesize
636KB

Download
memory/3976-935-0x00007FF604F80000-0x00007FF60501F000-memory.dmp

Filesize
636KB

Download
memory/3976-936-0x00007FF604F80000-0x00007FF60501F000-memory.dmp

Filesize
636KB

Download
memory/4056-1066-0x00007FF792460000-0x00007FF7924FF000-memory.dmp

Filesize
636KB

Download
memory/4056-1065-0x00007FF792460000-0x00007FF7924FF000-memory.dmp

Filesize
636KB

Download
memory/4084-1088-0x00007FF752400000-0x00007FF75249F000-memory.dmp

Filesize
636KB

Download
memory/4084-1089-0x00007FF752400000-0x00007FF75249F000-memory.dmp

Filesize
636KB

Download
memory/4364-805-0x00007FF6EB100000-0x00007FF6EB19F000-memory.dmp

Filesize
636KB

Download
memory/4364-806-0x00007FF6EB100000-0x00007FF6EB19F000-memory.dmp

Filesize
636KB

Download
memory/4460-240-0x00007FF797B30000-0x00007FF797BCF000-memory.dmp

Filesize
636KB

Download
memory/4460-239-0x00007FF797B30000-0x00007FF797BCF000-memory.dmp

Filesize
636KB

Download
memory/4528-976-0x00007FF75ADD0000-0x00007FF75AE6F000-memory.dmp

Filesize
636KB

Download
memory/4528-975-0x00007FF75ADD0000-0x00007FF75AE6F000-memory.dmp

Filesize
636KB

Download
memory/4536-619-0x00007FF6FAFE0000-0x00007FF6FB07F000-memory.dmp

Filesize
636KB

Download
memory/4536-620-0x00007FF6FAFE0000-0x00007FF6FB07F000-memory.dmp

Filesize
636KB

Download
memory/4568-1122-0x00007FF6F60D0000-0x00007FF6F616F000-memory.dmp

Filesize
636KB

Download
memory/4568-1123-0x00007FF6F60D0000-0x00007FF6F616F000-memory.dmp

Filesize
636KB

Download
memory/4568-782-0x00007FF7618A0000-0x00007FF76193F000-memory.dmp

Filesize
636KB

Download
memory/4568-783-0x00007FF7618A0000-0x00007FF76193F000-memory.dmp

Filesize
636KB

Download
memory/4592-139-0x00007FF7B14E0000-0x00007FF7B14F1000-memory.dmp

Filesize
68KB

Download
memory/4612-1039-0x00007FF753640000-0x00007FF7536DF000-memory.dmp

Filesize
636KB

Download
memory/4612-1038-0x00007FF753640000-0x00007FF7536DF000-memory.dmp

Filesize
636KB

Download
memory/4684-1013-0x00007FF6AAFB0000-0x00007FF6AB04F000-memory.dmp

Filesize
636KB

Download
memory/4684-1014-0x00007FF6AAFB0000-0x00007FF6AB04F000-memory.dmp

Filesize
636KB

Download
memory/4724-692-0x00007FF640EE0000-0x00007FF640F7F000-memory.dmp

Filesize
636KB

Download
memory/4724-694-0x00007FF640EE0000-0x00007FF640F7F000-memory.dmp

Filesize
636KB

Download
memory/4768-335-0x00007FF729480000-0x00007FF72951F000-memory.dmp

Filesize
636KB

Download
memory/4768-334-0x00007FF729480000-0x00007FF72951F000-memory.dmp

Filesize
636KB

Download
memory/4832-500-0x00007FF605DC0000-0x00007FF605E5F000-memory.dmp

Filesize
636KB

Download
memory/4832-501-0x00007FF605DC0000-0x00007FF605E5F000-memory.dmp

Filesize
636KB

Download
memory/4860-310-0x00007FF7C8580000-0x00007FF7C861F000-memory.dmp

Filesize
636KB

Download
memory/4860-311-0x00007FF7C8580000-0x00007FF7C861F000-memory.dmp

Filesize
636KB

Download
memory/4960-346-0x00007FF76DB20000-0x00007FF76DBBF000-memory.dmp

Filesize
636KB

Download
memory/4960-345-0x00007FF76DB20000-0x00007FF76DBBF000-memory.dmp

Filesize
636KB

Download
memory/5072-958-0x00007FF650D80000-0x00007FF650E1F000-memory.dmp

Filesize
636KB

Download
memory/5072-959-0x00007FF650D80000-0x00007FF650E1F000-memory.dmp

Filesize
636KB

Download
memory/5388-653-0x00007FF7A4640000-0x00007FF7A46DF000-memory.dmp

Filesize
636KB

Download
memory/5388-654-0x00007FF7A4640000-0x00007FF7A46DF000-memory.dmp

Filesize
636KB

Download
memory/5528-574-0x00007FF780110000-0x00007FF7801AF000-memory.dmp

Filesize
636KB

Download
memory/5528-575-0x00007FF780110000-0x00007FF7801AF000-memory.dmp

Filesize
636KB

Download
memory/5728-901-0x00007FF77BB50000-0x00007FF77BBEF000-memory.dmp

Filesize
636KB

Download
memory/5728-902-0x00007FF77BB50000-0x00007FF77BBEF000-memory.dmp

Filesize
636KB

Download
memory/6012-183-0x00007FF63F500000-0x00007FF63F59F000-memory.dmp

Filesize
636KB

Download
memory/6016-749-0x00007FF68F7F0000-0x00007FF68F88F000-memory.dmp

Filesize
636KB

Download
memory/6016-750-0x00007FF68F7F0000-0x00007FF68F88F000-memory.dmp

Filesize
636KB

Download
memory/6032-1113-0x00007FF685D80000-0x00007FF685E1F000-memory.dmp

Filesize
636KB

Download
memory/6032-1112-0x00007FF685D80000-0x00007FF685E1F000-memory.dmp

Filesize
636KB

Download