svcstealer | acb84a0336a45dc387209935852c267abba63b86d820c6a8ea5cbcce0dd7d5e4

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USDT Flasher Private v2.2.exe
Size

1.9MB
MD5

051d7528b34a6a04c5a99ebde64adcb4
SHA1

4ceee7ca158359a5ac373442c83b3942d97c5124
SHA256

acb84a0336a45dc387209935852c267abba63b86d820c6a8ea5cbcce0dd7d5e4
SHA512

15cfe52738281764625e04cbb65ab1143d63587fa5a7546d2b016e93801584e82506871bb2810738583ecdb88a92e2bc60ceb106db696028f1f22221a8449c5b
SSDEEP

24576:gPgvWGZl9tJ5Mo2QhG3aMUFgEsNj9dfF2b6OZBfebd6bIt3MZ2N6zKnBDB+obJwK:0+hZd0Nj9vi6WGkb43uz49B+obC+/v

Score

10^/10

svcstealer discovery downloader persistence spyware stealer

Malware Config

Extracted

Family

svcstealer

176.113.115.149

185.81.68.156

Extracted

Family

svcstealer

Version

3.3

185.81.68.156

176.113.115.149

Attributes

url_paths
/svcstealer/get.php

Signatures

Detects SvcStealer Payload 64 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
behavioral1/files/0x002a000000023707-6.dat	family_svcstealer
behavioral1/memory/3296-12-0x00007FF65F240000-0x00007FF65F345000-memory.dmp	family_svcstealer
behavioral1/memory/3296-39-0x00007FF65F240000-0x00007FF65F345000-memory.dmp	family_svcstealer
behavioral1/memory/3404-38-0x00000000027C0000-0x0000000002801000-memory.dmp	family_svcstealer
behavioral1/memory/3404-37-0x0000000007E10000-0x0000000007F1B000-memory.dmp	family_svcstealer
behavioral1/memory/3404-28-0x0000000007E10000-0x0000000007F1B000-memory.dmp	family_svcstealer
behavioral1/memory/3404-27-0x0000000007E10000-0x0000000007F1B000-memory.dmp	family_svcstealer
behavioral1/memory/3404-24-0x0000000002780000-0x00000000027B3000-memory.dmp	family_svcstealer
behavioral1/memory/3404-23-0x0000000007E10000-0x0000000007F1B000-memory.dmp	family_svcstealer
behavioral1/memory/3404-19-0x0000000007E10000-0x0000000007F1B000-memory.dmp	family_svcstealer
behavioral1/memory/3404-18-0x0000000007E10000-0x0000000007F1B000-memory.dmp	family_svcstealer
behavioral1/memory/3404-32-0x0000000007E10000-0x0000000007F1B000-memory.dmp	family_svcstealer
behavioral1/memory/4564-55-0x00007FF6BFA20000-0x00007FF6BFB25000-memory.dmp	family_svcstealer
behavioral1/memory/4564-56-0x00007FF6BFA20000-0x00007FF6BFB25000-memory.dmp	family_svcstealer
behavioral1/memory/4540-58-0x00007FF65F240000-0x00007FF65F345000-memory.dmp	family_svcstealer
behavioral1/memory/2040-71-0x00007FF7AE450000-0x00007FF7AE555000-memory.dmp	family_svcstealer
behavioral1/memory/2040-72-0x00007FF7AE450000-0x00007FF7AE555000-memory.dmp	family_svcstealer
behavioral1/memory/2024-76-0x00007FF624EA0000-0x00007FF624FA5000-memory.dmp	family_svcstealer
behavioral1/memory/2024-77-0x00007FF624EA0000-0x00007FF624FA5000-memory.dmp	family_svcstealer
behavioral1/memory/2424-88-0x00007FF752520000-0x00007FF752625000-memory.dmp	family_svcstealer
behavioral1/memory/2424-89-0x00007FF752520000-0x00007FF752625000-memory.dmp	family_svcstealer
behavioral1/memory/5908-94-0x00007FF7B4B00000-0x00007FF7B4C05000-memory.dmp	family_svcstealer
behavioral1/memory/5908-95-0x00007FF7B4B00000-0x00007FF7B4C05000-memory.dmp	family_svcstealer
behavioral1/memory/3856-99-0x00007FF614D40000-0x00007FF614E45000-memory.dmp	family_svcstealer
behavioral1/memory/3856-100-0x00007FF614D40000-0x00007FF614E45000-memory.dmp	family_svcstealer
behavioral1/memory/4260-104-0x00007FF722F10000-0x00007FF723015000-memory.dmp	family_svcstealer
behavioral1/memory/4260-105-0x00007FF722F10000-0x00007FF723015000-memory.dmp	family_svcstealer
behavioral1/memory/3528-109-0x00007FF685580000-0x00007FF685685000-memory.dmp	family_svcstealer
behavioral1/memory/3528-110-0x00007FF685580000-0x00007FF685685000-memory.dmp	family_svcstealer
behavioral1/memory/5916-115-0x00007FF7CC4E0000-0x00007FF7CC5E5000-memory.dmp	family_svcstealer
behavioral1/memory/5916-114-0x00007FF7CC4E0000-0x00007FF7CC5E5000-memory.dmp	family_svcstealer
behavioral1/memory/1460-120-0x00007FF689D70000-0x00007FF689E75000-memory.dmp	family_svcstealer
behavioral1/memory/1460-119-0x00007FF689D70000-0x00007FF689E75000-memory.dmp	family_svcstealer
behavioral1/memory/524-125-0x00007FF7F6790000-0x00007FF7F6895000-memory.dmp	family_svcstealer
behavioral1/memory/524-124-0x00007FF7F6790000-0x00007FF7F6895000-memory.dmp	family_svcstealer
behavioral1/memory/1844-129-0x00007FF709C80000-0x00007FF709D85000-memory.dmp	family_svcstealer
behavioral1/memory/1844-130-0x00007FF709C80000-0x00007FF709D85000-memory.dmp	family_svcstealer
behavioral1/memory/3512-134-0x00007FF65F300000-0x00007FF65F405000-memory.dmp	family_svcstealer
behavioral1/memory/3512-135-0x00007FF65F300000-0x00007FF65F405000-memory.dmp	family_svcstealer
behavioral1/memory/2236-139-0x00007FF62E5F0000-0x00007FF62E6F5000-memory.dmp	family_svcstealer
behavioral1/memory/2236-140-0x00007FF62E5F0000-0x00007FF62E6F5000-memory.dmp	family_svcstealer
behavioral1/memory/5860-144-0x00007FF664930000-0x00007FF664A35000-memory.dmp	family_svcstealer
behavioral1/memory/5708-148-0x00007FF761D00000-0x00007FF761E05000-memory.dmp	family_svcstealer
behavioral1/memory/5708-149-0x00007FF761D00000-0x00007FF761E05000-memory.dmp	family_svcstealer
behavioral1/memory/5948-169-0x00007FF76BEA0000-0x00007FF76BFA5000-memory.dmp	family_svcstealer
behavioral1/memory/5948-170-0x00007FF76BEA0000-0x00007FF76BFA5000-memory.dmp	family_svcstealer
behavioral1/memory/2672-174-0x00007FF687320000-0x00007FF687425000-memory.dmp	family_svcstealer
behavioral1/memory/2672-175-0x00007FF687320000-0x00007FF687425000-memory.dmp	family_svcstealer
behavioral1/memory/2424-180-0x00007FF79B6B0000-0x00007FF79B7B5000-memory.dmp	family_svcstealer
behavioral1/memory/1748-184-0x00007FF64A800000-0x00007FF64A905000-memory.dmp	family_svcstealer
behavioral1/memory/1748-185-0x00007FF64A800000-0x00007FF64A905000-memory.dmp	family_svcstealer
behavioral1/memory/1372-189-0x00007FF6A3550000-0x00007FF6A3655000-memory.dmp	family_svcstealer
behavioral1/memory/1372-190-0x00007FF6A3550000-0x00007FF6A3655000-memory.dmp	family_svcstealer
behavioral1/memory/1640-194-0x00007FF6DCDA0000-0x00007FF6DCEA5000-memory.dmp	family_svcstealer
behavioral1/memory/1640-195-0x00007FF6DCDA0000-0x00007FF6DCEA5000-memory.dmp	family_svcstealer
behavioral1/memory/4920-200-0x00007FF669A60000-0x00007FF669B65000-memory.dmp	family_svcstealer
behavioral1/memory/4920-199-0x00007FF669A60000-0x00007FF669B65000-memory.dmp	family_svcstealer
behavioral1/memory/6124-205-0x00007FF6B1660000-0x00007FF6B1765000-memory.dmp	family_svcstealer
behavioral1/memory/6124-204-0x00007FF6B1660000-0x00007FF6B1765000-memory.dmp	family_svcstealer
behavioral1/memory/4900-209-0x00007FF75CE40000-0x00007FF75CF45000-memory.dmp	family_svcstealer
behavioral1/memory/4900-210-0x00007FF75CE40000-0x00007FF75CF45000-memory.dmp	family_svcstealer
behavioral1/memory/6020-214-0x00007FF6666B0000-0x00007FF6667B5000-memory.dmp	family_svcstealer
behavioral1/memory/6020-215-0x00007FF6666B0000-0x00007FF6667B5000-memory.dmp	family_svcstealer
behavioral1/memory/224-219-0x00007FF6DF4D0000-0x00007FF6DF5D5000-memory.dmp	family_svcstealer

SvcStealer, Diamotrix
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
stealer downloader svcstealer
Svcstealer family
svcstealer

Downloads MZ/PE file 1 IoCs

flow	pid	Process
65	3448	6BA7.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	USDT Flasher Private v2.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	6BA7.tmp.exe

Executes dropped EXE 64 IoCs

pid	Process
3296	uyghgvf.exe
5108	bnbnjhc.exe
2940	bvbvcdd.exe
4564	ebfabcdcac.exe
4540	uyghgvf.exe
4776	ebfabcdcac.exe
4788	winserv.exe
4764	bvbvcdd.exe
2040	ebfabcdcac.exe
2024	ebfabcdcac.exe
3264	6A33.tmp.exe
2424	ebfabcdcac.exe
5908	ebfabcdcac.exe
3856	ebfabcdcac.exe
4260	ebfabcdcac.exe
3528	ebfabcdcac.exe
5916	ebfabcdcac.exe
1460	ebfabcdcac.exe
524	ebfabcdcac.exe
1844	ebfabcdcac.exe
3512	ebfabcdcac.exe
2236	ebfabcdcac.exe
5860	ebfabcdcac.exe
5708	ebfabcdcac.exe
5948	ebfabcdcac.exe
2672	ebfabcdcac.exe
2424	ebfabcdcac.exe
1748	ebfabcdcac.exe
1372	ebfabcdcac.exe
1640	ebfabcdcac.exe
4920	ebfabcdcac.exe
6124	ebfabcdcac.exe
4900	ebfabcdcac.exe
6020	ebfabcdcac.exe
224	ebfabcdcac.exe
2512	ebfabcdcac.exe
4748	ebfabcdcac.exe
1028	ebfabcdcac.exe
4708	ebfabcdcac.exe
4812	ebfabcdcac.exe
1732	ebfabcdcac.exe
2024	ebfabcdcac.exe
4636	ebfabcdcac.exe
2432	ebfabcdcac.exe
3448	6BA7.tmp.exe
2436	ebfabcdcac.exe
5980	ebfabcdcac.exe
3888	ebfabcdcac.exe
5280	ebfabcdcac.exe
3348	temp_460.exe
2388	temp_463.exe
2252	ebfabcdcac.exe
2088	ebfabcdcac.exe
4248	ebfabcdcac.exe
4764	ebfabcdcac.exe
2648	ebfabcdcac.exe
3636	ebfabcdcac.exe
5664	ebfabcdcac.exe
3596	ebfabcdcac.exe
1656	ebfabcdcac.exe
4836	ebfabcdcac.exe
2828	ebfabcdcac.exe
536	ebfabcdcac.exe
3752	ebfabcdcac.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebfabcdcac = "\"C:\\ProgramData\\ebfabcdcac.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemServices = "C:\\Users\\Admin\\AppData\\Roaming\\bvbvcdd.exe"	bvbvcdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemServices = "C:\\Users\\Admin\\AppData\\Roaming\\Winserv\\winserv.exe"	bvbvcdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebfabcdcac = "\"C:\\ProgramData\\ebfabcdcac.exe\""	uyghgvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebfabcdcac = "\"C:\\Users\\Admin\\AppData\\Roaming\\uyghgvf.exe\""	Explorer.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvbvcdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6A33.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp_460.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvbvcdd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3296	uyghgvf.exe
3296	uyghgvf.exe
3404	Explorer.EXE
3404	Explorer.EXE
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe
3448	6BA7.tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3404	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3404	Explorer.EXE
3404	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3296	2912	USDT Flasher Private v2.2.exe	87
PID 2912 wrote to memory of 3296	2912	USDT Flasher Private v2.2.exe	87
PID 2912 wrote to memory of 5108	2912	USDT Flasher Private v2.2.exe	88
PID 2912 wrote to memory of 5108	2912	USDT Flasher Private v2.2.exe	88
PID 3296 wrote to memory of 3404	3296	uyghgvf.exe	56
PID 3404 wrote to memory of 668	3404	Explorer.EXE	89
PID 3404 wrote to memory of 668	3404	Explorer.EXE	89
PID 3404 wrote to memory of 4916	3404	Explorer.EXE	90
PID 3404 wrote to memory of 4916	3404	Explorer.EXE	90
PID 3404 wrote to memory of 4680	3404	Explorer.EXE	91
PID 3404 wrote to memory of 4680	3404	Explorer.EXE	91
PID 2912 wrote to memory of 2940	2912	USDT Flasher Private v2.2.exe	95
PID 2912 wrote to memory of 2940	2912	USDT Flasher Private v2.2.exe	95
PID 2912 wrote to memory of 2940	2912	USDT Flasher Private v2.2.exe	95
PID 3404 wrote to memory of 536	3404	Explorer.EXE	96
PID 3404 wrote to memory of 536	3404	Explorer.EXE	96
PID 3404 wrote to memory of 3364	3404	Explorer.EXE	98
PID 3404 wrote to memory of 3364	3404	Explorer.EXE	98
PID 668 wrote to memory of 4564	668	cmd.exe	100
PID 668 wrote to memory of 4564	668	cmd.exe	100
PID 4916 wrote to memory of 4540	4916	cmd.exe	101
PID 4916 wrote to memory of 4540	4916	cmd.exe	101
PID 536 wrote to memory of 4764	536	cmd.exe	102
PID 536 wrote to memory of 4764	536	cmd.exe	102
PID 536 wrote to memory of 4764	536	cmd.exe	102
PID 4680 wrote to memory of 4776	4680	cmd.exe	103
PID 4680 wrote to memory of 4776	4680	cmd.exe	103
PID 3364 wrote to memory of 4788	3364	cmd.exe	104
PID 3364 wrote to memory of 4788	3364	cmd.exe	104
PID 3364 wrote to memory of 4788	3364	cmd.exe	104
PID 3404 wrote to memory of 4836	3404	Explorer.EXE	108
PID 3404 wrote to memory of 4836	3404	Explorer.EXE	108
PID 4836 wrote to memory of 2040	4836	cmd.exe	110
PID 4836 wrote to memory of 2040	4836	cmd.exe	110
PID 3404 wrote to memory of 6008	3404	Explorer.EXE	117
PID 3404 wrote to memory of 6008	3404	Explorer.EXE	117
PID 6008 wrote to memory of 2024	6008	cmd.exe	119
PID 6008 wrote to memory of 2024	6008	cmd.exe	119
PID 3404 wrote to memory of 2032	3404	Explorer.EXE	123
PID 3404 wrote to memory of 2032	3404	Explorer.EXE	123
PID 3404 wrote to memory of 3264	3404	Explorer.EXE	125
PID 3404 wrote to memory of 3264	3404	Explorer.EXE	125
PID 3404 wrote to memory of 3264	3404	Explorer.EXE	125
PID 2032 wrote to memory of 2424	2032	cmd.exe	126
PID 2032 wrote to memory of 2424	2032	cmd.exe	126
PID 3404 wrote to memory of 2148	3404	Explorer.EXE	128
PID 3404 wrote to memory of 2148	3404	Explorer.EXE	128
PID 2148 wrote to memory of 5908	2148	cmd.exe	130
PID 2148 wrote to memory of 5908	2148	cmd.exe	130
PID 3404 wrote to memory of 4508	3404	Explorer.EXE	131
PID 3404 wrote to memory of 4508	3404	Explorer.EXE	131
PID 4508 wrote to memory of 3856	4508	cmd.exe	133
PID 4508 wrote to memory of 3856	4508	cmd.exe	133
PID 3404 wrote to memory of 3932	3404	Explorer.EXE	136
PID 3404 wrote to memory of 3932	3404	Explorer.EXE	136
PID 3932 wrote to memory of 4260	3932	cmd.exe	138
PID 3932 wrote to memory of 4260	3932	cmd.exe	138
PID 3404 wrote to memory of 4900	3404	Explorer.EXE	139
PID 3404 wrote to memory of 4900	3404	Explorer.EXE	139
PID 4900 wrote to memory of 3528	4900	cmd.exe	141
PID 4900 wrote to memory of 3528	4900	cmd.exe	141
PID 3404 wrote to memory of 4948	3404	Explorer.EXE	142
PID 3404 wrote to memory of 4948	3404	Explorer.EXE	142
PID 4948 wrote to memory of 5916	4948	cmd.exe	144

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\USDT Flasher Private v2.2.exe
  "C:\Users\Admin\AppData\Local\Temp\USDT Flasher Private v2.2.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Roaming\uyghgvf.exe
    "C:\Users\Admin\AppData\Roaming\uyghgvf.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3296
- - C:\Users\Admin\AppData\Roaming\bnbnjhc.exe
    "C:\Users\Admin\AppData\Roaming\bnbnjhc.exe"
    3⤵
    - Executes dropped EXE
    PID:5108
- - C:\Users\Admin\AppData\Roaming\bvbvcdd.exe
    "C:\Users\Admin\AppData\Roaming\bvbvcdd.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\uyghgvf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Roaming\uyghgvf.exe
    C:\Users\Admin\AppData\Roaming\uyghgvf.exe
    3⤵
    - Executes dropped EXE
    PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bvbvcdd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Roaming\bvbvcdd.exe
    C:\Users\Admin\AppData\Roaming\bvbvcdd.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
    C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6008
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2424
- C:\Users\Admin\AppData\Local\Temp\6A33.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\6A33.tmp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5064
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2780
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2648
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3288
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4752
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5232
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5944
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2484
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2028
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5228
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5324
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3912
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2920
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4260
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1524
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:6124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4992
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3948
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:6020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1220
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4756
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2648
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2196
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4560
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1900
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2744
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3576
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5348
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2504
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2432
- C:\Users\Admin\AppData\Local\Temp\6BA7.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\6BA7.tmp.exe
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\temp_460.exe
    "C:\Users\Admin\AppData\Local\Temp\temp_460.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3348
- - C:\Users\Admin\AppData\Local\Temp\temp_463.exe
    "C:\Users\Admin\AppData\Local\Temp\temp_463.exe"
    3⤵
    - Executes dropped EXE
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3264
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2476
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5236
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5336
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5096
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5064
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4652
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4788
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4580
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2236
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4976
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:5664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5008
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2428
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2140
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5724
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4860
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:3516
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    - Executes dropped EXE
    PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4988
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1632
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5228
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4056
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:6092
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2920
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1640
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5336
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2312
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4900
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2452
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:5096
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4872
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1212
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4916
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2648
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:2236
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1528
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1536
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:5284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:4592
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:924
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ebfabcdcac.exe"
  2⤵
  PID:1516
- - C:\ProgramData\ebfabcdcac.exe
    C:\ProgramData\ebfabcdcac.exe
    3⤵
    PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6A33.tmp.exe

Filesize
177KB

MD5
a84b1c3b52cca1e711f6ab96b6cab2b2

SHA1
952516e5427aed05cd12c3007d45cdc46e2e1c64

SHA256
e77bd161308fe005519f0ac053698ca7e05a76a0fc1e6e2b9f569a1a2c080488

SHA512
fbca24489be96883f45929d815c72944b9983f7c6a6cf50c894c3d30428d98c0307f182648508d76cd036a6fc1b8780b1a3d3927e95a627d0772365ad553b55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BA7.tmp.exe

Filesize
1.2MB

MD5
3a17feffd22c06508d15d0e5a64afd3b

SHA1
be7b2cd6e53eb238513de7814c16b8d16f5518a0

SHA256
611a8fa6265a41af04abece17343a346e2121b627ea471bc0e02a466c7fdda35

SHA512
030481c8cd28e4d0eaabb5c13214e8410c530b72adb1a46a69cb0c1f57e78f495224039fd9edc4450e8663f5dcf28cf10faaf61657dc6d15f0a018f93fbe8308

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_463.exe

Filesize
253KB

MD5
a6799120a6cd0a439e69cef0b39766f1

SHA1
370711ba4a565d3b2bfa70d593e3ae2abfdeed9f

SHA256
e2f2eadd2865cc21f36f641be666beaab4e97ccd2c56ba522846d1dd89f3a484

SHA512
bb4e2ce1efffcc0ab3d11316f6bbb936a81c6093541a0395f995451b300a8a531bec35f56d53ff110fac6c2d9d4d515388dc1b8a42c45d1108ad179e27ca186c

Download Submit
C:\Users\Admin\AppData\Roaming\bnbnjhc.exe

Filesize
253KB

MD5
5381a870d74ee49586aa9632e93c232b

SHA1
f2ee6d461102d3353077d3d6f08bbda2b8dfb1ed

SHA256
e90f2a5eae99811b65dc284734e0e295708d89bfef9a003b3ab2f8bc42e1fa9c

SHA512
c611262eb7badc08486a6416dd470f14d09c5c86c04076a472d32da52bf2cc21344dd4130f85a83cb25556383528ce57ac94ad0de36cef6a67f1bdb9e87a65a9

Download Submit
C:\Users\Admin\AppData\Roaming\bvbvcdd.exe

Filesize
177KB

MD5
4d38d0416a7392711f340e87f22ea4ba

SHA1
85d501d7fd5fc843e96be88caf6c1f1054aa2f28

SHA256
95b64cf5502b24d592c79f2611b76d5d8035c8061c4af6b1ff6800ec2b46442f

SHA512
3a86a6521fb856220875c9bac2c01ce82e7e67e515285273f7687596dc6c169949af8703d835654506c8205bcf6d372403c9ea925c0bf2969f11227d7cacb5c0

Download Submit
C:\Users\Admin\AppData\Roaming\uyghgvf.exe

Filesize
1021KB

MD5
eb58ebd3579a53abafbe2b8326082f92

SHA1
c290f4cbb2bd1c5f6a1b7ab97620f54be52909be

SHA256
f1c97917335184a76cb5265af4e2d7a1e5ed58ff8c1d5700b2a95edca412657d

SHA512
7d4302aca65d2d2296f66b7f21c6399b21c923723cb14bcb70a53045c9e7181d3b655595fb79b94a67f7e41a7afb0e44c49732b2f0434fc66cce0fb466440ca0

Download Submit
memory/224-219-0x00007FF6DF4D0000-0x00007FF6DF5D5000-memory.dmp

Filesize
1.0MB

Download
memory/224-220-0x00007FF6DF4D0000-0x00007FF6DF5D5000-memory.dmp

Filesize
1.0MB

Download
memory/524-125-0x00007FF7F6790000-0x00007FF7F6895000-memory.dmp

Filesize
1.0MB

Download
memory/524-124-0x00007FF7F6790000-0x00007FF7F6895000-memory.dmp

Filesize
1.0MB

Download
memory/1028-251-0x00007FF7C2CA0000-0x00007FF7C2DA5000-memory.dmp

Filesize
1.0MB

Download
memory/1028-250-0x00007FF7C2CA0000-0x00007FF7C2DA5000-memory.dmp

Filesize
1.0MB

Download
memory/1372-190-0x00007FF6A3550000-0x00007FF6A3655000-memory.dmp

Filesize
1.0MB

Download
memory/1372-189-0x00007FF6A3550000-0x00007FF6A3655000-memory.dmp

Filesize
1.0MB

Download
memory/1460-119-0x00007FF689D70000-0x00007FF689E75000-memory.dmp

Filesize
1.0MB

Download
memory/1460-120-0x00007FF689D70000-0x00007FF689E75000-memory.dmp

Filesize
1.0MB

Download
memory/1640-195-0x00007FF6DCDA0000-0x00007FF6DCEA5000-memory.dmp

Filesize
1.0MB

Download
memory/1640-194-0x00007FF6DCDA0000-0x00007FF6DCEA5000-memory.dmp

Filesize
1.0MB

Download
memory/1732-266-0x00007FF73BC30000-0x00007FF73BD35000-memory.dmp

Filesize
1.0MB

Download
memory/1732-265-0x00007FF73BC30000-0x00007FF73BD35000-memory.dmp

Filesize
1.0MB

Download
memory/1748-184-0x00007FF64A800000-0x00007FF64A905000-memory.dmp

Filesize
1.0MB

Download
memory/1748-185-0x00007FF64A800000-0x00007FF64A905000-memory.dmp

Filesize
1.0MB

Download
memory/1844-129-0x00007FF709C80000-0x00007FF709D85000-memory.dmp

Filesize
1.0MB

Download
memory/1844-130-0x00007FF709C80000-0x00007FF709D85000-memory.dmp

Filesize
1.0MB

Download
memory/2024-272-0x00007FF63D210000-0x00007FF63D315000-memory.dmp

Filesize
1.0MB

Download
memory/2024-271-0x00007FF63D210000-0x00007FF63D315000-memory.dmp

Filesize
1.0MB

Download
memory/2024-76-0x00007FF624EA0000-0x00007FF624FA5000-memory.dmp

Filesize
1.0MB

Download
memory/2024-77-0x00007FF624EA0000-0x00007FF624FA5000-memory.dmp

Filesize
1.0MB

Download
memory/2040-72-0x00007FF7AE450000-0x00007FF7AE555000-memory.dmp

Filesize
1.0MB

Download
memory/2040-71-0x00007FF7AE450000-0x00007FF7AE555000-memory.dmp

Filesize
1.0MB

Download
memory/2088-392-0x00007FF6ED020000-0x00007FF6ED125000-memory.dmp

Filesize
1.0MB

Download
memory/2088-393-0x00007FF6ED020000-0x00007FF6ED125000-memory.dmp

Filesize
1.0MB

Download
memory/2236-139-0x00007FF62E5F0000-0x00007FF62E6F5000-memory.dmp

Filesize
1.0MB

Download
memory/2236-140-0x00007FF62E5F0000-0x00007FF62E6F5000-memory.dmp

Filesize
1.0MB

Download
memory/2252-388-0x00007FF7BA7E0000-0x00007FF7BA8E5000-memory.dmp

Filesize
1.0MB

Download
memory/2252-387-0x00007FF7BA7E0000-0x00007FF7BA8E5000-memory.dmp

Filesize
1.0MB

Download
memory/2424-88-0x00007FF752520000-0x00007FF752625000-memory.dmp

Filesize
1.0MB

Download
memory/2424-180-0x00007FF79B6B0000-0x00007FF79B7B5000-memory.dmp

Filesize
1.0MB

Download
memory/2424-89-0x00007FF752520000-0x00007FF752625000-memory.dmp

Filesize
1.0MB

Download
memory/2432-284-0x00007FF64FEE0000-0x00007FF64FFE5000-memory.dmp

Filesize
1.0MB

Download
memory/2432-283-0x00007FF64FEE0000-0x00007FF64FFE5000-memory.dmp

Filesize
1.0MB

Download
memory/2436-332-0x00007FF7D0960000-0x00007FF7D0A65000-memory.dmp

Filesize
1.0MB

Download
memory/2436-331-0x00007FF7D0960000-0x00007FF7D0A65000-memory.dmp

Filesize
1.0MB

Download
memory/2512-240-0x00007FF734D00000-0x00007FF734E05000-memory.dmp

Filesize
1.0MB

Download
memory/2512-241-0x00007FF734D00000-0x00007FF734E05000-memory.dmp

Filesize
1.0MB

Download
memory/2648-406-0x00007FF7A06E0000-0x00007FF7A07E5000-memory.dmp

Filesize
1.0MB

Download
memory/2648-405-0x00007FF7A06E0000-0x00007FF7A07E5000-memory.dmp

Filesize
1.0MB

Download
memory/2672-174-0x00007FF687320000-0x00007FF687425000-memory.dmp

Filesize
1.0MB

Download
memory/2672-175-0x00007FF687320000-0x00007FF687425000-memory.dmp

Filesize
1.0MB

Download
memory/3296-39-0x00007FF65F240000-0x00007FF65F345000-memory.dmp

Filesize
1.0MB

Download
memory/3296-12-0x00007FF65F240000-0x00007FF65F345000-memory.dmp

Filesize
1.0MB

Download
memory/3404-156-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/3404-69-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/3404-28-0x0000000007E10000-0x0000000007F1B000-memory.dmp

Filesize
1.0MB

Download
memory/3404-151-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/3404-152-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/3404-153-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/3404-37-0x0000000007E10000-0x0000000007F1B000-memory.dmp

Filesize
1.0MB

Download
memory/3404-155-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/3404-154-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/3404-157-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/3404-158-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/3404-161-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/3404-159-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/3404-27-0x0000000007E10000-0x0000000007F1B000-memory.dmp

Filesize
1.0MB

Download
memory/3404-33-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/3404-50-0x00007FFA4B1A0000-0x00007FFA4B1A1000-memory.dmp

Filesize
4KB

Download
memory/3404-53-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3404-38-0x00000000027C0000-0x0000000002801000-memory.dmp

Filesize
260KB

Download
memory/3404-49-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3404-32-0x0000000007E10000-0x0000000007F1B000-memory.dmp

Filesize
1.0MB

Download
memory/3404-18-0x0000000007E10000-0x0000000007F1B000-memory.dmp

Filesize
1.0MB

Download
memory/3404-22-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3404-19-0x0000000007E10000-0x0000000007F1B000-memory.dmp

Filesize
1.0MB

Download
memory/3404-23-0x0000000007E10000-0x0000000007F1B000-memory.dmp

Filesize
1.0MB

Download
memory/3404-24-0x0000000002780000-0x00000000027B3000-memory.dmp

Filesize
204KB

Download
memory/3404-26-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/3512-134-0x00007FF65F300000-0x00007FF65F405000-memory.dmp

Filesize
1.0MB

Download
memory/3512-135-0x00007FF65F300000-0x00007FF65F405000-memory.dmp

Filesize
1.0MB

Download
memory/3528-109-0x00007FF685580000-0x00007FF685685000-memory.dmp

Filesize
1.0MB

Download
memory/3528-110-0x00007FF685580000-0x00007FF685685000-memory.dmp

Filesize
1.0MB

Download
memory/3636-409-0x00007FF7720C0000-0x00007FF7721C5000-memory.dmp

Filesize
1.0MB

Download
memory/3636-410-0x00007FF7720C0000-0x00007FF7721C5000-memory.dmp

Filesize
1.0MB

Download
memory/3856-100-0x00007FF614D40000-0x00007FF614E45000-memory.dmp

Filesize
1.0MB

Download
memory/3856-99-0x00007FF614D40000-0x00007FF614E45000-memory.dmp

Filesize
1.0MB

Download
memory/3888-342-0x00007FF7275D0000-0x00007FF7276D5000-memory.dmp

Filesize
1.0MB

Download
memory/3888-341-0x00007FF7275D0000-0x00007FF7276D5000-memory.dmp

Filesize
1.0MB

Download
memory/4248-397-0x00007FF7115C0000-0x00007FF7116C5000-memory.dmp

Filesize
1.0MB

Download
memory/4248-398-0x00007FF7115C0000-0x00007FF7116C5000-memory.dmp

Filesize
1.0MB

Download
memory/4260-105-0x00007FF722F10000-0x00007FF723015000-memory.dmp

Filesize
1.0MB

Download
memory/4260-104-0x00007FF722F10000-0x00007FF723015000-memory.dmp

Filesize
1.0MB

Download
memory/4540-58-0x00007FF65F240000-0x00007FF65F345000-memory.dmp

Filesize
1.0MB

Download
memory/4564-55-0x00007FF6BFA20000-0x00007FF6BFB25000-memory.dmp

Filesize
1.0MB

Download
memory/4564-56-0x00007FF6BFA20000-0x00007FF6BFB25000-memory.dmp

Filesize
1.0MB

Download
memory/4636-277-0x00007FF7F8B50000-0x00007FF7F8C55000-memory.dmp

Filesize
1.0MB

Download
memory/4636-276-0x00007FF7F8B50000-0x00007FF7F8C55000-memory.dmp

Filesize
1.0MB

Download
memory/4708-256-0x00007FF637960000-0x00007FF637A65000-memory.dmp

Filesize
1.0MB

Download
memory/4708-255-0x00007FF637960000-0x00007FF637A65000-memory.dmp

Filesize
1.0MB

Download
memory/4748-246-0x00007FF672410000-0x00007FF672515000-memory.dmp

Filesize
1.0MB

Download
memory/4748-245-0x00007FF672410000-0x00007FF672515000-memory.dmp

Filesize
1.0MB

Download
memory/4764-403-0x00007FF7B0C60000-0x00007FF7B0D65000-memory.dmp

Filesize
1.0MB

Download
memory/4812-260-0x00007FF701330000-0x00007FF701435000-memory.dmp

Filesize
1.0MB

Download
memory/4812-261-0x00007FF701330000-0x00007FF701435000-memory.dmp

Filesize
1.0MB

Download
memory/4900-210-0x00007FF75CE40000-0x00007FF75CF45000-memory.dmp

Filesize
1.0MB

Download
memory/4900-209-0x00007FF75CE40000-0x00007FF75CF45000-memory.dmp

Filesize
1.0MB

Download
memory/4920-199-0x00007FF669A60000-0x00007FF669B65000-memory.dmp

Filesize
1.0MB

Download
memory/4920-200-0x00007FF669A60000-0x00007FF669B65000-memory.dmp

Filesize
1.0MB

Download
memory/5280-346-0x00007FF67CFF0000-0x00007FF67D0F5000-memory.dmp

Filesize
1.0MB

Download
memory/5280-347-0x00007FF67CFF0000-0x00007FF67D0F5000-memory.dmp

Filesize
1.0MB

Download
memory/5708-149-0x00007FF761D00000-0x00007FF761E05000-memory.dmp

Filesize
1.0MB

Download
memory/5708-148-0x00007FF761D00000-0x00007FF761E05000-memory.dmp

Filesize
1.0MB

Download
memory/5860-179-0x00007FF664930000-0x00007FF664A35000-memory.dmp

Filesize
1.0MB

Download
memory/5860-144-0x00007FF664930000-0x00007FF664A35000-memory.dmp

Filesize
1.0MB

Download
memory/5908-94-0x00007FF7B4B00000-0x00007FF7B4C05000-memory.dmp

Filesize
1.0MB

Download
memory/5908-95-0x00007FF7B4B00000-0x00007FF7B4C05000-memory.dmp

Filesize
1.0MB

Download
memory/5916-115-0x00007FF7CC4E0000-0x00007FF7CC5E5000-memory.dmp

Filesize
1.0MB

Download
memory/5916-114-0x00007FF7CC4E0000-0x00007FF7CC5E5000-memory.dmp

Filesize
1.0MB

Download
memory/5948-169-0x00007FF76BEA0000-0x00007FF76BFA5000-memory.dmp

Filesize
1.0MB

Download
memory/5948-170-0x00007FF76BEA0000-0x00007FF76BFA5000-memory.dmp

Filesize
1.0MB

Download
memory/5980-337-0x00007FF679AB0000-0x00007FF679BB5000-memory.dmp

Filesize
1.0MB

Download
memory/5980-336-0x00007FF679AB0000-0x00007FF679BB5000-memory.dmp

Filesize
1.0MB

Download
memory/6020-215-0x00007FF6666B0000-0x00007FF6667B5000-memory.dmp

Filesize
1.0MB

Download
memory/6020-214-0x00007FF6666B0000-0x00007FF6667B5000-memory.dmp

Filesize
1.0MB

Download
memory/6124-204-0x00007FF6B1660000-0x00007FF6B1765000-memory.dmp

Filesize
1.0MB

Download
memory/6124-205-0x00007FF6B1660000-0x00007FF6B1765000-memory.dmp

Filesize
1.0MB

Download