dcrat | d337dfe61eae50ffa8b738c867f1c6a405c1cc911274e42b3a233fb349e74a80

Analysis

max time kernel
252s
max time network
255s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2023 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lastcheatX.rar
Size

7.7MB
MD5

872b8fbd594281c5f9fd570c659afc19
SHA1

a097e2b51b3f8374bb16f33aa3dfae0b5cd321c9
SHA256

d337dfe61eae50ffa8b738c867f1c6a405c1cc911274e42b3a233fb349e74a80
SHA512

71ffbbb7cae92b182d1cce9f8d952d9d7cba9ee03c3beb7c05599fff76f2b49ee6a916a53fd296ba99bca87c8b89676a91853e4316d155bfdfeff904ea54ff76
SSDEEP

196608:NM/AubOupGXc9r8rtU+Nzz6tBB20eu5CPFUDjY71ndpHbfx:/u/WcmrPNz0o0aPRXbfx

Score

10^/10

dcrat infostealer pyinstaller rat spyware stealer

Malware Config

Signatures

DcRat 52 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.execmd.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3200	schtasks.exe
2080	schtasks.exe
4592	schtasks.exe
1676	schtasks.exe
4972	schtasks.exe
4364	schtasks.exe
4416	schtasks.exe
2260	schtasks.exe
1624	schtasks.exe
4332	schtasks.exe
2188	schtasks.exe
3040	schtasks.exe
4328	schtasks.exe
3196	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
1812	schtasks.exe
4864	schtasks.exe
2416	schtasks.exe
3016	schtasks.exe
4876	schtasks.exe
1308	schtasks.exe
4644	schtasks.exe
3472	schtasks.exe
2312	schtasks.exe
1820	schtasks.exe
2804	schtasks.exe
4808	schtasks.exe
4948	schtasks.exe
4620	schtasks.exe
3280	schtasks.exe
3456	schtasks.exe
4892	schtasks.exe
2536	schtasks.exe
212	schtasks.exe
2812	schtasks.exe
2352	schtasks.exe
1776	schtasks.exe
5012	schtasks.exe
3124	schtasks.exe
3048	schtasks.exe
2152	schtasks.exe
608	schtasks.exe
1168	schtasks.exe
3652	schtasks.exe
404	schtasks.exe
4224	schtasks.exe
916	schtasks.exe
2824	schtasks.exe
2900	schtasks.exe
4756	schtasks.exe
2928	schtasks.exe
4340	schtasks.exe

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	4292	schtasks.exe

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\Comproviderdriver\hyperportsession.exe	dcrat
C:\Comproviderdriver\hyperportsession.exe	dcrat
behavioral2/memory/1904-157-0x0000000000110000-0x0000000000362000-memory.dmp	dcrat
C:\Comproviderdriver\hyperportsession.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\Recovery\WindowsRE\csrss.exe	dcrat
C:\Comproviderdriver\hyperportsession.exe	dcrat
C:\odt\BackgroundTransferHost.exe	dcrat
C:\odt\BackgroundTransferHost.exe	dcrat
C:\Windows\Web\Screen\smss.exe	dcrat
C:\Windows\Web\Screen\smss.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\Comproviderdriver\hyperportsession.exe	dcrat

Executes dropped EXE 15 IoCs

Processes:

Icloader.exeIcloader.exeINST.exehyperportsession.exehyperportsession.exeIcloader.exeIcloader.exeINST.exehyperportsession.exeBackgroundTransferHost.exesmss.exeIcloader.exeIcloader.exeINST.exehyperportsession.exe

pid	process
2068	Icloader.exe
2372	Icloader.exe
3152	INST.exe
1904	hyperportsession.exe
4392	hyperportsession.exe
3532	Icloader.exe
5032	Icloader.exe
1480	INST.exe
948	hyperportsession.exe
5084	BackgroundTransferHost.exe
1892	smss.exe
2544	Icloader.exe
2364	Icloader.exe
4276	INST.exe
4636	hyperportsession.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeINST.exehyperportsession.exeINST.exeWScript.exeINST.exehyperportsession.exeWScript.exehyperportsession.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	INST.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	hyperportsession.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	INST.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	INST.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	hyperportsession.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	hyperportsession.exe

Loads dropped DLL 6 IoCs

Processes:

Icloader.exeIcloader.exeIcloader.exe

pid process

2372 Icloader.exe
2372 Icloader.exe
5032 Icloader.exe
5032 Icloader.exe
2364 Icloader.exe
2364 Icloader.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2372	Icloader.exe
2372	Icloader.exe
5032	Icloader.exe
5032	Icloader.exe
2364	Icloader.exe
2364	Icloader.exe

Drops file in Program Files directory 5 IoCs

Processes:

hyperportsession.exehyperportsession.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\RuntimeBroker.exe	hyperportsession.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RuntimeBroker.exe	hyperportsession.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\9e8d7a4ca61bd9	hyperportsession.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\taskhostw.exe	hyperportsession.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\ea9f0e6c9e2dcd	hyperportsession.exe

Drops file in Windows directory 8 IoCs

Processes:

hyperportsession.exe

description	ioc	process
File created	C:\Windows\SystemResources\Windows.UI.Shell\pris\0a1fd5f707cd16	hyperportsession.exe
File created	C:\Windows\Vss\Writers\System\spoolsv.exe	hyperportsession.exe
File created	C:\Windows\Vss\Writers\System\f3b6ecef712a24	hyperportsession.exe
File created	C:\Windows\Web\Screen\smss.exe	hyperportsession.exe
File created	C:\Windows\Web\Screen\69ddcba757bf72	hyperportsession.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\Icloader.exe	hyperportsession.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\65774357fb2717	hyperportsession.exe
File created	C:\Windows\SystemResources\Windows.UI.Shell\pris\sppsvc.exe	hyperportsession.exe

Detects Pyinstaller 7 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Icloader.exe	pyinstaller
C:\Users\Admin\Desktop\Icloader.exe	pyinstaller
C:\Users\Admin\Desktop\Icloader.exe	pyinstaller
C:\Users\Admin\Desktop\Icloader.exe	pyinstaller
C:\Users\Admin\Desktop\Icloader.exe	pyinstaller
C:\Users\Admin\Desktop\Icloader.exe	pyinstaller
C:\Users\Admin\Desktop\Icloader.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4620	schtasks.exe
4332	schtasks.exe
4876	schtasks.exe
2312	schtasks.exe
2416	schtasks.exe
4416	schtasks.exe
4756	schtasks.exe
2804	schtasks.exe
2152	schtasks.exe
2812	schtasks.exe
4948	schtasks.exe
1308	schtasks.exe
3196	schtasks.exe
2928	schtasks.exe
2260	schtasks.exe
4592	schtasks.exe
3472	schtasks.exe
4364	schtasks.exe
4224	schtasks.exe
1820	schtasks.exe
2188	schtasks.exe
3124	schtasks.exe
4972	schtasks.exe
4864	schtasks.exe
2824	schtasks.exe
2900	schtasks.exe
3016	schtasks.exe
916	schtasks.exe
1776	schtasks.exe
3280	schtasks.exe
3652	schtasks.exe
1812	schtasks.exe
4892	schtasks.exe
3200	schtasks.exe
3048	schtasks.exe
4808	schtasks.exe
608	schtasks.exe
3040	schtasks.exe
1676	schtasks.exe
4328	schtasks.exe
2352	schtasks.exe
4340	schtasks.exe
2536	schtasks.exe
212	schtasks.exe
1624	schtasks.exe
4644	schtasks.exe
2080	schtasks.exe
5012	schtasks.exe
3456	schtasks.exe
404	schtasks.exe
1168	schtasks.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.exeINST.execmd.exeINST.exeINST.exehyperportsession.exe7zFM.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	INST.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\rar_auto_file\shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\7zFM.exe\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\rar_auto_file\shell\open	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	INST.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\rar_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.rar\ = "rar_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\rar_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\7zFM.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.rar	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\rar_auto_file	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	INST.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	hyperportsession.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\7zFM.exe	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

hyperportsession.exehyperportsession.exehyperportsession.exeBackgroundTransferHost.exe

pid	process
1904	hyperportsession.exe
4392	hyperportsession.exe
4392	hyperportsession.exe
4392	hyperportsession.exe
4392	hyperportsession.exe
4392	hyperportsession.exe
948	hyperportsession.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe
5084	BackgroundTransferHost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid process

4796 OpenWith.exe
116 7zFM.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

7zFM.exehyperportsession.exehyperportsession.exehyperportsession.exeBackgroundTransferHost.exesmss.exehyperportsession.exe

description	pid	process
Token: SeRestorePrivilege	116	7zFM.exe
Token: 35	116	7zFM.exe
Token: SeSecurityPrivilege	116	7zFM.exe
Token: SeSecurityPrivilege	116	7zFM.exe
Token: SeSecurityPrivilege	116	7zFM.exe
Token: SeSecurityPrivilege	116	7zFM.exe
Token: SeSecurityPrivilege	116	7zFM.exe
Token: SeDebugPrivilege	1904	hyperportsession.exe
Token: SeDebugPrivilege	4392	hyperportsession.exe
Token: SeDebugPrivilege	948	hyperportsession.exe
Token: SeDebugPrivilege	5084	BackgroundTransferHost.exe
Token: SeDebugPrivilege	1892	smss.exe
Token: SeSecurityPrivilege	116	7zFM.exe
Token: SeSecurityPrivilege	116	7zFM.exe
Token: SeDebugPrivilege	4636	hyperportsession.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

7zFM.exe

pid process

116 7zFM.exe
116 7zFM.exe
116 7zFM.exe
116 7zFM.exe
116 7zFM.exe
116 7zFM.exe
116 7zFM.exe
116 7zFM.exe

pid	process
116	7zFM.exe
116	7zFM.exe
116	7zFM.exe
116	7zFM.exe
116	7zFM.exe
116	7zFM.exe
116	7zFM.exe
116	7zFM.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

OpenWith.exe

pid	process
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exeIcloader.exeIcloader.execmd.exeINST.exeWScript.execmd.exehyperportsession.exeIcloader.exeIcloader.execmd.exeINST.exehyperportsession.exeWScript.execmd.execmd.exehyperportsession.exeIcloader.exeIcloader.execmd.exeINST.exe

description	pid	process	target process
PID 4796 wrote to memory of 116	4796	OpenWith.exe	7zFM.exe
PID 4796 wrote to memory of 116	4796	OpenWith.exe	7zFM.exe
PID 2068 wrote to memory of 2372	2068	Icloader.exe	Icloader.exe
PID 2068 wrote to memory of 2372	2068	Icloader.exe	Icloader.exe
PID 2372 wrote to memory of 4560	2372	Icloader.exe	cmd.exe
PID 2372 wrote to memory of 4560	2372	Icloader.exe	cmd.exe
PID 2372 wrote to memory of 1116	2372	Icloader.exe	cmd.exe
PID 2372 wrote to memory of 1116	2372	Icloader.exe	cmd.exe
PID 1116 wrote to memory of 3152	1116	cmd.exe	INST.exe
PID 1116 wrote to memory of 3152	1116	cmd.exe	INST.exe
PID 1116 wrote to memory of 3152	1116	cmd.exe	INST.exe
PID 3152 wrote to memory of 4376	3152	INST.exe	WScript.exe
PID 3152 wrote to memory of 4376	3152	INST.exe	WScript.exe
PID 3152 wrote to memory of 4376	3152	INST.exe	WScript.exe
PID 3152 wrote to memory of 3864	3152	INST.exe	WScript.exe
PID 3152 wrote to memory of 3864	3152	INST.exe	WScript.exe
PID 3152 wrote to memory of 3864	3152	INST.exe	WScript.exe
PID 4376 wrote to memory of 3708	4376	WScript.exe	cmd.exe
PID 4376 wrote to memory of 3708	4376	WScript.exe	cmd.exe
PID 4376 wrote to memory of 3708	4376	WScript.exe	cmd.exe
PID 3708 wrote to memory of 1904	3708	cmd.exe	hyperportsession.exe
PID 3708 wrote to memory of 1904	3708	cmd.exe	hyperportsession.exe
PID 1904 wrote to memory of 4392	1904	hyperportsession.exe	hyperportsession.exe
PID 1904 wrote to memory of 4392	1904	hyperportsession.exe	hyperportsession.exe
PID 3532 wrote to memory of 5032	3532	Icloader.exe	Icloader.exe
PID 3532 wrote to memory of 5032	3532	Icloader.exe	Icloader.exe
PID 5032 wrote to memory of 1180	5032	Icloader.exe	cmd.exe
PID 5032 wrote to memory of 1180	5032	Icloader.exe	cmd.exe
PID 5032 wrote to memory of 4900	5032	Icloader.exe	cmd.exe
PID 5032 wrote to memory of 4900	5032	Icloader.exe	cmd.exe
PID 4900 wrote to memory of 1480	4900	cmd.exe	INST.exe
PID 4900 wrote to memory of 1480	4900	cmd.exe	INST.exe
PID 4900 wrote to memory of 1480	4900	cmd.exe	INST.exe
PID 1480 wrote to memory of 2424	1480	INST.exe	WScript.exe
PID 1480 wrote to memory of 2424	1480	INST.exe	WScript.exe
PID 1480 wrote to memory of 2424	1480	INST.exe	WScript.exe
PID 1480 wrote to memory of 4936	1480	INST.exe	WScript.exe
PID 1480 wrote to memory of 4936	1480	INST.exe	WScript.exe
PID 1480 wrote to memory of 4936	1480	INST.exe	WScript.exe
PID 4392 wrote to memory of 2248	4392	hyperportsession.exe	cmd.exe
PID 4392 wrote to memory of 2248	4392	hyperportsession.exe	cmd.exe
PID 2424 wrote to memory of 3344	2424	WScript.exe	cmd.exe
PID 2424 wrote to memory of 3344	2424	WScript.exe	cmd.exe
PID 2424 wrote to memory of 3344	2424	WScript.exe	cmd.exe
PID 2248 wrote to memory of 344	2248	cmd.exe	w32tm.exe
PID 2248 wrote to memory of 344	2248	cmd.exe	w32tm.exe
PID 3344 wrote to memory of 948	3344	cmd.exe	hyperportsession.exe
PID 3344 wrote to memory of 948	3344	cmd.exe	hyperportsession.exe
PID 948 wrote to memory of 5084	948	hyperportsession.exe	BackgroundTransferHost.exe
PID 948 wrote to memory of 5084	948	hyperportsession.exe	BackgroundTransferHost.exe
PID 2248 wrote to memory of 1892	2248	cmd.exe	smss.exe
PID 2248 wrote to memory of 1892	2248	cmd.exe	smss.exe
PID 2544 wrote to memory of 2364	2544	Icloader.exe	Icloader.exe
PID 2544 wrote to memory of 2364	2544	Icloader.exe	Icloader.exe
PID 2364 wrote to memory of 2344	2364	Icloader.exe	cmd.exe
PID 2364 wrote to memory of 2344	2364	Icloader.exe	cmd.exe
PID 2364 wrote to memory of 3016	2364	Icloader.exe	cmd.exe
PID 2364 wrote to memory of 3016	2364	Icloader.exe	cmd.exe
PID 3016 wrote to memory of 4276	3016	cmd.exe	INST.exe
PID 3016 wrote to memory of 4276	3016	cmd.exe	INST.exe
PID 3016 wrote to memory of 4276	3016	cmd.exe	INST.exe
PID 4276 wrote to memory of 1940	4276	INST.exe	WScript.exe
PID 4276 wrote to memory of 1940	4276	INST.exe	WScript.exe
PID 4276 wrote to memory of 1940	4276	INST.exe	WScript.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\lastcheatX.rar
1⤵
- DcRat
- Modifies registry class
PID:1156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lastcheatX.rar"
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:116

C:\Users\Admin\Desktop\Icloader.exe
"C:\Users\Admin\Desktop\Icloader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\Desktop\Icloader.exe
"C:\Users\Admin\Desktop\Icloader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SYSTEM32\cmd.exe
cmd /c echo %temp%
3⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\INST.exe
C:\Users\Admin\AppData\Local\Temp\INST.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Comproviderdriver\AQTx4XyFVLzflDDrifZPwFGdIcSe.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Comproviderdriver\kWY7NjZwZ1iBKBun9q6.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Comproviderdriver\hyperportsession.exe
"C:\Comproviderdriver\hyperportsession.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Comproviderdriver\hyperportsession.exe
"C:\Comproviderdriver\hyperportsession.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOR4mfHcFP.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:344

C:\Windows\Web\Screen\smss.exe
"C:\Windows\Web\Screen\smss.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Comproviderdriver\file.vbs"
5⤵
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Comproviderdriver\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Comproviderdriver\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Comproviderdriver\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Users\Admin\Desktop\Icloader.exe
"C:\Users\Admin\Desktop\Icloader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\Desktop\Icloader.exe
"C:\Users\Admin\Desktop\Icloader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SYSTEM32\cmd.exe
cmd /c echo %temp%
3⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\Temp\INST.exe
C:\Users\Admin\AppData\Local\Temp\INST.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Comproviderdriver\AQTx4XyFVLzflDDrifZPwFGdIcSe.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Comproviderdriver\kWY7NjZwZ1iBKBun9q6.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Comproviderdriver\hyperportsession.exe
"C:\Comproviderdriver\hyperportsession.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\odt\BackgroundTransferHost.exe
"C:\odt\BackgroundTransferHost.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Comproviderdriver\file.vbs"
5⤵
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IcloaderI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Icloader.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Icloader" /sc ONLOGON /tr "'C:\Users\Default User\Icloader.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IcloaderI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Icloader.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\_57D7098A-1618-437E-8B21-423BE64314C1\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Temp\_57D7098A-1618-437E-8B21-423BE64314C1\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\_57D7098A-1618-437E-8B21-423BE64314C1\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Icloader" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\Icloader.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IcloaderI" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\Icloader.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IcloaderI" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\Icloader.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.UI.Shell\pris\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Shell\pris\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemResources\Windows.UI.Shell\pris\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Screen\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Web\Screen\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\Screen\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 9 /tr "'C:\odt\BackgroundTransferHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHost" /sc ONLOGON /tr "'C:\odt\BackgroundTransferHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 6 /tr "'C:\odt\BackgroundTransferHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\инструкция.txt
1⤵
PID:1592

C:\Users\Admin\Desktop\Icloader.exe
"C:\Users\Admin\Desktop\Icloader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\Desktop\Icloader.exe
"C:\Users\Admin\Desktop\Icloader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SYSTEM32\cmd.exe
cmd /c echo %temp%
3⤵
PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\INST.exe
C:\Users\Admin\AppData\Local\Temp\INST.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Comproviderdriver\AQTx4XyFVLzflDDrifZPwFGdIcSe.vbe"
5⤵
- Checks computer location settings
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Comproviderdriver\kWY7NjZwZ1iBKBun9q6.bat" "
6⤵
PID:4932

C:\Comproviderdriver\hyperportsession.exe
"C:\Comproviderdriver\hyperportsession.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Comproviderdriver\file.vbs"
5⤵
PID:3688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Comproviderdriver\AQTx4XyFVLzflDDrifZPwFGdIcSe.vbe

Filesize
213B

MD5
9113279e9c8b6335ec9e3e1e311ef188

SHA1
37a4e9ab4bf02a2a65d48918f16f2b494ff5f446

SHA256
829fb3f8655a6ae7791d83e099d9892359924b841d47f0930c7cd92e1d65129e

SHA512
1f846e02362b8fcd4b3c91c745bbe7d08f5e171664d0c96f70800e3a689553c580aaf9845b3e18d4320277b6777964701b82b1664319d9f49f7174e7d39f0389

Download Submit
C:\Comproviderdriver\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Comproviderdriver\hyperportsession.exe

Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\Comproviderdriver\hyperportsession.exe

Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\Comproviderdriver\hyperportsession.exe

Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\Comproviderdriver\hyperportsession.exe

Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\Comproviderdriver\hyperportsession.exe

Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\Comproviderdriver\kWY7NjZwZ1iBKBun9q6.bat

Filesize
43B

MD5
f9b0386eda9b5c1cecad9c265da5b3b7

SHA1
f69cc98e2d196c0f5e2de7a7c75324852bf472fb

SHA256
e59356966e672a4f59cadb7924e07b50346d517101523d7076a03d8c908cc1e1

SHA512
d042e61171f1a5ed353332cdcf018000b9ce61403439282fff5bd029e65dca888bd4374b9986bd13d92a7c1766399d88e2be80ced8b7a8baf797461e65b7346b

Download Submit
C:\Recovery\WindowsRE\886983d96e3d3e

Filesize
187B

MD5
91cbd77c9b4f3b1b0095f0f541d671cf

SHA1
73cc72a749fe778501603ef6246a1b229cd6eb37

SHA256
8a9f1e4454f08c86cb8f98f7440f52f9e9545813600134afd70a77608bad9c5f

SHA512
5ecfdc86d6cac8cdfe86d560f71a11df05ecec51e468cf3d46d650446240b839e8fbfa80f8dd853be10987901d7a27fd5152a1024cbdc16ab8fccdcea3fc0380

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperportsession.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
4d296d79f5cb893a533ffea2db9c7430

SHA1
e7fdb706b84df6a2bccc2b4468d0bad09659e323

SHA256
9f89b41601f6ff66b222e393b73cde2e6537cebceaaa422b445cf3193f281475

SHA512
0e106312f8567388548b7505aa39403cc8c55f42d9f0ac6a03cef699d452e0d6fd639df336bcce470b0763f8163a2a320a9c12314b837d16e5077aa034c13c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
2.6MB

MD5
1ce7698d0f91c39eac6b579e139ae9c4

SHA1
c42979cf7ec941f0ef1a1cccbabb50b6445d2dc4

SHA256
31920a462e8b7c2e6e8e045cd1f867ad2df5939e6edf9bf6a19e376fad43e0cc

SHA512
e6084b09191d2eaaab77fa2ed86ee37384f7fc15da60a76f15e4e2ed1dcf9035be996f32cafd799d24c9c25ac25c284a27044791370a72b9d6ea0cea312c2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
2.6MB

MD5
1ce7698d0f91c39eac6b579e139ae9c4

SHA1
c42979cf7ec941f0ef1a1cccbabb50b6445d2dc4

SHA256
31920a462e8b7c2e6e8e045cd1f867ad2df5939e6edf9bf6a19e376fad43e0cc

SHA512
e6084b09191d2eaaab77fa2ed86ee37384f7fc15da60a76f15e4e2ed1dcf9035be996f32cafd799d24c9c25ac25c284a27044791370a72b9d6ea0cea312c2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
2.6MB

MD5
1ce7698d0f91c39eac6b579e139ae9c4

SHA1
c42979cf7ec941f0ef1a1cccbabb50b6445d2dc4

SHA256
31920a462e8b7c2e6e8e045cd1f867ad2df5939e6edf9bf6a19e376fad43e0cc

SHA512
e6084b09191d2eaaab77fa2ed86ee37384f7fc15da60a76f15e4e2ed1dcf9035be996f32cafd799d24c9c25ac25c284a27044791370a72b9d6ea0cea312c2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
2.6MB

MD5
1ce7698d0f91c39eac6b579e139ae9c4

SHA1
c42979cf7ec941f0ef1a1cccbabb50b6445d2dc4

SHA256
31920a462e8b7c2e6e8e045cd1f867ad2df5939e6edf9bf6a19e376fad43e0cc

SHA512
e6084b09191d2eaaab77fa2ed86ee37384f7fc15da60a76f15e4e2ed1dcf9035be996f32cafd799d24c9c25ac25c284a27044791370a72b9d6ea0cea312c2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
2.6MB

MD5
1ce7698d0f91c39eac6b579e139ae9c4

SHA1
c42979cf7ec941f0ef1a1cccbabb50b6445d2dc4

SHA256
31920a462e8b7c2e6e8e045cd1f867ad2df5939e6edf9bf6a19e376fad43e0cc

SHA512
e6084b09191d2eaaab77fa2ed86ee37384f7fc15da60a76f15e4e2ed1dcf9035be996f32cafd799d24c9c25ac25c284a27044791370a72b9d6ea0cea312c2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
2.6MB

MD5
1ce7698d0f91c39eac6b579e139ae9c4

SHA1
c42979cf7ec941f0ef1a1cccbabb50b6445d2dc4

SHA256
31920a462e8b7c2e6e8e045cd1f867ad2df5939e6edf9bf6a19e376fad43e0cc

SHA512
e6084b09191d2eaaab77fa2ed86ee37384f7fc15da60a76f15e4e2ed1dcf9035be996f32cafd799d24c9c25ac25c284a27044791370a72b9d6ea0cea312c2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\base_library.zip

Filesize
1.0MB

MD5
b344c8ac7c6cb7ce58c5a4ec6c760b96

SHA1
16cb3b9f8fcc90364155f081fb51a74bdf16dce9

SHA256
77c53672ee2afece093ded8b42d316fe443626451448ef603744ca9c7e0cfdb3

SHA512
2976d162b0719c2a1bebf4bc14f6595c291e117f3a2956b69e53996f4a0f4de14a1ea9ec50122a30e95e953ba320a1ac4bf73a5d5980fa7d61bfd92c9af62b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25442\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25442\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25442\base_library.zip

Filesize
1.0MB

MD5
b344c8ac7c6cb7ce58c5a4ec6c760b96

SHA1
16cb3b9f8fcc90364155f081fb51a74bdf16dce9

SHA256
77c53672ee2afece093ded8b42d316fe443626451448ef603744ca9c7e0cfdb3

SHA512
2976d162b0719c2a1bebf4bc14f6595c291e117f3a2956b69e53996f4a0f4de14a1ea9ec50122a30e95e953ba320a1ac4bf73a5d5980fa7d61bfd92c9af62b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25442\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25442\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\base_library.zip

Filesize
1.0MB

MD5
b344c8ac7c6cb7ce58c5a4ec6c760b96

SHA1
16cb3b9f8fcc90364155f081fb51a74bdf16dce9

SHA256
77c53672ee2afece093ded8b42d316fe443626451448ef603744ca9c7e0cfdb3

SHA512
2976d162b0719c2a1bebf4bc14f6595c291e117f3a2956b69e53996f4a0f4de14a1ea9ec50122a30e95e953ba320a1ac4bf73a5d5980fa7d61bfd92c9af62b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35322\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOR4mfHcFP.bat

Filesize
195B

MD5
f8baa9d2403c0b4742cc63c28e58c3ab

SHA1
790f7e872b24f6c9fb946b6d37cf74f783bc8f84

SHA256
5cfa47104eeb8045971f6cd76dd190b8a91aa8f81bf0f52cad53bddf045ed7b5

SHA512
fb550baf3a4401abc25fcde160bb53a4e70cd3ce741570dee101854a2cf0e9eb707cb4a3c166948b6c74e25c842b9b2d9b81529bd19dfa491f67a31923fb0d59

Download Submit
C:\Users\Admin\Desktop\Icloader.exe

Filesize
7.9MB

MD5
ce12fa0411314efb0e9e9d3c6fb943f4

SHA1
1f14997e49595ffe8148f1ad0884d2428444e193

SHA256
1a93fd3d8f49308c93bd0890353d36bc720a93dc617d9d7c0e713d39bb12e753

SHA512
4cb44891e8c4dff32b8516a36200773225c999822b18e2b118da24e7dd1dd9164b83089b68ee55adcafe9fc1df46422576fc0b4fd073e194ccba95f8d92ed4c7

Download Submit
C:\Users\Admin\Desktop\Icloader.exe

Filesize
7.9MB

MD5
ce12fa0411314efb0e9e9d3c6fb943f4

SHA1
1f14997e49595ffe8148f1ad0884d2428444e193

SHA256
1a93fd3d8f49308c93bd0890353d36bc720a93dc617d9d7c0e713d39bb12e753

SHA512
4cb44891e8c4dff32b8516a36200773225c999822b18e2b118da24e7dd1dd9164b83089b68ee55adcafe9fc1df46422576fc0b4fd073e194ccba95f8d92ed4c7

Download Submit
C:\Users\Admin\Desktop\Icloader.exe

Filesize
7.9MB

MD5
ce12fa0411314efb0e9e9d3c6fb943f4

SHA1
1f14997e49595ffe8148f1ad0884d2428444e193

SHA256
1a93fd3d8f49308c93bd0890353d36bc720a93dc617d9d7c0e713d39bb12e753

SHA512
4cb44891e8c4dff32b8516a36200773225c999822b18e2b118da24e7dd1dd9164b83089b68ee55adcafe9fc1df46422576fc0b4fd073e194ccba95f8d92ed4c7

Download Submit
C:\Users\Admin\Desktop\Icloader.exe

Filesize
7.9MB

MD5
ce12fa0411314efb0e9e9d3c6fb943f4

SHA1
1f14997e49595ffe8148f1ad0884d2428444e193

SHA256
1a93fd3d8f49308c93bd0890353d36bc720a93dc617d9d7c0e713d39bb12e753

SHA512
4cb44891e8c4dff32b8516a36200773225c999822b18e2b118da24e7dd1dd9164b83089b68ee55adcafe9fc1df46422576fc0b4fd073e194ccba95f8d92ed4c7

Download Submit
C:\Users\Admin\Desktop\Icloader.exe

Filesize
7.9MB

MD5
ce12fa0411314efb0e9e9d3c6fb943f4

SHA1
1f14997e49595ffe8148f1ad0884d2428444e193

SHA256
1a93fd3d8f49308c93bd0890353d36bc720a93dc617d9d7c0e713d39bb12e753

SHA512
4cb44891e8c4dff32b8516a36200773225c999822b18e2b118da24e7dd1dd9164b83089b68ee55adcafe9fc1df46422576fc0b4fd073e194ccba95f8d92ed4c7

Download Submit
C:\Users\Admin\Desktop\Icloader.exe

Filesize
7.9MB

MD5
ce12fa0411314efb0e9e9d3c6fb943f4

SHA1
1f14997e49595ffe8148f1ad0884d2428444e193

SHA256
1a93fd3d8f49308c93bd0890353d36bc720a93dc617d9d7c0e713d39bb12e753

SHA512
4cb44891e8c4dff32b8516a36200773225c999822b18e2b118da24e7dd1dd9164b83089b68ee55adcafe9fc1df46422576fc0b4fd073e194ccba95f8d92ed4c7

Download Submit
C:\Users\Admin\Desktop\Icloader.exe

Filesize
7.9MB

MD5
ce12fa0411314efb0e9e9d3c6fb943f4

SHA1
1f14997e49595ffe8148f1ad0884d2428444e193

SHA256
1a93fd3d8f49308c93bd0890353d36bc720a93dc617d9d7c0e713d39bb12e753

SHA512
4cb44891e8c4dff32b8516a36200773225c999822b18e2b118da24e7dd1dd9164b83089b68ee55adcafe9fc1df46422576fc0b4fd073e194ccba95f8d92ed4c7

Download Submit
C:\Users\Admin\Desktop\инструкция.txt

Filesize
558B

MD5
9209eb8556a39547861530e88519a563

SHA1
f6a6054dc4b4e38fed7c46c27f71d034da60f4bd

SHA256
d207ba40ba3bb2c762ff27c19572fd4c8883e1008c4910e3f37908bf9ced22c6

SHA512
bcf00968d3dd1cb0d91b2dfe2d92e7dec69c5cb262dda41fde612d3f09e000f50624ee617fbc5fdce1e0cd8f94b4a9e389fd124d5385eaaa7866e5e6a4cc20e5

Download Submit
C:\Windows\Web\Screen\smss.exe

Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\Windows\Web\Screen\smss.exe

Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\odt\BackgroundTransferHost.exe

Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
C:\odt\BackgroundTransferHost.exe

Filesize
2.3MB

MD5
87f1ada78f54205efdbd5d57bc0a0a08

SHA1
10d0478598d4c327ace6dc12e8590ea0e40ab53a

SHA256
373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a

SHA512
bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f

Download Submit
memory/116-132-0x0000000000000000-mapping.dmp

Download
memory/344-186-0x0000000000000000-mapping.dmp

Download
memory/948-194-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/948-190-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/948-187-0x0000000000000000-mapping.dmp

Download
memory/1116-144-0x0000000000000000-mapping.dmp

Download
memory/1180-174-0x0000000000000000-mapping.dmp

Download
memory/1480-176-0x0000000000000000-mapping.dmp

Download
memory/1892-196-0x0000000000000000-mapping.dmp

Download
memory/1892-201-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/1892-199-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/1904-164-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/1904-154-0x0000000000000000-mapping.dmp

Download
memory/1904-157-0x0000000000110000-0x0000000000362000-memory.dmp

Filesize
2.3MB

Download
memory/1904-158-0x000000001CBB0000-0x000000001CC00000-memory.dmp

Filesize
320KB

Download
memory/1904-159-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/1904-160-0x000000001D150000-0x000000001D678000-memory.dmp

Filesize
5.2MB

Download
memory/1940-216-0x0000000000000000-mapping.dmp

Download
memory/2248-183-0x0000000000000000-mapping.dmp

Download
memory/2344-211-0x0000000000000000-mapping.dmp

Download
memory/2364-204-0x0000000000000000-mapping.dmp

Download
memory/2372-136-0x0000000000000000-mapping.dmp

Download
memory/2424-179-0x0000000000000000-mapping.dmp

Download
memory/3016-212-0x0000000000000000-mapping.dmp

Download
memory/3152-145-0x0000000000000000-mapping.dmp

Download
memory/3344-184-0x0000000000000000-mapping.dmp

Download
memory/3688-217-0x0000000000000000-mapping.dmp

Download
memory/3708-153-0x0000000000000000-mapping.dmp

Download
memory/3864-149-0x0000000000000000-mapping.dmp

Download
memory/4276-213-0x0000000000000000-mapping.dmp

Download
memory/4376-148-0x0000000000000000-mapping.dmp

Download
memory/4392-161-0x0000000000000000-mapping.dmp

Download
memory/4392-165-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/4392-188-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/4560-143-0x0000000000000000-mapping.dmp

Download
memory/4636-221-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/4636-219-0x0000000000000000-mapping.dmp

Download
memory/4900-175-0x0000000000000000-mapping.dmp

Download
memory/4932-218-0x0000000000000000-mapping.dmp

Download
memory/4936-180-0x0000000000000000-mapping.dmp

Download
memory/5032-167-0x0000000000000000-mapping.dmp

Download
memory/5084-195-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/5084-200-0x00007FFA05170000-0x00007FFA05C31000-memory.dmp

Filesize
10.8MB

Download
memory/5084-191-0x0000000000000000-mapping.dmp

Download