dcrat | f88cc7a80fe0f1d450c11a28bdd09c833e1c463f3dcb88098d454ad4b9d24ebb

Analysis

max time kernel
117s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f88cc7a80fe0f1d450c11a28bdd09c833e1c463f3dcb88098d454ad4b9d24ebb.exe
Size

2.1MB
MD5

c6a02c990fb951ba0ced642a4daa9845
SHA1

76229ba125995c44227ee1f598dd6510b19fd646
SHA256

f88cc7a80fe0f1d450c11a28bdd09c833e1c463f3dcb88098d454ad4b9d24ebb
SHA512

6bdf39e8e5adb6babde6b8609d585e62c31f2725897bde515d4d592bb7403e0bd59b735c30f572c8d80b64a6ce561c4e6c7a1d54fa1980b9459a8976432f2b36
SSDEEP

49152:IBJv/xDnYHGnSvxNGxcz+NYJxe1oaz/eccZa:yRhnYHZUczjaz/PUa

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\taskhost.exe\", \"C:\\fontCrtmonitor\\WMIADAP.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\3082\\lsass.exe\", \"C:\\fontCrtmonitor\\hypercomCrtMonitor.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\taskhost.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\taskhost.exe\", \"C:\\fontCrtmonitor\\WMIADAP.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\taskhost.exe\", \"C:\\fontCrtmonitor\\WMIADAP.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\3082\\lsass.exe\""	hypercomCrtMonitor.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2052	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
952	powershell.exe
1356	powershell.exe
1048	powershell.exe
2092	powershell.exe
2236	powershell.exe
2376	powershell.exe
1112	powershell.exe
1612	powershell.exe
1348	powershell.exe
1540	powershell.exe
860	powershell.exe
2300	powershell.exe
1336	powershell.exe
1244	powershell.exe
2496	powershell.exe
320	powershell.exe
292	powershell.exe
1688	powershell.exe
2272	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2608	hypercomCrtMonitor.exe
1604	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2652	cmd.exe
2652	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Microsoft.NET\\Framework64\\3082\\lsass.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\hypercomCrtMonitor = "\"C:\\fontCrtmonitor\\hypercomCrtMonitor.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\fontCrtmonitor\\WMIADAP.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\fontCrtmonitor\\WMIADAP.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\taskhost.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\taskhost.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Microsoft.NET\\Framework64\\3082\\lsass.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hypercomCrtMonitor = "\"C:\\fontCrtmonitor\\hypercomCrtMonitor.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	hypercomCrtMonitor.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCE3E69DB3F0DD4E77B6E68F76689E42D.TMP	csc.exe
File created	\??\c:\Windows\System32\wa0wg5.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\taskhost.exe	hypercomCrtMonitor.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\b75386f1303e64	hypercomCrtMonitor.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\3082\lsass.exe	hypercomCrtMonitor.exe
File created	C:\Windows\Microsoft.NET\Framework64\3082\6203df4a6bafc7	hypercomCrtMonitor.exe
File created	C:\Windows\Microsoft.NET\Framework64\3082\lsass.exe	hypercomCrtMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f88cc7a80fe0f1d450c11a28bdd09c833e1c463f3dcb88098d454ad4b9d24ebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
688	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	winlogon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	winlogon.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
688	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2248	schtasks.exe
540	schtasks.exe
1616	schtasks.exe
1512	schtasks.exe
548	schtasks.exe
1604	schtasks.exe
2440	schtasks.exe
2904	schtasks.exe
2848	schtasks.exe
1280	schtasks.exe
1248	schtasks.exe
1476	schtasks.exe
1644	schtasks.exe
2144	schtasks.exe
3048	schtasks.exe
676	schtasks.exe
2284	schtasks.exe
1132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
2608	hypercomCrtMonitor.exe
1244	powershell.exe
2496	powershell.exe
320	powershell.exe
1612	powershell.exe
1048	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	hypercomCrtMonitor.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	1604	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2880	2312	f88cc7a80fe0f1d450c11a28bdd09c833e1c463f3dcb88098d454ad4b9d24ebb.exe	30
PID 2312 wrote to memory of 2880	2312	f88cc7a80fe0f1d450c11a28bdd09c833e1c463f3dcb88098d454ad4b9d24ebb.exe	30
PID 2312 wrote to memory of 2880	2312	f88cc7a80fe0f1d450c11a28bdd09c833e1c463f3dcb88098d454ad4b9d24ebb.exe	30
PID 2312 wrote to memory of 2880	2312	f88cc7a80fe0f1d450c11a28bdd09c833e1c463f3dcb88098d454ad4b9d24ebb.exe	30
PID 2880 wrote to memory of 2652	2880	WScript.exe	32
PID 2880 wrote to memory of 2652	2880	WScript.exe	32
PID 2880 wrote to memory of 2652	2880	WScript.exe	32
PID 2880 wrote to memory of 2652	2880	WScript.exe	32
PID 2652 wrote to memory of 2608	2652	cmd.exe	34
PID 2652 wrote to memory of 2608	2652	cmd.exe	34
PID 2652 wrote to memory of 2608	2652	cmd.exe	34
PID 2652 wrote to memory of 2608	2652	cmd.exe	34
PID 2608 wrote to memory of 2696	2608	hypercomCrtMonitor.exe	39
PID 2608 wrote to memory of 2696	2608	hypercomCrtMonitor.exe	39
PID 2608 wrote to memory of 2696	2608	hypercomCrtMonitor.exe	39
PID 2696 wrote to memory of 2948	2696	csc.exe	41
PID 2696 wrote to memory of 2948	2696	csc.exe	41
PID 2696 wrote to memory of 2948	2696	csc.exe	41
PID 2608 wrote to memory of 1244	2608	hypercomCrtMonitor.exe	57
PID 2608 wrote to memory of 1244	2608	hypercomCrtMonitor.exe	57
PID 2608 wrote to memory of 1244	2608	hypercomCrtMonitor.exe	57
PID 2608 wrote to memory of 2236	2608	hypercomCrtMonitor.exe	58
PID 2608 wrote to memory of 2236	2608	hypercomCrtMonitor.exe	58
PID 2608 wrote to memory of 2236	2608	hypercomCrtMonitor.exe	58
PID 2608 wrote to memory of 2496	2608	hypercomCrtMonitor.exe	59
PID 2608 wrote to memory of 2496	2608	hypercomCrtMonitor.exe	59
PID 2608 wrote to memory of 2496	2608	hypercomCrtMonitor.exe	59
PID 2608 wrote to memory of 2376	2608	hypercomCrtMonitor.exe	60
PID 2608 wrote to memory of 2376	2608	hypercomCrtMonitor.exe	60
PID 2608 wrote to memory of 2376	2608	hypercomCrtMonitor.exe	60
PID 2608 wrote to memory of 1112	2608	hypercomCrtMonitor.exe	61
PID 2608 wrote to memory of 1112	2608	hypercomCrtMonitor.exe	61
PID 2608 wrote to memory of 1112	2608	hypercomCrtMonitor.exe	61
PID 2608 wrote to memory of 1612	2608	hypercomCrtMonitor.exe	62
PID 2608 wrote to memory of 1612	2608	hypercomCrtMonitor.exe	62
PID 2608 wrote to memory of 1612	2608	hypercomCrtMonitor.exe	62
PID 2608 wrote to memory of 952	2608	hypercomCrtMonitor.exe	63
PID 2608 wrote to memory of 952	2608	hypercomCrtMonitor.exe	63
PID 2608 wrote to memory of 952	2608	hypercomCrtMonitor.exe	63
PID 2608 wrote to memory of 1356	2608	hypercomCrtMonitor.exe	64
PID 2608 wrote to memory of 1356	2608	hypercomCrtMonitor.exe	64
PID 2608 wrote to memory of 1356	2608	hypercomCrtMonitor.exe	64
PID 2608 wrote to memory of 1048	2608	hypercomCrtMonitor.exe	65
PID 2608 wrote to memory of 1048	2608	hypercomCrtMonitor.exe	65
PID 2608 wrote to memory of 1048	2608	hypercomCrtMonitor.exe	65
PID 2608 wrote to memory of 320	2608	hypercomCrtMonitor.exe	66
PID 2608 wrote to memory of 320	2608	hypercomCrtMonitor.exe	66
PID 2608 wrote to memory of 320	2608	hypercomCrtMonitor.exe	66
PID 2608 wrote to memory of 292	2608	hypercomCrtMonitor.exe	67
PID 2608 wrote to memory of 292	2608	hypercomCrtMonitor.exe	67
PID 2608 wrote to memory of 292	2608	hypercomCrtMonitor.exe	67
PID 2608 wrote to memory of 1688	2608	hypercomCrtMonitor.exe	68
PID 2608 wrote to memory of 1688	2608	hypercomCrtMonitor.exe	68
PID 2608 wrote to memory of 1688	2608	hypercomCrtMonitor.exe	68
PID 2608 wrote to memory of 2272	2608	hypercomCrtMonitor.exe	69
PID 2608 wrote to memory of 2272	2608	hypercomCrtMonitor.exe	69
PID 2608 wrote to memory of 2272	2608	hypercomCrtMonitor.exe	69
PID 2608 wrote to memory of 2092	2608	hypercomCrtMonitor.exe	70
PID 2608 wrote to memory of 2092	2608	hypercomCrtMonitor.exe	70
PID 2608 wrote to memory of 2092	2608	hypercomCrtMonitor.exe	70
PID 2608 wrote to memory of 2300	2608	hypercomCrtMonitor.exe	71
PID 2608 wrote to memory of 2300	2608	hypercomCrtMonitor.exe	71
PID 2608 wrote to memory of 2300	2608	hypercomCrtMonitor.exe	71
PID 2608 wrote to memory of 1336	2608	hypercomCrtMonitor.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f88cc7a80fe0f1d450c11a28bdd09c833e1c463f3dcb88098d454ad4b9d24ebb.exe
"C:\Users\Admin\AppData\Local\Temp\f88cc7a80fe0f1d450c11a28bdd09c833e1c463f3dcb88098d454ad4b9d24ebb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\fontCrtmonitor\ifUWZN8j70y5ln1VmUlPoxGQIJVqWpVjYm.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\fontCrtmonitor\127OCPq9EML0Us.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\fontCrtmonitor\hypercomCrtMonitor.exe
      "C:\fontCrtmonitor/hypercomCrtMonitor.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgn3exz2\wgn3exz2.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB87.tmp" "c:\Windows\System32\CSCE3E69DB3F0DD4E77B6E68F76689E42D.TMP"
        6⤵
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontCrtmonitor/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontCrtmonitor\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\3082\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontCrtmonitor\hypercomCrtMonitor.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qyUInM1WaO.bat"
        5⤵
        
        PID:876
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:568
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:688
      - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\fontCrtmonitor\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\fontCrtmonitor\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\fontCrtmonitor\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework64\3082\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\3082\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\Framework64\3082\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hypercomCrtMonitorh" /sc MINUTE /mo 7 /tr "'C:\fontCrtmonitor\hypercomCrtMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hypercomCrtMonitor" /sc ONLOGON /tr "'C:\fontCrtmonitor\hypercomCrtMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hypercomCrtMonitorh" /sc MINUTE /mo 14 /tr "'C:\fontCrtmonitor\hypercomCrtMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEB87.tmp

Filesize
1KB

MD5
1ab69a34217f1309559df8a7c90feab9

SHA1
e211b6b1cf065b81136ebedff090440711932b33

SHA256
cb85a96a8300b7d647c2d3831d7b326aa080eeef16efcb12452911e59856611d

SHA512
e648de552ce626fd995a8af46a941fa7d5baa3b2d063401f2206432aa2d8cecf08282343e8b5f647d52b483de9bedbf71330ec62ad0380bf30d15df0396b1e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyUInM1WaO.bat

Filesize
203B

MD5
e10bfca5602469d06d74ec05b81e93fd

SHA1
98159c72eb021a7bca104cc7964d8bd7670a5f79

SHA256
64f124a0dc1b93654ac843c2eaf0345b9973e4bc028cd7a5a3ed02d4924959dd

SHA512
d60806e6b1cd103ee669e5825e485d8289f3e022abd9bf78963904d29148750fcbda3275b38bbf3d5dd6f03f5687e829283a188f28742b0fc748a7c9b4e7779e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EKXNRK4DZIYDRH93DCSY.temp

Filesize
7KB

MD5
3f8873a5e5142f3d57343ccc3c2b0551

SHA1
7177706b75e74ca41a37b536e4cbd76955c67c1a

SHA256
2ce69ce603f9f9ddbae66e1d190a4b41c0adfbf5ba4370a65fc9288dc9bf3b49

SHA512
7db34b69fbdb801fbbf9881b89608f8d3e2d72fd9e536aba4c8e938f581cd0d705e1ff7a66ea05d376ab2bf1c828d327a4730578757ce3f736d493f56bb68c47

Download Submit
C:\fontCrtmonitor\127OCPq9EML0Us.bat

Filesize
89B

MD5
fecf2898e0794e94c3dba205a5ece246

SHA1
78183f1d084b1d54c454c45f800f96a8262ba726

SHA256
48d63405e3893247e884ffb79d280e1a75f1bc4ee5b380589c3c467396652b61

SHA512
dfd3161fd6cb56fbfdcadb6d8977ba9323080d275ecc594f139e3a1d25bfa1dc2f57aff9d2ef768143dd99749a35fa0f2f38da57fda6e9669d4227e6d22a6231

Download Submit
C:\fontCrtmonitor\hypercomCrtMonitor.exe

Filesize
1.8MB

MD5
288245556758577765bdfc6506f9df52

SHA1
558efb1a41b97fe79a3e4badbc6968dfa1675a54

SHA256
cbfe87606ce14216e4cb469653c7f5d3965fd16d0dd48ec5004db618654bf73f

SHA512
afb7c50182136a06eb0b38b6f236842565ca64e90436e1029e361a2b8cda7728cf2cfa73a73e6b8fd82da536d2626d5c708c46595c9f7b798c3dbd1a1220f0e7

Download Submit
C:\fontCrtmonitor\ifUWZN8j70y5ln1VmUlPoxGQIJVqWpVjYm.vbe

Filesize
207B

MD5
68586b219985baf80d838935d8decf3b

SHA1
420f3bbd334d09c6c9f90afed8d716fbeee36295

SHA256
f8510b4f41d4c9aa718439b243bc071e7c02c1ecc0be9118ee824f54656029dc

SHA512
3cf1bd459d05170bfad8fee3ca2c0e3310737f48fcc846f7005d773ae2b631fd0516ff5bbed822636e6292101a82e8bb8e7d7602830e20d694ff10ac086b5e2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wgn3exz2\wgn3exz2.0.cs

Filesize
407B

MD5
f9e0365512a23f84c8ddfee5345fe1a5

SHA1
7125d85ee1a53f843b22559e118cb5108abab26f

SHA256
01988b3cb1af7543aeca54ae6daa19af57b584530d0654c2428700db35dd3f75

SHA512
c9aad08b1a2416b023307fbf1e8ec32095b977df3c5c4f91215f81bdd23061889213b5d4c14b5864b6025c702a778e23d1ef566af8d9a7ea00633c823176f8a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wgn3exz2\wgn3exz2.cmdline

Filesize
235B

MD5
472ce0beb8d8252e20447ce40c9b4a10

SHA1
d66c241c9a1a23d5e46ed406f18f3df378dd0b74

SHA256
4384df35125138fc08647de7e7df14ed59e1c225f6e28896df59dca3530935a1

SHA512
50d2123fb2f533899d4af34453524f49e310398ff32c8fd8048ebeba3f273a5acd5b826cf6d557285545be49ba02980d34d4ff98989cb352503e06c1bd997a61

Download Submit
\??\c:\Windows\System32\CSCE3E69DB3F0DD4E77B6E68F76689E42D.TMP

Filesize
1KB

MD5
b74f131aab310dc6e37b43e729c24199

SHA1
bade4cf35d7e80e79880396c1fdd518d9ab78bdf

SHA256
5fdff2a34cc18e36619ff327b292a8255286dc102d85074b7fc625ccbdbe1858

SHA512
733cb12c94d0a8bedc9a38c073dff2fc46553854d7e835767aaa749b4754beef77fa3bc8232eab21c92bc808c08b150cafe5c035bb33d82292fbf76fec55d885

Download Submit
memory/1244-56-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1604-148-0x0000000000870000-0x0000000000A38000-memory.dmp

Filesize
1.8MB

Download
memory/2496-65-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2608-21-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2608-19-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2608-17-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/2608-15-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/2608-13-0x00000000010A0000-0x0000000001268000-memory.dmp

Filesize
1.8MB

Download