dcrat | 5daab1d2ee0966832a50b6cc7635707a18d81105d51614c75d106c16ff8012c2

Analysis

max time kernel
118s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

incore.exe
Size

2.1MB
MD5

03d4e131a10bf6c41d45c0918a9e3ea5
SHA1

e067835a072ceb0d3cc3dd12e8a6d1a43f4d8bb7
SHA256

5daab1d2ee0966832a50b6cc7635707a18d81105d51614c75d106c16ff8012c2
SHA512

225ca4831acbe4a243e033dae107f92e1bbcad6430ae96f0ec8235fd4adf199b5f80f94457a036369816c6e92f5429e4bfb7cc9e5b644d5bf480816f643cefb0
SSDEEP

24576:2TbBv5rUyXVxp8qWcx5AkyZrtziLafchZChMHTzC6SXYdzNyCzrgEctNjfRn5rEp:IBJXcJQLa0hs2HTbbtNhzrgZnp5rEp

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\fr-FR\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\cmd.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\fr-FR\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\cmd.exe\", \"C:\\Windows\\Logs\\CBS\\OSPPSVC.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\fr-FR\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\cmd.exe\", \"C:\\Windows\\Logs\\CBS\\OSPPSVC.exe\", \"C:\\fontCrtmonitor\\cmd.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\fr-FR\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\cmd.exe\", \"C:\\Windows\\Logs\\CBS\\OSPPSVC.exe\", \"C:\\fontCrtmonitor\\cmd.exe\", \"C:\\fontCrtmonitor\\conhost.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\fr-FR\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\cmd.exe\", \"C:\\Windows\\Logs\\CBS\\OSPPSVC.exe\", \"C:\\fontCrtmonitor\\cmd.exe\", \"C:\\fontCrtmonitor\\conhost.exe\", \"C:\\fontCrtmonitor\\hypercomCrtMonitor.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Journal\\fr-FR\\explorer.exe\""	hypercomCrtMonitor.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2664	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2980	powershell.exe
1380	powershell.exe
2596	powershell.exe
1252	powershell.exe
1124	powershell.exe
1256	powershell.exe
348	powershell.exe
1892	powershell.exe
912	powershell.exe
1064	powershell.exe
1240	powershell.exe
2120	powershell.exe
1628	powershell.exe
1376	powershell.exe
2160	powershell.exe
2464	powershell.exe
2144	powershell.exe
1040	powershell.exe
768	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	hypercomCrtMonitor.exe
1432	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2908	cmd.exe
2908	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Journal\\fr-FR\\explorer.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\cmd.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Logs\\CBS\\OSPPSVC.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\fontCrtmonitor\\cmd.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\fontCrtmonitor\\conhost.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\fontCrtmonitor\\conhost.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hypercomCrtMonitor = "\"C:\\fontCrtmonitor\\hypercomCrtMonitor.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Journal\\fr-FR\\explorer.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\cmd.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Logs\\CBS\\OSPPSVC.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\fontCrtmonitor\\cmd.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\hypercomCrtMonitor = "\"C:\\fontCrtmonitor\\hypercomCrtMonitor.exe\""	hypercomCrtMonitor.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCCDC44E5A96E14345A3CCE27553A895F.TMP	csc.exe
File created	\??\c:\Windows\System32\9w3j6e.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\cmd.exe	hypercomCrtMonitor.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\ebf1f9fa8afd6d	hypercomCrtMonitor.exe
File created	C:\Program Files\Windows Journal\fr-FR\explorer.exe	hypercomCrtMonitor.exe
File created	C:\Program Files\Windows Journal\fr-FR\7a0fd90576e088	hypercomCrtMonitor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\OSPPSVC.exe	hypercomCrtMonitor.exe
File created	C:\Windows\Logs\CBS\1610b97d3ab4a7	hypercomCrtMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	incore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1328	schtasks.exe
268	schtasks.exe
2116	schtasks.exe
2156	schtasks.exe
2076	schtasks.exe
2984	schtasks.exe
2472	schtasks.exe
2168	schtasks.exe
2136	schtasks.exe
272	schtasks.exe
2948	schtasks.exe
336	schtasks.exe
900	schtasks.exe
1708	schtasks.exe
2700	schtasks.exe
1692	schtasks.exe
1596	schtasks.exe
1528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2792	hypercomCrtMonitor.exe
2160	powershell.exe
1124	powershell.exe
1628	powershell.exe
1064	powershell.exe
2980	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	hypercomCrtMonitor.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1432	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1964	1956	incore.exe	31
PID 1956 wrote to memory of 1964	1956	incore.exe	31
PID 1956 wrote to memory of 1964	1956	incore.exe	31
PID 1956 wrote to memory of 1964	1956	incore.exe	31
PID 1964 wrote to memory of 2908	1964	WScript.exe	32
PID 1964 wrote to memory of 2908	1964	WScript.exe	32
PID 1964 wrote to memory of 2908	1964	WScript.exe	32
PID 1964 wrote to memory of 2908	1964	WScript.exe	32
PID 2908 wrote to memory of 2792	2908	cmd.exe	34
PID 2908 wrote to memory of 2792	2908	cmd.exe	34
PID 2908 wrote to memory of 2792	2908	cmd.exe	34
PID 2908 wrote to memory of 2792	2908	cmd.exe	34
PID 2792 wrote to memory of 388	2792	hypercomCrtMonitor.exe	39
PID 2792 wrote to memory of 388	2792	hypercomCrtMonitor.exe	39
PID 2792 wrote to memory of 388	2792	hypercomCrtMonitor.exe	39
PID 388 wrote to memory of 2840	388	csc.exe	41
PID 388 wrote to memory of 2840	388	csc.exe	41
PID 388 wrote to memory of 2840	388	csc.exe	41
PID 2792 wrote to memory of 2160	2792	hypercomCrtMonitor.exe	57
PID 2792 wrote to memory of 2160	2792	hypercomCrtMonitor.exe	57
PID 2792 wrote to memory of 2160	2792	hypercomCrtMonitor.exe	57
PID 2792 wrote to memory of 2980	2792	hypercomCrtMonitor.exe	58
PID 2792 wrote to memory of 2980	2792	hypercomCrtMonitor.exe	58
PID 2792 wrote to memory of 2980	2792	hypercomCrtMonitor.exe	58
PID 2792 wrote to memory of 348	2792	hypercomCrtMonitor.exe	60
PID 2792 wrote to memory of 348	2792	hypercomCrtMonitor.exe	60
PID 2792 wrote to memory of 348	2792	hypercomCrtMonitor.exe	60
PID 2792 wrote to memory of 1376	2792	hypercomCrtMonitor.exe	62
PID 2792 wrote to memory of 1376	2792	hypercomCrtMonitor.exe	62
PID 2792 wrote to memory of 1376	2792	hypercomCrtMonitor.exe	62
PID 2792 wrote to memory of 1892	2792	hypercomCrtMonitor.exe	63
PID 2792 wrote to memory of 1892	2792	hypercomCrtMonitor.exe	63
PID 2792 wrote to memory of 1892	2792	hypercomCrtMonitor.exe	63
PID 2792 wrote to memory of 1628	2792	hypercomCrtMonitor.exe	64
PID 2792 wrote to memory of 1628	2792	hypercomCrtMonitor.exe	64
PID 2792 wrote to memory of 1628	2792	hypercomCrtMonitor.exe	64
PID 2792 wrote to memory of 2464	2792	hypercomCrtMonitor.exe	65
PID 2792 wrote to memory of 2464	2792	hypercomCrtMonitor.exe	65
PID 2792 wrote to memory of 2464	2792	hypercomCrtMonitor.exe	65
PID 2792 wrote to memory of 1124	2792	hypercomCrtMonitor.exe	66
PID 2792 wrote to memory of 1124	2792	hypercomCrtMonitor.exe	66
PID 2792 wrote to memory of 1124	2792	hypercomCrtMonitor.exe	66
PID 2792 wrote to memory of 2120	2792	hypercomCrtMonitor.exe	67
PID 2792 wrote to memory of 2120	2792	hypercomCrtMonitor.exe	67
PID 2792 wrote to memory of 2120	2792	hypercomCrtMonitor.exe	67
PID 2792 wrote to memory of 1240	2792	hypercomCrtMonitor.exe	68
PID 2792 wrote to memory of 1240	2792	hypercomCrtMonitor.exe	68
PID 2792 wrote to memory of 1240	2792	hypercomCrtMonitor.exe	68
PID 2792 wrote to memory of 1256	2792	hypercomCrtMonitor.exe	69
PID 2792 wrote to memory of 1256	2792	hypercomCrtMonitor.exe	69
PID 2792 wrote to memory of 1256	2792	hypercomCrtMonitor.exe	69
PID 2792 wrote to memory of 1064	2792	hypercomCrtMonitor.exe	70
PID 2792 wrote to memory of 1064	2792	hypercomCrtMonitor.exe	70
PID 2792 wrote to memory of 1064	2792	hypercomCrtMonitor.exe	70
PID 2792 wrote to memory of 1252	2792	hypercomCrtMonitor.exe	71
PID 2792 wrote to memory of 1252	2792	hypercomCrtMonitor.exe	71
PID 2792 wrote to memory of 1252	2792	hypercomCrtMonitor.exe	71
PID 2792 wrote to memory of 912	2792	hypercomCrtMonitor.exe	72
PID 2792 wrote to memory of 912	2792	hypercomCrtMonitor.exe	72
PID 2792 wrote to memory of 912	2792	hypercomCrtMonitor.exe	72
PID 2792 wrote to memory of 768	2792	hypercomCrtMonitor.exe	73
PID 2792 wrote to memory of 768	2792	hypercomCrtMonitor.exe	73
PID 2792 wrote to memory of 768	2792	hypercomCrtMonitor.exe	73
PID 2792 wrote to memory of 1040	2792	hypercomCrtMonitor.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\incore.exe
"C:\Users\Admin\AppData\Local\Temp\incore.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\fontCrtmonitor\3ZRHIxPIjsb.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\fontCrtmonitor\ggooOvvNMLFpJUHeJA7JSZJLf.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\fontCrtmonitor\hypercomCrtMonitor.exe
      "C:\fontCrtmonitor/hypercomCrtMonitor.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qgspexgv\qgspexgv.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:388
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES515B.tmp" "c:\Windows\System32\CSCCDC44E5A96E14345A3CCE27553A895F.TMP"
        6⤵
        
        PID:2840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontCrtmonitor/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontCrtmonitor\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontCrtmonitor\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontCrtmonitor\hypercomCrtMonitor.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2gNLuse8Qj.bat"
        5⤵
        
        PID:700
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2496
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1880
      - C:\Program Files\Windows Journal\fr-FR\explorer.exe
        
        "C:\Program Files\Windows Journal\fr-FR\explorer.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\CBS\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\CBS\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\fontCrtmonitor\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\fontCrtmonitor\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\fontCrtmonitor\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\fontCrtmonitor\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\fontCrtmonitor\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\fontCrtmonitor\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hypercomCrtMonitorh" /sc MINUTE /mo 6 /tr "'C:\fontCrtmonitor\hypercomCrtMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hypercomCrtMonitor" /sc ONLOGON /tr "'C:\fontCrtmonitor\hypercomCrtMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hypercomCrtMonitorh" /sc MINUTE /mo 14 /tr "'C:\fontCrtmonitor\hypercomCrtMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2gNLuse8Qj.bat

Filesize
227B

MD5
0f13e69a004ae7b656fe33131e434500

SHA1
6e4cefa2abb12bd4615865972a61d9e975d056d7

SHA256
44ee8209fa824d4348a5adcafed8aea608a80105e09864a6b591fcfd43251dab

SHA512
93a1f7d5d6819c8f717921474332bddeae84b3cb0eb2554ba4c26047e0376cd9e6c8ceb77708887743d66ae7588eba4a95df781037f25fc3bdf8461dc843e732

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES515B.tmp

Filesize
1KB

MD5
4a2c2a1b6b2556e7e907ac12f0a6b4d0

SHA1
7d1f18b5f1532e733c5bc247584ce944c8b6515a

SHA256
d5d150c774dfe085e24d179e117c6893618d617745e1d4d3d381cb6204313f31

SHA512
088eae086691481dfcdb91a1bc07526786b89a640521c9a249cc582f3b930f43a6381c1a94cd73089f35c9e5d46d6ae9b9f74a93f468ab12ec51d3a534bea207

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f01eedc48f9acc53b2a54b76a9423c43

SHA1
5fa05f1a68a281cf6718279b0cf5364116376824

SHA256
b5fea502c3d9e71c93102b41c40a3780a1e28cdbec590e24721c05bd462de673

SHA512
5c8fd249ee36b8bb0e7547e709b4c5e37c5a2e4a0d0df03498c63eaaf998c8244e5912393f494a8fc88dc56a045f722808a36e8e539f9d7f6a1b863a9376e777

Download Submit
C:\fontCrtmonitor\3ZRHIxPIjsb.vbe

Filesize
218B

MD5
623fc76c6ffa7386cf3ba5bd07316cd0

SHA1
f35d0b54e393e8f9a0662d175e0e1895e47c6e05

SHA256
2e5e3b082cf3350781210ee9c1d404fc3b530c182b22a3a4a05c7cd6b04f5b18

SHA512
d44af88f6e249fb4cdc78c61db0f7020e1c9f98b0e5bb0c4ec2261ece646ef464c3a5b30df9e042da3112b8b3c8dc7f1f55ae54f3948dcd3f192cdd317f57125

Download Submit
C:\fontCrtmonitor\ggooOvvNMLFpJUHeJA7JSZJLf.bat

Filesize
92B

MD5
3b890edc86e87609973d9d0dacbb0b0a

SHA1
94b43c89db0ed52658e8a76dc075c40d959d1e51

SHA256
33c65a531e04e663ba8a9590080c1786330f6f98c32a7da57694f4df6f48aeac

SHA512
5d3bf328910e66aa498b7c2b49e86a2e6eb71c7710c8aa4561dc121070c44bf62b40bd65227113decaa71080ee9b2a7f978f0648401580ce02d9e869619d889d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qgspexgv\qgspexgv.0.cs

Filesize
383B

MD5
9031a67cdb247e8755394312d16ab84b

SHA1
0f319fa97411a95c6bd04da550910e95d802145f

SHA256
5b1051a6029816696d05fe7ec7414c1761c6fc534fa1cf4099755c2507e14400

SHA512
0c06a216bc4963f4adddbb5312ed39563227db0447dbfe819fa8eb7b058a098ec75af670135683dcd6632435efba5284e6e432d1edd81a0a3281cbb403899882

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qgspexgv\qgspexgv.cmdline

Filesize
235B

MD5
7feeb39374052bc0bae3edfc7ef11e14

SHA1
37751f4f39cb35e76956f9ad5f0f3f38f3e8c993

SHA256
6cb96676fa7961bcfb13e36c6b979758b97f7533008e77d325f5eecdd5d4d13d

SHA512
37709bf8d16da50e62ef0d5c195b5a7f44a2c452f9b11fbc758c2a5f1c7ac0aa1c05dd86b331906e10747a312e44809c089f1038f14e36c463052632a5f3a02e

Download Submit
\??\c:\Windows\System32\CSCCDC44E5A96E14345A3CCE27553A895F.TMP

Filesize
1KB

MD5
70046c6c63d509bb29450ef32b59dda3

SHA1
26802b73997ee22a7cd3d07ae77016969603cf00

SHA256
dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0

SHA512
d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

Download Submit
\fontCrtmonitor\hypercomCrtMonitor.exe

Filesize
1.8MB

MD5
2a6e3f3275d854bf07aba2427baa6610

SHA1
37d6411844b5d8a9d997f38f7718168b33cbc564

SHA256
4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b

SHA512
a6054ab62fc7415dafaca1dc273b42edd9680541e964b7b20d6b7ed07d65fb2ee01ea833bfedec9abc3687814449bb65f7c041ba462aed5cc44397e0ae2d4ef0

Download Submit
memory/1432-142-0x0000000000F80000-0x0000000001148000-memory.dmp

Filesize
1.8MB

Download
memory/2160-53-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2160-54-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2792-21-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/2792-19-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/2792-17-0x0000000000760000-0x000000000077C000-memory.dmp

Filesize
112KB

Download
memory/2792-15-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2792-13-0x0000000000810000-0x00000000009D8000-memory.dmp

Filesize
1.8MB

Download