dcrat | 5daab1d2ee0966832a50b6cc7635707a18d81105d51614c75d106c16ff8012c2

Analysis

max time kernel
44s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

incore.exe
Size

2.1MB
MD5

03d4e131a10bf6c41d45c0918a9e3ea5
SHA1

e067835a072ceb0d3cc3dd12e8a6d1a43f4d8bb7
SHA256

5daab1d2ee0966832a50b6cc7635707a18d81105d51614c75d106c16ff8012c2
SHA512

225ca4831acbe4a243e033dae107f92e1bbcad6430ae96f0ec8235fd4adf199b5f80f94457a036369816c6e92f5429e4bfb7cc9e5b644d5bf480816f643cefb0
SSDEEP

24576:2TbBv5rUyXVxp8qWcx5AkyZrtziLafchZChMHTzC6SXYdzNyCzrgEctNjfRn5rEp:IBJXcJQLa0hs2HTbbtNhzrgZnp5rEp

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Network Sharing\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\", \"C:\\fontCrtmonitor\\WmiPrvSE.exe\", \"C:\\Windows\\tracing\\audiodg.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Network Sharing\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\", \"C:\\fontCrtmonitor\\WmiPrvSE.exe\", \"C:\\Windows\\tracing\\audiodg.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\smss.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Network Sharing\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\", \"C:\\fontCrtmonitor\\WmiPrvSE.exe\", \"C:\\Windows\\tracing\\audiodg.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\smss.exe\", \"C:\\fontCrtmonitor\\hypercomCrtMonitor.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Network Sharing\\dllhost.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Network Sharing\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Network Sharing\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\", \"C:\\fontCrtmonitor\\WmiPrvSE.exe\""	hypercomCrtMonitor.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2936	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1624	powershell.exe
1092	powershell.exe
2036	powershell.exe
1524	powershell.exe
856	powershell.exe
2472	powershell.exe
2452	powershell.exe
2024	powershell.exe
1100	powershell.exe
1164	powershell.exe
2416	powershell.exe
1940	powershell.exe
1352	powershell.exe
1520	powershell.exe
2432	powershell.exe
772	powershell.exe
1936	powershell.exe
876	powershell.exe
1760	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2556	hypercomCrtMonitor.exe
672	services.exe

Loads dropped DLL 2 IoCs

pid	Process
1804	cmd.exe
1804	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Media Player\\Network Sharing\\dllhost.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Media Player\\Network Sharing\\dllhost.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\fontCrtmonitor\\WmiPrvSE.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\smss.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hypercomCrtMonitor = "\"C:\\fontCrtmonitor\\hypercomCrtMonitor.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\fontCrtmonitor\\WmiPrvSE.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\tracing\\audiodg.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\tracing\\audiodg.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\smss.exe\""	hypercomCrtMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\hypercomCrtMonitor = "\"C:\\fontCrtmonitor\\hypercomCrtMonitor.exe\""	hypercomCrtMonitor.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC96FB70235D3243BD99D34A4E182CC64D.TMP	csc.exe
File created	\??\c:\Windows\System32\qmeprf.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\services.exe	hypercomCrtMonitor.exe
File created	C:\Program Files (x86)\Google\CrashReports\c5b4cb5e9653cc	hypercomCrtMonitor.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe	hypercomCrtMonitor.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\5940a34987c991	hypercomCrtMonitor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tracing\audiodg.exe	hypercomCrtMonitor.exe
File created	C:\Windows\tracing\42af1c969fbb7b	hypercomCrtMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	incore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2768	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	services.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2768	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2508	schtasks.exe
592	schtasks.exe
2156	schtasks.exe
2368	schtasks.exe
3064	schtasks.exe
1476	schtasks.exe
1860	schtasks.exe
2524	schtasks.exe
1240	schtasks.exe
1236	schtasks.exe
2828	schtasks.exe
324	schtasks.exe
1232	schtasks.exe
2132	schtasks.exe
3012	schtasks.exe
3016	schtasks.exe
1216	schtasks.exe
2980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2556	hypercomCrtMonitor.exe
2472	powershell.exe
2432	powershell.exe
1164	powershell.exe
772	powershell.exe
2452	powershell.exe
2036	powershell.exe
1352	powershell.exe
1524	powershell.exe
1940	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	hypercomCrtMonitor.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	672	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2772	2172	incore.exe	30
PID 2172 wrote to memory of 2772	2172	incore.exe	30
PID 2172 wrote to memory of 2772	2172	incore.exe	30
PID 2172 wrote to memory of 2772	2172	incore.exe	30
PID 2772 wrote to memory of 1804	2772	WScript.exe	31
PID 2772 wrote to memory of 1804	2772	WScript.exe	31
PID 2772 wrote to memory of 1804	2772	WScript.exe	31
PID 2772 wrote to memory of 1804	2772	WScript.exe	31
PID 1804 wrote to memory of 2556	1804	cmd.exe	33
PID 1804 wrote to memory of 2556	1804	cmd.exe	33
PID 1804 wrote to memory of 2556	1804	cmd.exe	33
PID 1804 wrote to memory of 2556	1804	cmd.exe	33
PID 2556 wrote to memory of 2136	2556	hypercomCrtMonitor.exe	38
PID 2556 wrote to memory of 2136	2556	hypercomCrtMonitor.exe	38
PID 2556 wrote to memory of 2136	2556	hypercomCrtMonitor.exe	38
PID 2136 wrote to memory of 2892	2136	csc.exe	40
PID 2136 wrote to memory of 2892	2136	csc.exe	40
PID 2136 wrote to memory of 2892	2136	csc.exe	40
PID 2556 wrote to memory of 2024	2556	hypercomCrtMonitor.exe	56
PID 2556 wrote to memory of 2024	2556	hypercomCrtMonitor.exe	56
PID 2556 wrote to memory of 2024	2556	hypercomCrtMonitor.exe	56
PID 2556 wrote to memory of 2432	2556	hypercomCrtMonitor.exe	57
PID 2556 wrote to memory of 2432	2556	hypercomCrtMonitor.exe	57
PID 2556 wrote to memory of 2432	2556	hypercomCrtMonitor.exe	57
PID 2556 wrote to memory of 772	2556	hypercomCrtMonitor.exe	58
PID 2556 wrote to memory of 772	2556	hypercomCrtMonitor.exe	58
PID 2556 wrote to memory of 772	2556	hypercomCrtMonitor.exe	58
PID 2556 wrote to memory of 856	2556	hypercomCrtMonitor.exe	59
PID 2556 wrote to memory of 856	2556	hypercomCrtMonitor.exe	59
PID 2556 wrote to memory of 856	2556	hypercomCrtMonitor.exe	59
PID 2556 wrote to memory of 1100	2556	hypercomCrtMonitor.exe	60
PID 2556 wrote to memory of 1100	2556	hypercomCrtMonitor.exe	60
PID 2556 wrote to memory of 1100	2556	hypercomCrtMonitor.exe	60
PID 2556 wrote to memory of 1164	2556	hypercomCrtMonitor.exe	61
PID 2556 wrote to memory of 1164	2556	hypercomCrtMonitor.exe	61
PID 2556 wrote to memory of 1164	2556	hypercomCrtMonitor.exe	61
PID 2556 wrote to memory of 1624	2556	hypercomCrtMonitor.exe	62
PID 2556 wrote to memory of 1624	2556	hypercomCrtMonitor.exe	62
PID 2556 wrote to memory of 1624	2556	hypercomCrtMonitor.exe	62
PID 2556 wrote to memory of 1092	2556	hypercomCrtMonitor.exe	63
PID 2556 wrote to memory of 1092	2556	hypercomCrtMonitor.exe	63
PID 2556 wrote to memory of 1092	2556	hypercomCrtMonitor.exe	63
PID 2556 wrote to memory of 1936	2556	hypercomCrtMonitor.exe	64
PID 2556 wrote to memory of 1936	2556	hypercomCrtMonitor.exe	64
PID 2556 wrote to memory of 1936	2556	hypercomCrtMonitor.exe	64
PID 2556 wrote to memory of 2472	2556	hypercomCrtMonitor.exe	65
PID 2556 wrote to memory of 2472	2556	hypercomCrtMonitor.exe	65
PID 2556 wrote to memory of 2472	2556	hypercomCrtMonitor.exe	65
PID 2556 wrote to memory of 2416	2556	hypercomCrtMonitor.exe	66
PID 2556 wrote to memory of 2416	2556	hypercomCrtMonitor.exe	66
PID 2556 wrote to memory of 2416	2556	hypercomCrtMonitor.exe	66
PID 2556 wrote to memory of 876	2556	hypercomCrtMonitor.exe	67
PID 2556 wrote to memory of 876	2556	hypercomCrtMonitor.exe	67
PID 2556 wrote to memory of 876	2556	hypercomCrtMonitor.exe	67
PID 2556 wrote to memory of 1760	2556	hypercomCrtMonitor.exe	68
PID 2556 wrote to memory of 1760	2556	hypercomCrtMonitor.exe	68
PID 2556 wrote to memory of 1760	2556	hypercomCrtMonitor.exe	68
PID 2556 wrote to memory of 2036	2556	hypercomCrtMonitor.exe	69
PID 2556 wrote to memory of 2036	2556	hypercomCrtMonitor.exe	69
PID 2556 wrote to memory of 2036	2556	hypercomCrtMonitor.exe	69
PID 2556 wrote to memory of 1352	2556	hypercomCrtMonitor.exe	70
PID 2556 wrote to memory of 1352	2556	hypercomCrtMonitor.exe	70
PID 2556 wrote to memory of 1352	2556	hypercomCrtMonitor.exe	70
PID 2556 wrote to memory of 1520	2556	hypercomCrtMonitor.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\incore.exe
"C:\Users\Admin\AppData\Local\Temp\incore.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\fontCrtmonitor\3ZRHIxPIjsb.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\fontCrtmonitor\ggooOvvNMLFpJUHeJA7JSZJLf.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\fontCrtmonitor\hypercomCrtMonitor.exe
      "C:\fontCrtmonitor/hypercomCrtMonitor.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\brah4ff5\brah4ff5.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2136
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6B9.tmp" "c:\Windows\System32\CSC96FB70235D3243BD99D34A4E182CC64D.TMP"
        6⤵
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontCrtmonitor/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontCrtmonitor\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontCrtmonitor\hypercomCrtMonitor.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y1MfKM9se5.bat"
        5⤵
        
        PID:2500
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1740
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2768
      - C:\Program Files (x86)\Google\CrashReports\services.exe
        
        "C:\Program Files (x86)\Google\CrashReports\services.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\fontCrtmonitor\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\fontCrtmonitor\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\fontCrtmonitor\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\tracing\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hypercomCrtMonitorh" /sc MINUTE /mo 12 /tr "'C:\fontCrtmonitor\hypercomCrtMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hypercomCrtMonitor" /sc ONLOGON /tr "'C:\fontCrtmonitor\hypercomCrtMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hypercomCrtMonitorh" /sc MINUTE /mo 14 /tr "'C:\fontCrtmonitor\hypercomCrtMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC6B9.tmp

Filesize
1KB

MD5
1d79f18e4b424987fc53ac88fb263d4d

SHA1
1c972f841efdd6b068cd245f36782c7f2bbdb921

SHA256
a6f497d488843c1e031ab5764e4c2936fb53845fa36df1aea26c872cce02ce4f

SHA512
8cf42b5fe8afb932a1afff6b7acb4865fef22ca856a0281871a9bdff079e82c3d26ee1b4eaa7c28cd0e77bd5ec0a3ca44e666275ddb7c33bd7366b6977378ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y1MfKM9se5.bat

Filesize
183B

MD5
c19ff5d8fc37d7bc815bfaeb46fefd65

SHA1
4a68d189191c2e5af892cb4af40b666ee7fc5058

SHA256
a3887719bf72f807a2d25662cfb898c0c8abcc24170b7eb09c22f39805ff35f6

SHA512
64843abc57a11629fbba5a4ed34907e480ef97305ed560b18f2661ea254310b10a6c0d56cadae2da75be87f1bba1264cd198894a1477481f074f5dda59723af0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d654ed1a472855dc66564ad7dd552098

SHA1
24dc4fd6654d508196a0a101e25fa81df5e2cc9f

SHA256
6af6124f004dcc6eb9e2f17296e09759065a094ba0516faea1ca55bf75bdf0eb

SHA512
defaa1b729522fb818858808f364bb0b8d3e40eff4cea6401f4a63bd2d4e032264a904c3706efdfb47ae03623e0506f4d83dbbbb67d50527d22ae54bef2488c5

Download Submit
C:\fontCrtmonitor\3ZRHIxPIjsb.vbe

Filesize
218B

MD5
623fc76c6ffa7386cf3ba5bd07316cd0

SHA1
f35d0b54e393e8f9a0662d175e0e1895e47c6e05

SHA256
2e5e3b082cf3350781210ee9c1d404fc3b530c182b22a3a4a05c7cd6b04f5b18

SHA512
d44af88f6e249fb4cdc78c61db0f7020e1c9f98b0e5bb0c4ec2261ece646ef464c3a5b30df9e042da3112b8b3c8dc7f1f55ae54f3948dcd3f192cdd317f57125

Download Submit
C:\fontCrtmonitor\ggooOvvNMLFpJUHeJA7JSZJLf.bat

Filesize
92B

MD5
3b890edc86e87609973d9d0dacbb0b0a

SHA1
94b43c89db0ed52658e8a76dc075c40d959d1e51

SHA256
33c65a531e04e663ba8a9590080c1786330f6f98c32a7da57694f4df6f48aeac

SHA512
5d3bf328910e66aa498b7c2b49e86a2e6eb71c7710c8aa4561dc121070c44bf62b40bd65227113decaa71080ee9b2a7f978f0648401580ce02d9e869619d889d

Download Submit
C:\fontCrtmonitor\hypercomCrtMonitor.exe

Filesize
1.8MB

MD5
2a6e3f3275d854bf07aba2427baa6610

SHA1
37d6411844b5d8a9d997f38f7718168b33cbc564

SHA256
4aa398eb330d666b85164e1fdc28802c585071870e09576109523cdafc10ee7b

SHA512
a6054ab62fc7415dafaca1dc273b42edd9680541e964b7b20d6b7ed07d65fb2ee01ea833bfedec9abc3687814449bb65f7c041ba462aed5cc44397e0ae2d4ef0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\brah4ff5\brah4ff5.0.cs

Filesize
397B

MD5
74a85eb4b4328b6dae29d74fe2d0e3ee

SHA1
0e07b5ea8c2664701ddd7ff7c03eaee778113d85

SHA256
ec218dae55c36cffe343a978b09185a610f02dacdf9e0066d76890872224dae8

SHA512
774e3d7f6a211fe46b78276f541eddd9d6c42fad8480376c57668675760924c7584c9b759663be8324284e59f64647e75518d8a3d27e18bf55e843dcfacc73e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\brah4ff5\brah4ff5.cmdline

Filesize
235B

MD5
db3ee69906c749e550f19ba04a956ab2

SHA1
13e5e899d2ad39478c3d372099698ab95617608e

SHA256
b0bf78413abb5590d0888d5735e11372e32109d7e71b36eb13c49f90f86f31f0

SHA512
451cfcbb558a4c0e53173f0f43ceea9901241d73c01713de1ba98025982c87a39a0cde59a22ef1eb4fb9bdad1b3ae27fa94233cf2ed75269903542a36909f0bd

Download Submit
\??\c:\Windows\System32\CSC96FB70235D3243BD99D34A4E182CC64D.TMP

Filesize
1KB

MD5
167c870490dc33ec13a83ebb533b1bf6

SHA1
182378ebfa7c8372a988dee50a7dd6f8cda6a367

SHA256
3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

SHA512
1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

Download Submit
memory/672-146-0x0000000000880000-0x0000000000A48000-memory.dmp

Filesize
1.8MB

Download
memory/2472-53-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2472-59-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2556-21-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2556-19-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/2556-17-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2556-15-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2556-13-0x0000000000E10000-0x0000000000FD8000-memory.dmp

Filesize
1.8MB

Download